Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
Alexey says: When using a preliminary version of a patch that enables ASan bounds checking for WTF:Vector, I keep hitting this crash under DotAccessorNode::emitBytecode. It looks like an actual issue in JSC, not just a mistake in the WIP patch. Steps to reproduce: 1. Apply patch 2. Load <about:blank> in Safari. Results: Crash when running Safari injected bundleJS code. Looks like what happens is: 1. RegisterID* base = generator.emitNode(m_base); adds a register. 2. generator.finalDestination(dst); calls BytecodeGenerator::newTemporary(), which reclaims some unreferenced registers, including the base. 3. The base is then used in a call to emitGetById().
<rdar://problem/19437740>
Created attachment 244527 [details] Patch
Committed r178365: <http://trac.webkit.org/changeset/178365>