RESOLVED FIXED146807
SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector. 
https://bugs.webkit.org/show_bug.cgi?id=146807
Summary SymbolTable::entryFor() should do a bounds check before indexing into the loc...
Mark Lam
Reported 2015-07-09 14:01:58 PDT
When we capture an argument by name and we use "arguments", we put all of the arguments into the scope. But destructured arguments are put into the scope anonymously i.e. the SymbolTable knows that the scope offset is in use via SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in SymbolTable::m_map. The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will have a size which is based on the largest ScopeOffset in the m_map. If we have a scenario where the anonymous argument is at a higher ScopeOffset than all the named arguments, then the m_localsToEntry will not have an entry for it i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of the anonymous argument. Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is within the bounds of the m_localToEntry vector before indexing into it.
Attachments
the patch: testing is in progress. (2.38 KB, patch)
2015-07-09 14:11 PDT, Mark Lam 		fpizlo: review-
DetailsFormatted DiffDiff
patch 2: fixed bug found by Fil. (2.38 KB, patch)
2015-07-09 14:55 PDT, Mark Lam 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2015-07-09 14:03:31 PDT
<rdar://problem/20975495>
Mark Lam
Comment 2 2015-07-09 14:11:55 PDT
Created attachment 256516 [details] the patch: testing is in progress.
Filip Pizlo
Comment 3 2015-07-09 14:21:00 PDT
Comment on attachment 256516 [details] the patch: testing is in progress. View in context: https://bugs.webkit.org/attachment.cgi?id=256516&action=review > Source/JavaScriptCore/runtime/SymbolTable.cpp:133 > + auto toEntryVector = localToEntry(locker); This should be auto&
Mark Lam
Comment 4 2015-07-09 14:55:13 PDT
Created attachment 256527 [details] patch 2: fixed bug found by Fil.
Mark Lam
Comment 5 2015-07-09 16:00:20 PDT
All tests have passed with no new failures. EWS bot test failures appear to be due to pre-existing conditions. Patch landed in r186643: <http://trac.webkit.org/r186643>.
Note You need to log in before you can comment on or make changes to this bug.