Our profiling is good, so we never really run into this issue. We'd probably hit this bug way more often if we random-fuzzed the value injection types. However, once we've locked down a Variable's flushFormat, it's wrong to give it a type wider than that. E.g, we even assert that much in AI: ``` case GetLocal: { VariableAccessData* variableAccessData = node->variableAccessData(); AbstractValue value = m_state.operand(variableAccessData->local().offset()); // The value in the local should already be checked. DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat()))); if (value.value()) m_state.setFoundConstants(true); setForNode(node, value); break; } ```
Created attachment 367438 [details] patch
Attachment 367438 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:17: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzing [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 367438 [details] patch r=me
Comment on attachment 367438 [details] patch Clearing flags on attachment: 367438 Committed r244287: <https://trac.webkit.org/changeset/244287>
All reviewed patches have been landed. Closing bug.
<rdar://problem/49915815>
*** Bug 196967 has been marked as a duplicate of this bug. ***
Thank you