NEW 258757
Undefined behavior in FunctionExecutable::lastLine()
https://bugs.webkit.org/show_bug.cgi?id=258757
Chris Dumez
Reported 2023-06-30 16:40:21 PDT
Undefined behavior in FunctionExecutable::lastLine() when running media/modern-media-controls/pip-support/pip-support-click.html with UBSan:

```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Volumes/Work/WebKit/OpenSource/WebKitBuild/Release/DerivedSources/JavaScriptCore/BytecodeStructs.h:16853:71 in runtime/FunctionExecutable.h:208:28: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```

Code looks like:

```
int lastLine() const { return firstLine() + lineCount(); }
```

Looks to me like lineCount() returns either an uninitialized value or -1 that was cast to an unsigned type.
Chris Dumez
Comment 1 2023-06-30 16:43:07 PDT
UnlinkedFunctionExecutable::m_lineCount is declared like so:

```
unsigned m_lineCount : 31;
```

It gets initialized like so:

```
, m_lineCount(node->lastLine() - node->firstLine())
```

Node::firstLine() is declared like so:

```
int firstLine() const { return m_position.line; }
```

JSTextPosition()'s default constructor initializes its default data members to -1:

```
// FIXME: these should be unsigned.
int line { -1 };
int offset { -1 };
int lineStartOffset { -1 };
```
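The mechanism the two comments above describe, reduced to a stand-alone model: a negative line difference (a JSTextPosition still holding its -1 default) stored into a 31-bit unsigned bit-field becomes 0x7FFFFFFF, which is exactly the 2147483647 in the UBSan message, and adding it to a first line of 1 overflows int. This is an added example, not WebKit's code; the struct, the function names and the use of the `__builtin_add_overflow` compiler builtin (GCC/Clang) are assumptions, and it assumes `lineCount()` yields an int after integral promotion of the bit-field, which is what the "in type 'int'" in the sanitizer report implies. The checked accessor shows the shape of a fix that reports the overflow instead of performing it.

```cpp
#include <climits>
#include <cstdio>
#include <optional>

// Constructed model of the field shape in the report: a 31-bit unsigned
// bit-field that receives a signed line difference. Not WebKit's code.
struct LineCountField {
    unsigned m_lineCount : 31;
};

// Store (lastLine - firstLine) the way the reported initializer does and
// return what the field holds afterwards. A negative difference wraps
// into the 31-bit field as 0x7FFFFFFF, i.e. INT_MAX.
int storeLineCount(int lastLine, int firstLine) {
    LineCountField f{};
    f.m_lineCount = static_cast<unsigned>(lastLine - firstLine); // truncated to 31 bits
    return static_cast<int>(f.m_lineCount); // 31-bit unsigned promotes to int, as in the report
}

// Checked replacement for firstLine() + lineCount() (hypothetical name):
// returns nullopt instead of overflowing. __builtin_add_overflow is a
// GCC/Clang builtin and does not perform the undefined addition.
std::optional<int> checkedLastLine(int firstLine, int lineCount) {
    int result = 0;
    if (__builtin_add_overflow(firstLine, lineCount, &result))
        return std::nullopt; // 1 + INT_MAX is the case UBSan flagged
    return result;
}

// A stored count of INT_MAX is the signature of the -1 wraparound; a
// real function never spans 2^31 - 1 lines.
bool lineCountLooksWrapped(int lineCount) {
    return lineCount == INT_MAX;
}

int main() {
    int wrapped = storeLineCount(-1, 0); // lastLine still at its -1 default
    std::printf("stored line count: %d (wrapped: %s)\n", wrapped,
                lineCountLooksWrapped(wrapped) ? "yes" : "no");
    auto last = checkedLastLine(1, wrapped);
    std::printf("checked lastLine: %s\n", last ? "ok" : "overflow detected");
    return 0;
}
```

Run under UBSan the model never trips the sanitizer itself, because the only addition is the overflow-checked one; the point it makes is that the 31-bit field cannot represent "unset", so the -1 default has to be caught before it is subtracted, not after.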
Radar WebKit Bug Importer
Comment 2 2023-07-07 16:41:16 PDT