RESOLVED FIXED 27016
Interpreter crashes due to invalid array indexes
https://bugs.webkit.org/show_bug.cgi?id=27016
Summary Interpreter crashes due to invalid array indexes
Zack Rusin
Reported 2009-07-06 18:01:05 PDT
In gcc 4.3.3, when array subscripts are expressions which contain a mix of signed and unsigned operands, the result will be unsigned. It's a cause of crashes in the interpreter. The attached patch fixes the crashes but it's possible that there are other codepaths which are similarly broken. A simple testcase to see if you can reproduce it with the compiler of your choice is:

    #include <stdio.h>

    #define CRASH 0

    int array[] = { -50, -40, -30, -20, -10, 0, 10, 20, 30, 40, 50 };

    int main(int argc, char **argv)
    {
        int *ptr = array + 5;      /* points at the 0 in the middle */
        unsigned i = argc;
        int k = 3 * i;
    #if CRASH
        /* i is unsigned, so k is converted to unsigned and i - k wraps
           to a huge positive index instead of a small negative one */
        int num = ptr[i - k];
    #else
        int num = ptr[(int)(i - k)];
    #endif
        fprintf(stderr, "num is %d\n", num);
        return 0;
    }
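The same promotion rule in isolation, as an added example (not the reporter's testcase or the WebKit patch): the unchecked mixed-sign subscript beside the cast used in the fix, plus a bounds-checked accessor that refuses the wrapped offset. It assumes 32-bit unsigned and two's complement; the table and the helper names are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed sample table; CENTER is the element the report's ptr points at. */
static int table[] = { -50, -40, -30, -20, -10, 0, 10, 20, 30, 40, 50 };
#define TABLE_LEN ((int64_t)(sizeof table / sizeof table[0]))
#define CENTER    5

/* The expression from the crashing #if branch: because i is unsigned, the
 * usual arithmetic conversions make k unsigned too, so a result that should
 * be negative wraps modulo 2^32 (assumes 32-bit unsigned). */
unsigned mixed_subscript(unsigned i, int k) {
    return i - k;
}

/* The #else branch: the wrapped value is reinterpreted as a signed 32-bit
 * offset (two's complement assumed), recovering the intended negative index. */
int32_t signed_subscript(unsigned i, int k) {
    return (int32_t)(i - k);
}

/* Bounds-checked access relative to CENTER: returns 0 and stores the element
 * on success, -1 when the offset would leave the table (no dereference). */
int lookup_relative(int64_t offset, int *out) {
    if (offset < -(int64_t)CENTER || offset >= TABLE_LEN - CENTER)
        return -1;
    *out = table[CENTER + offset];
    return 0;
}

int main(void) {
    unsigned i = 1;            /* argc == 1 in the report's testcase */
    int k = 3 * (int)i;
    int v;
    printf("i - k as unsigned: %u\n", mixed_subscript(i, k));
    printf("(int32_t)(i - k):  %d\n", signed_subscript(i, k));
    if (lookup_relative((int64_t)mixed_subscript(i, k), &v) != 0)
        printf("unchecked offset rejected (would read far past the table)\n");
    if (lookup_relative(signed_subscript(i, k), &v) == 0)
        printf("signed offset -> table[%d] = %d\n",
               CENTER + signed_subscript(i, k), v);
    return 0;
}
```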
Attachments
simple fix (1.40 KB, patch)
2009-07-06 18:02 PDT, Zack Rusin
no flags
fixeration! (2.80 KB, patch)
2009-07-06 23:05 PDT, Oliver Hunt
darin: review+
Zack Rusin
Comment 1 2009-07-06 18:02:08 PDT
Created attachment 32337 [details] simple fix
Oliver Hunt
Comment 2 2009-07-06 23:05:32 PDT
Created attachment 32361 [details] fixeration!
Darin Adler
Comment 3 2009-07-06 23:50:45 PDT
Comment on attachment 32361 [details] fixeration! Test case? Why int32_t instead of just int? r=me
Oliver Hunt
Comment 4 2009-07-09 19:44:50 PDT
Committed r45693
Oliver Hunt
Comment 5 2009-07-09 19:45:19 PDT
*** Bug 26116 has been marked as a duplicate of this bug. ***
Oliver Hunt
Comment 6 2009-07-09 19:45:40 PDT
*** Bug 26553 has been marked as a duplicate of this bug. ***