Timestamp:
Jan 13, 2015, 11:42:36 AM
Author:
[email protected]
Message:

Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
https://bugs.webkit.org/show_bug.cgi?id=140397

Reviewed by Geoffrey Garen.

Patch by Alexey Proskuryakov.

Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.

No performance change.

No test, since this is a small past-the-end read, which is very
difficult to turn into a reproducible failing test -- and existing tests
crash reliably using ASan.

  • bytecompiler/NodesCodegen.cpp:

(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::DeleteBracketNode::emitBytecode):
(JSC::DeleteDotNode::emitBytecode):
(JSC::PrefixNode::emitResolve):
(JSC::UnaryOpNode::emitBytecode):
(JSC::BitwiseNotNode::emitBytecode):
(JSC::BinaryOpNode::emitBytecode):
(JSC::EqualNode::emitBytecode):
(JSC::StrictEqualNode::emitBytecode):
(JSC::ThrowableBinaryOpNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
register used across a call to a function that might allocate a new
temporary register must be held in a RefPtr.
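The rule at the end of the commit message, illustrated with an added toy model that is written for this page and is not JSC's code: a pool in which a register with refcount zero is free for reuse, so a register held only by a raw pointer across a newTemporary() call gets clobbered, while one held in a RefPtr does not. The RegisterID, RefPtr and Generator types are simplified stand-ins, and the model shows register reuse rather than the specific past-the-end read the entry reports.

```cpp
#include <deque>

// Toy model written for this page, not JSC's implementation. The one property
// borrowed from the real design: a register whose refcount is zero is free, and
// the next newTemporary() call may hand it out again.
struct RegisterID {
    int refCount = 0; int value = 0;
    void ref() { ++refCount; } void deref() { --refCount; }
};

// Minimal RefPtr: keeps the register referenced for as long as it is in scope.
class RefPtr {
public:
    explicit RefPtr(RegisterID* r) : m_ptr(r) { m_ptr->ref(); }
    ~RefPtr() { m_ptr->deref(); }
    RegisterID* get() const { return m_ptr; }
private:
    RegisterID* m_ptr;
};

class Generator {
public:
    // Reuse the first unreferenced register, otherwise grow the pool
    // (std::deque keeps existing elements' addresses stable when it grows).
    RegisterID* newTemporary() {
        for (RegisterID& r : m_registers)
            if (r.refCount == 0) return &r;
        m_registers.emplace_back();
        return &m_registers.back();
    }
private:
    std::deque<RegisterID> m_registers;
};

// Unsafe pattern: 'base' is only a raw pointer, so the next allocation hands
// out the same register and the write to 'scratch' clobbers it.
int unsafeSequence() {
    Generator gen;
    RegisterID* base = gen.newTemporary();
    base->value = 7;
    RegisterID* scratch = gen.newTemporary();  // same register as base
    scratch->value = 99;
    return base->value;  // 99: base was silently reused
}

// The ChangeLog's rule: hold 'base' in a RefPtr across the allocating call, so
// its refcount stays above zero and newTemporary() must pick another register.
int safeSequence() {
    Generator gen;
    RefPtr base(gen.newTemporary());
    base.get()->value = 7;
    RegisterID* scratch = gen.newTemporary();  // a different register
    scratch->value = 99;
    return base.get()->value;  // 7
}
```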

File:
1 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r178364 r178365  
     12015-01-13  Geoffrey Garen  <[email protected]>
     2
     3        Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
     4        https://bugs.webkit.org/show_bug.cgi?id=140397
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        Patch by Alexey Proskuryakov.
     9
     10        Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
     11
     12        No performance change.
     13
     14        No test, since this is a small past-the-end read, which is very
     15        difficult to turn into a reproducible failing test -- and existing tests
     16        crash reliably using ASan.
     17
     18        * bytecompiler/NodesCodegen.cpp:
     19        (JSC::BracketAccessorNode::emitBytecode):
     20        (JSC::DotAccessorNode::emitBytecode):
     21        (JSC::FunctionCallBracketNode::emitBytecode):
     22        (JSC::PostfixNode::emitResolve):
     23        (JSC::DeleteBracketNode::emitBytecode):
     24        (JSC::DeleteDotNode::emitBytecode):
     25        (JSC::PrefixNode::emitResolve):
     26        (JSC::UnaryOpNode::emitBytecode):
     27        (JSC::BitwiseNotNode::emitBytecode):
     28        (JSC::BinaryOpNode::emitBytecode):
     29        (JSC::EqualNode::emitBytecode):
     30        (JSC::StrictEqualNode::emitBytecode):
     31        (JSC::ThrowableBinaryOpNode::emitBytecode):
     32        (JSC::AssignDotNode::emitBytecode):
     33        (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
     34        register used across a call to a function that might allocate a new
     35        temporary register must be held in a RefPtr.
     36
    1372015-01-12  Michael Saboff  <[email protected]>
    238
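Review bot: the "No test" paragraph says existing tests crash reliably under ASan but does not name them; naming the crashing test(s) or the ASan run that showed the crash would let the fix be verified and would give a regression check if a raw RegisterID* is again held across a call that can allocate a temporary.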