Changeset 283632 in webkit
- Timestamp:
- Oct 6, 2021, 10:31:44 AM (3 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r283623 r283632 1 2021-10-06 Mark Lam <mark.lam@apple.com> 2 3 Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal. 4 https://bugs.webkit.org/show_bug.cgi?id=231252 5 rdar://83310320 6 7 Reviewed by Yusuke Suzuki. 8 9 We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal(). 10 Adding a null check here as a speculative fix to mitigate crashes while we 11 investigate further. 12 13 * dfg/DFGByteCodeParser.cpp: 14 (JSC::DFG::ByteCodeParser::parseBlock): 15 (JSC::DFG::ByteCodeParser::handlePutByVal): 16 1 17 2021-10-06 Saam Barati <sbarati@apple.com> 2 18 -
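--- a/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -6484,5 +6484,7 @@
     addToGraph(CheckIsConstant, OpInfo(frozen), property);
 } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
-    if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+    auto* impl = string->tryGetValueImpl();
+    ASSERT(impl); // FIXME: rdar://83902782
+    if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
         uid = bitwise_cast<UniquedStringImpl*>(impl);
         propertyCell = string;
@@ -8878,5 +8880,7 @@
     addToGraph(CheckIsConstant, OpInfo(frozen), property);
 } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
-    if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+    auto* impl = string->tryGetValueImpl();
+    ASSERT(impl); // FIXME: rdar://83902782
+    if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
         uid = bitwise_cast<UniquedStringImpl*>(impl);
         propertyCell = string;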
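Review bot: In both hunks (parseBlock at new line 6486 and handlePutByVal at new line 8882) the `ASSERT(impl)` and the `impl &&` guard pull in opposite directions: debug builds will still crash on the null that release builds now silently tolerate, and the FIXME does not record what a null return from `tryGetValueImpl()` means at this point. Since the ChangeLog describes this as a speculative fix, a comment at the guard stating the chosen behaviour would help the next reader, e.g. `// impl can be null here (rdar://83902782); fall through to the generic path instead of treating the property as a uid.` The same three-line pattern is now duplicated verbatim in two functions; hoisting it into a small helper that returns the atomized UniquedStringImpl or nullptr would keep the two call sites from drifting when the real fix lands. Both enclosing functions start and end outside the hunks.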