Changeset 283632 in webkit


Timestamp:
Oct 6, 2021, 10:31:44 AM (3 years ago)
Author:
mark.lam@apple.com
Message:

Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
https://bugs.webkit.org/show_bug.cgi?id=231252
rdar://83310320

Reviewed by Yusuke Suzuki.

We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
Adding a null check here as a speculative fix to mitigate crashes while we
investigate further.

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handlePutByVal):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r283623 r283632  
     12021-10-06  Mark Lam  <mark.lam@apple.com>
     2
     3        Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
     4        https://bugs.webkit.org/show_bug.cgi?id=231252
     5        rdar://83310320
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
     10        Adding a null check here as a speculative fix to mitigate crashes while we
     11        investigate further.
     12
     13        * dfg/DFGByteCodeParser.cpp:
     14        (JSC::DFG::ByteCodeParser::parseBlock):
     15        (JSC::DFG::ByteCodeParser::handlePutByVal):
     16
    1172021-10-06  Saam Barati  <sbarati@apple.com>
    218
  • trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

    r283623 r283632  
    64846484                        addToGraph(CheckIsConstant, OpInfo(frozen), property);
    64856485                    } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
    6486                         if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
     6486                        auto* impl = string->tryGetValueImpl();
     6487                        ASSERT(impl); // FIXME: rdar://83902782
     6488                        if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
    64876489                            uid = bitwise_cast<UniquedStringImpl*>(impl);
    64886490                            propertyCell = string;
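Review bot: The new `ASSERT(impl);` on the line before `if (impl && impl->isAtom() && ...)` means a debug build still crashes on the exact path this change is meant to survive, so the mitigation only takes effect in release builds; if that is intentional (catch the root cause in debug, stay alive in release), say so in the FIXME comment, and note that the FIXME cites rdar://83902782 while the ChangeLog cites rdar://83310320, so the comment should state which issue tracks the underlying reason `tryGetValueImpl()` can return null here. Also worth documenting in the ChangeLog what happens when `impl` is null: the block that sets `uid` and `propertyCell` is simply skipped, so the property stays on the generic path rather than the atom fast path, and the reader should be told that this is the intended fallback.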
     
    88788880                addToGraph(CheckIsConstant, OpInfo(frozen), property);
    88798881            } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
    8880                 if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
     8882                auto* impl = string->tryGetValueImpl();
     8883                ASSERT(impl); // FIXME: rdar://83902782
     8884                if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
    88818885                    uid = bitwise_cast<UniquedStringImpl*>(impl);
    88828886                    propertyCell = string;
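Review bot: This hunk in `handlePutByVal` is byte-for-byte the same three-line change as the one in `parseBlock` above (`auto* impl = string->tryGetValueImpl(); ASSERT(impl); if (impl && impl->isAtom() && !parseIndex(...))`), and the surrounding `uid`/`propertyCell` assignments are duplicated as well; consider lifting the "constant string to uid" logic into a small shared helper so that the null check, the ASSERT and the eventual real fix only have to be maintained in one place, which also avoids one copy being patched later and the other being missed. The same debug/release asymmetry applies here: the `ASSERT(impl)` fires before the `impl &&` guard is ever evaluated in debug builds.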