[webkit-changes] [WebKit/WebKit] 6a3bc9: Cherry-pick 252432.1031 at safari-7614-branch (9f7e40...
Commit Queue
noreply at github.com
Tue Mar 28 17:06:15 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6a3bc9e418ddb694dee46c4e42a9f2884296bbaa
https://github.com/WebKit/WebKit/commit/6a3bc9e418ddb694dee46c4e42a9f2884296bbaa
Author: David Degazio <d_degazio at apple.com>
Date: 2023-03-28 (Tue, 28 Mar 2023)
Changed paths:
A JSTests/stress/cell-speculated-array-indexof.js
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Log Message:
-----------
Cherry-pick 252432.1031 at safari-7614-branch (9f7e401c42a8). rdar://107335776
Fix use-after-free in DFGFixupPhase for array indexOf
https://bugs.webkit.org/show_bug.cgi?id=250429
rdar://103852510
Reviewed by Jonathan Bedard and Michael Saboff.
During DFG fixup, array indexOf nodes are folded to -1 when the search element is speculated
to be a different type than the array element (for instance, JSCell instead of Int32). When
this happens, a speculation check is inserted, which can cause the DFG graph's varArgChildren
array to reallocate. This invalidates the searchElement Edge reference, which we use
immediately after the check insertion in the fixup phase. This patch fixes this potential
use-after-free by grabbing the searchElement's associated node before inserting any checks,
giving us a persistent pointer to a DFG node rather than a reference into a vector.
* JSTests/stress/cell-speculated-array-indexof.js: Added.
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupArrayIndexOf):
Canonical link: https://commits.webkit.org/252432.1031@safari-7614-branch
Canonical link: https://commits.webkit.org/262250@main
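The hazard the commit message describes (an Edge& into varArgChildren invalidated when a check insertion reallocates the vector) and the pointer-first pattern it adopts, as an added C++ example that is not the WebKit patch itself; Node, Edge, Graph and the sample nodes are assumed stand-ins, not JavaScriptCore's real DFG types:

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Stand-ins (assumed, not JSC's real types) for a DFG node and for an Edge
// stored inline in the graph's varArgChildren vector.
struct Node { int kind; };
struct Edge { Node* node; Node* get() const { return node; } };

struct Graph {
    std::vector<Edge> varArgChildren;
    // Inserting a speculation check appends a child. If the vector is at
    // capacity it reallocates, and every Edge& into it now dangles.
    void insertCheck(Node* n) { varArgChildren.push_back(Edge{n}); }
};

// Constructed sample nodes: [0] the array, [1] the search element, and the
// node the inserted check refers to.
Node gArrayNode{1}, gSearchNode{2}, gCheckNode{3};

Graph makeGraph(std::size_t reserveCount) {
    Graph g;
    g.varArgChildren.reserve(reserveCount);
    g.varArgChildren.push_back(Edge{&gArrayNode});
    g.varArgChildren.push_back(Edge{&gSearchNode});
    return g;
}

// The hazard, shown without touching freed memory: record where the
// searchElement Edge lives, insert a check, and report whether an Edge&
// taken before the insert would still be valid (false == any later use
// of that reference is a use-after-free).
bool edgeReferenceSurvivesInsert(std::size_t reserveCount) {
    Graph g = makeGraph(reserveCount);
    auto before = reinterpret_cast<std::uintptr_t>(&g.varArgChildren[1]);
    g.insertCheck(&gCheckNode);
    return before == reinterpret_cast<std::uintptr_t>(&g.varArgChildren[1]);
}

// The fix from the commit: grab the Node* out of the Edge before inserting
// any check and use only that pointer afterwards; nodes are not stored in
// the vector, so reallocation cannot invalidate it.
int fixupIndexOfSafe(std::size_t reserveCount) {
    Graph g = makeGraph(reserveCount);
    Node* searchElement = g.varArgChildren[1].get();
    g.insertCheck(&gCheckNode);  // may reallocate varArgChildren
    return searchElement->kind;
}

int main() {
    std::cout << "Edge& survives, spare capacity: " << edgeReferenceSurvivesInsert(8) << '\n'
              << "Edge& survives, vector full:    " << edgeReferenceSurvivesInsert(2) << '\n'
              << "kind via Node*, vector full:    " << fixupIndexOfSafe(2) << '\n';
}
```

Running the full-vector case under AddressSanitizer with the reference dereferenced instead of compared is the quickest way to reproduce the class of bug the patch closes.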