[webkit-changes] [WebKit/WebKit] ba5c34: array.new_elem should check element segment before...

Commit Queue noreply at github.com
Wed Dec 11 13:07:05 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ba5c342c3a60b562dca9a2d61208f04c074a7747
      https://github.com/WebKit/WebKit/commit/ba5c342c3a60b562dca9a2d61208f04c074a7747
  Author: Daniel Liu <daniel_liu4 at apple.com>
  Date:   2024-12-11 (Wed, 11 Dec 2024)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmOperationsInlines.h

  Log Message:
  -----------
  array.new_elem should check element segment before accessing type
https://bugs.webkit.org/show_bug.cgi?id=283398
rdar://140253586

Reviewed by Keith Miller and Yusuke Suzuki.

If we have an empty element segment, the type will be nullptr. However,
arrayNewElem does not check this before accessing its type, leading to
a segfault. This can be resolved by conditioning this path only if we
know the element is not empty.

* JSTests/wasm/stress/array-new-dropped-elem.js: Added.
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::arrayNewElem):

Canonical link: https://commits.webkit.org/287691@main
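Added illustration, not the WebKit patch itself (the diff is not on this page): a small C model of the ordering the commit message describes. The segment struct, the `kLiveSegment` / `kDroppedSegment` sample data, the tag encoding and the function names are all hypothetical and are not JavaScriptCore's representation; the one fact taken from the message is that an empty (or `elem.drop`ped) segment carries no element type, modelled here as a NULL pointer. The "before" variant reads the type first and so crashes on a dropped segment even for the spec-legal `offset=0, size=0` case; the "after" variant bounds-checks on the length alone and only consults the type once it knows at least one element exists.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model (not JSC's code) of an element segment as seen by
 * array.new_elem. After elem.drop, or for a segment that was empty from the
 * start, the engine keeps length 0 and no element type; the absent type is
 * modelled as a NULL pointer, as the commit message describes. */
typedef struct {
    int isFuncRef;              /* 1: funcref segment, 0: externref (sample encoding) */
} ElementType;

typedef struct {
    const ElementType *type;    /* NULL when the segment is empty / dropped */
    size_t length;              /* number of elements */
    const uint32_t *items;      /* constructed sample contents */
} ElementSegment;

#define ARRAY_NEW_ELEM_TRAP (-1)

/* Constructed sample data: one live funcref segment, one dropped segment. */
static const ElementType kFuncRefType = { 1 };
static const uint32_t kFuncIndices[4] = { 7, 8, 9, 10 };
const ElementSegment kLiveSegment    = { &kFuncRefType, 4, kFuncIndices };
const ElementSegment kDroppedSegment = { NULL, 0, NULL };

/* Tag each materialised element with its kind (hypothetical encoding). */
static uint32_t tagElement(int funcRef, uint32_t item) {
    return (funcRef ? 0x10000000u : 0x20000000u) | item;
}

/* Before the fix: the segment type is read before anything else.
 * Do not call this on kDroppedSegment; it dereferences NULL. */
int arrayNewElemBefore(const ElementSegment *seg, uint32_t offset, uint32_t size, uint32_t *out) {
    int funcRef = seg->type->isFuncRef;            /* NULL deref on a dropped segment */
    if ((uint64_t)offset + size > seg->length)
        return ARRAY_NEW_ELEM_TRAP;
    for (uint32_t i = 0; i < size; i++)
        out[i] = tagElement(funcRef, seg->items[offset + i]);
    return (int)size;
}

/* After the fix: bounds-check on the length alone, return early for an empty
 * result, and touch the type only when length > 0 is known, i.e. when the
 * segment is not empty and therefore carries a type. */
int arrayNewElemAfter(const ElementSegment *seg, uint32_t offset, uint32_t size, uint32_t *out) {
    if ((uint64_t)offset + size > seg->length)     /* overflow-safe: 64-bit sum */
        return ARRAY_NEW_ELEM_TRAP;                /* out of bounds traps, per spec */
    if (size == 0)
        return 0;                                  /* empty array; legal even on a dropped segment */
    int funcRef = seg->type->isFuncRef;            /* safe: a non-empty segment has a type */
    for (uint32_t i = 0; i < size; i++)
        out[i] = tagElement(funcRef, seg->items[offset + i]);
    return (int)size;
}

int main(void) {
    uint32_t out[4];
    printf("live  [1,2]  -> %d\n", arrayNewElemAfter(&kLiveSegment, 1, 2, out));
    printf("live  [3,2]  -> %d (trap)\n", arrayNewElemAfter(&kLiveSegment, 3, 2, out));
    printf("dropped[0,0] -> %d (empty array, no crash)\n", arrayNewElemAfter(&kDroppedSegment, 0, 0, out));
    printf("dropped[0,1] -> %d (trap)\n", arrayNewElemAfter(&kDroppedSegment, 0, 1, out));
    return 0;
}
```

The point to keep in mind when reviewing similar paths: a check that is implied by validation at instantiation time (a non-empty segment always has a type) stops holding once `elem.drop` can run at any later point, so the runtime helper must re-derive "non-empty" from the bounds it checks, not assume it from the module shape.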
