[webkit-changes] [WebKit/WebKit] ba5c34: array.new_elem should check element segment before...
Commit Queue
noreply at github.com
Wed Dec 11 13:07:05 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ba5c342c3a60b562dca9a2d61208f04c074a7747
https://github.com/WebKit/WebKit/commit/ba5c342c3a60b562dca9a2d61208f04c074a7747
Author: Daniel Liu <daniel_liu4 at apple.com>
Date: 2024-12-11 (Wed, 11 Dec 2024)
Changed paths:
M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
Log Message:
-----------
array.new_elem should check element segment before accessing type
https://bugs.webkit.org/show_bug.cgi?id=283398
rdar://140253586
Reviewed by Keith Miller and Yusuke Suzuki.
If we have an empty element segment, the type will be nullptr. However,
arrayNewElem does not check this before accessing its type, leading to
a segfault. This can be resolved by conditioning this path only if we
know the element is not empty.
* JSTests/wasm/stress/array-new-dropped-elem.js: Added.
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::arrayNewElem):
Canonical link: https://commits.webkit.org/287691@main