[webkit-reviews] review denied: [Bug 65128] DFG JIT bytecode parser misuses pointers into objects allocated as part of a WTF::Vector : [Attachment 101900] the patch
bugzilla-daemon at webkit.org
Mon Jul 25 14:46:48 PDT 2011
Darin Adler <darin at apple.com> has denied review:
Bug 65128: DFG JIT bytecode parser misuses pointers into objects allocated as
part of a WTF::Vector
https://bugs.webkit.org/show_bug.cgi?id=65128
Attachment 101900: the patch
https://bugs.webkit.org/attachment.cgi?id=101900&action=review
------- Additional Comments from Darin Adler <darin at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=101900&action=review
> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1211
> + phiNode = m_graph[entry.m_phi]; // reload after vector resize
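Review bot: if phiNode is a reference, this assignment does not reload anything; it copies the node now at m_graph[entry.m_phi] into the storage phiNode already refers to, which after a vector resize is the old, freed buffer. Hold a pointer (or just the index entry.m_phi) and re-fetch after the resize, e.g. `phiNode = &m_graph[entry.m_phi];` with `phiNode` declared as a pointer.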
This won’t do what you think it does!
It will copy the value from the new memory location into the old memory
location.
You can’t re-point a reference to a new address with an assignment statement.
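The two C++ facts behind this review, as an added example that is not part of the patch or of WebKit: assigning through a reference never rebinds it, and growing a vector past its capacity moves its elements, so any reference taken earlier dangles. `Node`, `graph` and `phiIndex` are hypothetical stand-ins for the DFG node type, `m_graph` and `entry.m_phi`; `std::vector` stands in for `WTF::Vector`, which reallocates the same way. The last function shows the pattern the review asks for: keep the index and re-fetch through a pointer after any operation that may resize.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for a DFG graph node (constructed for this example).
struct Node {
    int value;
};

// A reference is an alias for one object for its whole lifetime. `ref = b;`
// stores b's value into a; it does not make ref refer to b.
bool referenceIsNotRebound()
{
    int a = 1;
    int b = 2;
    int& ref = a;
    ref = b;                           // copies b into a; ref still names a
    return &ref == &a && a == 2 && b == 2;
}

// Appending beyond capacity allocates a new buffer and moves the elements, so
// the address of element 0 changes. A reference or pointer obtained before the
// append now refers to freed memory and must not be used.
bool appendReallocates()
{
    std::vector<Node> graph;
    graph.reserve(1);                  // capacity 1: the second push_back must grow
    graph.push_back(Node{10});
    const std::uintptr_t before = reinterpret_cast<std::uintptr_t>(&graph[0]);
    graph.push_back(Node{20});         // new buffer allocated, old one released
    const std::uintptr_t after = reinterpret_cast<std::uintptr_t>(&graph[0]);
    return before != after;            // address recorded as an integer, never dereferenced
}

// Safe pattern: remember the index, not the element, across anything that may
// grow the vector, then look the element up again through a pointer. A pointer
// can be re-pointed with assignment; a reference cannot.
int growThenUpdate()
{
    std::vector<Node> graph;
    graph.reserve(1);
    graph.push_back(Node{10});
    const std::size_t phiIndex = 0;    // plays the role of entry.m_phi

    Node* phiNode = &graph[phiIndex];  // valid until the next growth
    graph.push_back(Node{20});         // may reallocate: phiNode is now stale
    phiNode = &graph[phiIndex];        // reload: re-point the pointer, do not assign through it

    phiNode->value += 5;
    return graph[phiIndex].value;      // 15
}

int main()
{
    assert(referenceIsNotRebound());
    assert(appendReallocates());
    assert(growThenUpdate() == 15);
    return 0;
}
```

Had `phiNode` in `growThenUpdate` been declared `Node&` and "reloaded" with `phiNode = graph[phiIndex];`, the compiler would have emitted a copy of the new element into the old buffer, exactly the write-after-free the review describes.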