[Webkit-unassigned] [Bug 20340] New: SegmentedVector segment allocations can lead to unsafe use of temporary registers
bugzilla-daemon at webkit.org
Sun Aug 10 01:27:51 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20340
Summary: SegmentedVector segment allocations can lead to unsafe use of temporary registers
Product: WebKit
Version: 526+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: cwzwarich at uwaterloo.ca
CC: mjs at apple.com, ggaren at apple.com, oliver at apple.com, chrisb at adobe.com
In many emitCode() methods for Node subclasses, there is code that looks like
this:
RegisterID* temp = ...
return generator.emitOpcode(generator.finalDestination(dst), temp, ...);
If temp points at the first RegisterID in a segment of the SegmentedVector
containing the RegisterIDs, then generator.finalDestination(dst) may free that
RegisterID, deallocate the segment, then allocate a new segment and return the
first RegisterID in that segment. However, temp is still passed as an argument
to generator.emitOpcode(), so this is potentially unsafe if the new segment is
not allocated in the same place as the old segment.
This was first mentioned by Chris Brichford on the webkit-dev mailing list:
https://lists.webkit.org/pipermail/webkit-dev/2008-July/004533.html
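The sequence described above, as an added C++ illustration that is not JavaScriptCore's code: a toy SegmentedVector whose segments are heap-allocated one at a time, with a flag (an assumption of this example) controlling whether an emptied segment is freed. The stale pointer is never dereferenced; instead the number of segment frees that happen while temp is still pending is returned, so the hazard is observable without touching freed memory.

```cpp
#include <cstddef>
#include <vector>

// Added illustration, not JavaScriptCore's code: a toy SegmentedVector whose
// segments are separately heap-allocated, standing in for the RegisterID pool
// the report describes. Frees are counted rather than dereferencing temp.
struct RegisterID { int index; };

class SegmentedVector {
    static constexpr size_t kSegmentSize = 4;
    std::vector<RegisterID*> segments_;
    size_t size_ = 0;
    bool freeEmptySegments_;
public:
    size_t segmentFrees = 0;  // bookkeeping for the demonstration only
    explicit SegmentedVector(bool f) : freeEmptySegments_(f) {}
    ~SegmentedVector() { for (RegisterID* s : segments_) delete[] s; }
    RegisterID* append(int index) {
        if (size_ == segments_.size() * kSegmentSize)
            segments_.push_back(new RegisterID[kSegmentSize]);
        RegisterID* r = &segments_[size_ / kSegmentSize][size_ % kSegmentSize];
        r->index = index;
        ++size_;
        return r;
    }
    void removeLast() {
        --size_;
        // The hazard: releasing the last RegisterID of a segment releases the segment too.
        if (freeEmptySegments_ && size_ == (segments_.size() - 1) * kSegmentSize) {
            delete[] segments_.back();
            segments_.pop_back();
            ++segmentFrees;
        }
    }
};

// Mirrors the emitCode() pattern from the report with temp as the first RegisterID
// of a segment: finalDestination(dst) with no requested dst drops temp's last
// reference and allocates a replacement. Returns how many segments were freed
// while temp was still waiting to be passed to emitOpcode().
size_t emitPattern(bool freeEmptySegments) {
    SegmentedVector temporaries(freeEmptySegments);
    for (int i = 0; i < 4; ++i) temporaries.append(i);   // fill segment 0
    RegisterID* temp = temporaries.append(4);            // first slot of segment 1
    temporaries.removeLast();                            // finalDestination(): temp released
    RegisterID* dst = temporaries.append(5);             // finalDestination(): new register
    (void)dst; (void)temp;  // emitOpcode(dst, temp) would now read temp from freed memory
    return temporaries.segmentFrees;
}
```

With segments retained (flag false) the replacement register lands in the same slot, so temp and dst alias live memory and nothing is freed; with segments released (flag true) temp points into a freed segment before the call is even made.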