[Webkit-unassigned] [Bug 65128] New: DFG JIT bytecode parser misuses pointers into objects allocated as part of a WTF::Vector
bugzilla-daemon at webkit.org
Mon Jul 25 13:17:13 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=65128
Summary: DFG JIT bytecode parser misuses pointers into objects allocated as part of a WTF::Vector
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
The DFG JIT bytecode parser gets a reference to a DFGNode in the DFGGraph, which is a subtype of WTF::Vector<DFGNode, 64>. It then adds to the graph and, after adding to it, uses the reference several times, potentially while adding to the graph again. Adding to the graph means adding to the Vector, which in turn means that the Vector may resize its backing store. When the backing store is resized, the old reference to the DFGNode in the Vector may become a dangling reference, and subsequent uses may either corrupt memory, crash, or otherwise do bad things. The DFG bytecode parser should not keep references to the innards of a Vector alive after the Vector has been resized.
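The hazard described in the report, as an added illustration that is not WebKit code: std::vector stands in for WTF::Vector, and Node/Graph are constructed stand-ins for DFGNode/DFGGraph. The first function shows that a reference taken before an append no longer points at the live element once the backing store reallocates; the second shows the safe pattern of holding an index and re-indexing after every mutation.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-ins: std::vector plays the role of WTF::Vector<DFGNode, 64>.
struct Node {
    int op;
    size_t child;     // index of a child node, or SIZE_MAX for none
    size_t refCount;  // bookkeeping the parser updates on the parent after adding a child
};

struct Graph {
    std::vector<Node> nodes;
    size_t addNode(Node n) { nodes.push_back(n); return nodes.size() - 1; }
};

// Reproduces the defect pattern: take a reference to a node, append enough nodes to
// exceed the current capacity (forcing the backing store to move), then check whether
// the old reference still addresses the live element. Returns true when it dangles.
bool referenceDanglesAfterGrowth(Graph& g, size_t index) {
    Node& node = g.nodes[index];                               // reference into the backing store
    const Node* before = &node;
    size_t toAdd = g.nodes.capacity() - g.nodes.size() + 1;    // one past capacity guarantees a move
    for (size_t i = 0; i < toAdd; ++i)
        g.addNode({0, index, 0});
    // `node` must not be dereferenced from here on; only addresses are compared.
    return before != &g.nodes[index];
}

// Safe pattern: keep the index across the append and re-index afterwards, so the
// parent is always reached through the Vector's current backing store.
bool appendChildrenSafely(Graph& g, size_t parentIndex, size_t count) {
    for (size_t i = 0; i < count; ++i) {
        g.addNode({1, parentIndex, 0});      // may reallocate; parentIndex stays valid
        g.nodes[parentIndex].refCount++;     // re-index instead of reusing an old reference
    }
    bool ok = g.nodes[parentIndex].refCount == count && g.nodes.size() == count + 1;
    for (size_t i = 1; i < g.nodes.size(); ++i)
        ok = ok && g.nodes[i].child == parentIndex;
    return ok;
}

// Small drivers so both patterns can be exercised on a one-node graph.
bool demoDangling() { Graph g; g.addNode({0, SIZE_MAX, 0}); return referenceDanglesAfterGrowth(g, 0); }
bool demoSafe()     { Graph g; g.addNode({0, SIZE_MAX, 0}); return appendChildrenSafely(g, 0, 100); }
```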