[Webkit-unassigned] [Bug 65128] DFG JIT bytecode parser misuses pointers into objects allocated as part of a WTF::Vector
bugzilla-daemon at webkit.org
Mon Jul 25 14:46:48 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=65128
Darin Adler <darin at apple.com> changed:
What                    | Removed                | Added
------------------------|------------------------|------------------------
Attachment #101900 Flag | review+, commit-queue+ | review-, commit-queue-
--- Comment #4 from Darin Adler <darin at apple.com> 2011-07-25 14:46:48 PST ---
(From update of attachment 101900)
View in context: https://bugs.webkit.org/attachment.cgi?id=101900&action=review
> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1211
> + phiNode = m_graph[entry.m_phi]; // reload after vector resize
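Review bot: `phiNode` is a reference, so this line cannot re-point it at the element's post-resize address; it copies `m_graph[entry.m_phi]` into whatever storage `phiNode` was originally bound to, which may already have been freed by the resize. Keep `entry.m_phi` and re-fetch through a fresh reference or a pointer after the append, or make `phiNode` a pointer so that the assignment actually rebinds.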
This won’t do what you think it does!
It will copy the value from the new memory location into the old memory location.
You can’t re-point a reference to a new address with an assignment statement.
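The reference-semantics point in the comment above, as an added example that is not part of the bug report or of WebKit's code: std::vector stands in for WTF::Vector and the Node struct, graph vector and index names are constructed for illustration. The first function shows that assigning through a reference copies into the slot it already denotes; the second shows the pattern that survives growth, re-fetching by index after the append.

```cpp
#include <cstddef>
#include <vector>

// Stand-in for a DFG node stored in a growable vector (constructed example,
// not WebKit's Node or WTF::Vector).
struct Node { int op; int child; };

// BUG PATTERN from the patch: a reference is bound once, the vector grows
// (possibly reallocating), then a "reload" is attempted by assignment.
// Assignment through a reference copies the new element's value into the
// storage the reference already denotes; it never rebinds. Capacity is
// reserved up front so the demonstration itself stays well-defined.
// Returns true if the assignment wrote into the original slot.
bool assignmentDoesNotRebind() {
    std::vector<Node> graph;
    graph.reserve(4);            // no reallocation during this function
    graph.push_back({1, 0});
    graph.push_back({2, 0});
    Node& phiNode = graph[0];    // bound to slot 0
    phiNode = graph[1];          // copies graph[1] into graph[0]; phiNode is still slot 0
    return &phiNode == &graph[0] && graph[0].op == 2 && graph[1].op == 2;
}

// SAFE PATTERN: hold the index across the append, then re-lookup through a
// pointer (or a freshly declared reference) after the growth. No reference
// or pointer obtained before the append is dereferenced afterwards.
bool relookupAfterGrowth(std::size_t pushes) {
    std::vector<Node> graph;
    graph.push_back({1, 0});
    std::size_t phiIndex = 0;
    Node* phiNode = &graph[phiIndex];
    for (std::size_t i = 0; i < pushes; ++i)
        graph.push_back({3, 0});          // may reallocate; phiNode may now dangle
    phiNode = &graph[phiIndex];           // pointer assignment really rebinds
    phiNode->child = static_cast<int>(graph.size() - 1);
    return phiNode == &graph[phiIndex]
        && graph[0].child == static_cast<int>(pushes);
}
```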