[Webkit-unassigned] [Bug 65128] DFG JIT bytecode parser misuses pointers into objects allocated as part of a WTF::Vector

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 25 14:47:33 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65128





--- Comment #5 from Filip Pizlo <fpizlo at apple.com>  2011-07-25 14:47:33 PST ---
(In reply to comment #4)
> (From update of attachment 101900 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=101900&action=review
> 
> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1211
> > +            phiNode = m_graph[entry.m_phi]; // reload after vector resize
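Review bot: `phiNode` is a reference, so `phiNode = m_graph[entry.m_phi]` assigns through it instead of rebinding it: it copies the node out of the vector's new storage into the old location the reference still names, the storage the resize has just abandoned, and every later write to `phiNode` lands in that stale storage rather than in the graph. Reload through the index instead, for example by re-taking a pointer with `&m_graph[entry.m_phi]` after every point that can grow the vector, or drop the cached reference and write `m_graph[entry.m_phi]` directly at each use.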
> 
> This won’t do what you think it does!
> 
> It will copy the value from the new memory location into the old memory location.
> 
> You can’t re-point a reference to a new address with an assignment statement.

Good catch!  Fix on the way...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
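The failure mode the review describes, shown as an added example that is not part of the bug report or of WebKit's own code. `Node`, `RetainingVector`, `updateThroughReference` and `updateThroughReloadedPointer` are constructed for this demo; `RetainingVector` deliberately keeps outgrown buffers alive so that a write through a stale reference stays defined behaviour and can be observed, which is not how WTF::Vector or std::vector behave (there the old buffer is freed and the same write is a use-after-free). The names `phiNode` and `phiIndex` mirror the patch.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed stand-in for a DFG node kept in the graph's vector.
struct Node {
    int op;
    int child;
};

// Minimal growable array standing in for WTF::Vector. Unlike a real vector it
// retires outgrown buffers into 'm_retired' instead of freeing them, so that
// writing through a stale reference is still defined behaviour for the demo.
// This is instrumentation for the example only.
template <typename T>
class RetainingVector {
public:
    T& operator[](std::size_t i) { return m_data[i]; }
    std::size_t size() const { return m_size; }
    void append(const T& value) {
        if (m_size == m_capacity)
            grow();                               // references into m_data go stale here
        m_data[m_size++] = value;
    }
private:
    void grow() {
        std::size_t newCapacity = m_capacity ? m_capacity * 2 : 1;
        std::unique_ptr<T[]> fresh(new T[newCapacity]());
        for (std::size_t i = 0; i < m_size; ++i)
            fresh[i] = m_data[i];
        if (m_storage)
            m_retired.push_back(std::move(m_storage)); // keep the old buffer alive
        m_storage = std::move(fresh);
        m_data = m_storage.get();
        m_capacity = newCapacity;
    }
    std::unique_ptr<T[]> m_storage;
    std::vector<std::unique_ptr<T[]>> m_retired;
    T* m_data = nullptr;
    std::size_t m_size = 0;
    std::size_t m_capacity = 0;
};

// The pattern from the patch under review: a reference into the vector is taken,
// the vector grows, and the code tries to "reload" the reference by assignment.
// Returns the 'child' field of the live node after the attempted update.
int updateThroughReference() {
    RetainingVector<Node> graph;
    graph.append(Node{1, -1});
    std::size_t phiIndex = 0;
    Node& phiNode = graph[phiIndex];
    graph.append(Node{2, -1});         // capacity 1 -> 2: storage moves, phiNode is stale
    phiNode = graph[phiIndex];         // copies the live node INTO the old buffer; no rebind
    phiNode.child = 42;                // lands in the retired buffer
    return graph[phiIndex].child;      // still -1: the update was lost
}

// The fix: hold the index, and re-take a pointer (or re-index) after anything
// that may grow the vector.
int updateThroughReloadedPointer() {
    RetainingVector<Node> graph;
    graph.append(Node{1, -1});
    std::size_t phiIndex = 0;
    Node* phiNode = &graph[phiIndex];
    graph.append(Node{2, -1});         // may reallocate
    phiNode = &graph[phiIndex];        // reload from the index, not by assignment
    phiNode->child = 42;               // writes into live storage
    return graph[phiIndex].child;      // 42
}

int main() {
    std::printf("through reference: child = %d (expected -1, update lost)\n",
                updateThroughReference());
    std::printf("through reloaded pointer: child = %d (expected 42)\n",
                updateThroughReloadedPointer());
    return 0;
}
```

With a real WTF::Vector the first function's assignment and the following write both target freed memory; the retained buffer only makes the lost update visible without crashing. The durable rule is the one in the review: anything that can append to the vector invalidates every `Node&` and `Node*` into it, so cache the index and re-derive the pointer after each such call.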

