[Webkit-unassigned] [Bug 70691] New: BitVector isInline check could fail

bugzilla-daemon at webkit.org
Sun Oct 23 05:16:56 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=70691

           Summary: BitVector isInline check could fail
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: yuqiang.xian at intel.com
                CC: barraclough at apple.com, fpizlo at apple.com


Current BitVector uses the highest bit of m_bitsOrPointer to indicate whether it's an inlined bit set or a pointer to an outOfLine bit set. This check may fail in case the pointer also has the highest bit set, which is surely possible on IA32 (Linux). In this case the check failure can result in unexpected behaviors; for example, if the BitVector is incorrectly determined as having an inlined bit set, then setting a bit exceeding maxInlineBits will wrongly modify the memory adjacent to the BitVector object, which causes hard-to-root-cause runtime errors, such as the failure of the 32-bit DFG Release build on Linux w/ the function inlining capability, where in DFGByteCodeParser the bit set on m_preservedVars wrongly modifies the adjacent memory (&m_parameterSlots).

One possible fix is to use the lowest bit of m_bitsOrPointer to indicate inline or out-of-line, based on the assumption that the pointer to OutOfLineBits should be 4- or 8-byte aligned (please correct me if we can safely make this assumption). We could mark the lowest bit (bit 0) with 1 for an inlined bit set, and bits 1~bitsInPointer are used for bit set/test. In this case we need to do one more bit of shifting for bit set/test.

A patch is forthcoming, but are there any better ideas...?

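The following is an added illustration of the failure mode and of the proposed fix; it is not code from the bug report or from JavaScriptCore's BitVector. It simulates the IA32 case with a fixed 32-bit word so it behaves the same on any host, and models the two tagging schemes side by side: the highest-bit tag the report describes, and the lowest-bit tag it proposes (which depends on the out-of-line pointer being at least 2-byte aligned). The names HighBitTag, LowBitTag, Layout, simulateSet and inlineTest, and the sample address 0xB7F01000 (a 4-byte-aligned address with the top bit set, as an mmap'd region on 32-bit Linux can be), are all constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>

// Simulate the IA32 case with a fixed 32-bit word so the demonstration does
// not depend on the host's pointer size.
using Word = uint32_t;
constexpr unsigned bitsInWord = 32;

// Where a set() lands. Neighbour means the write went one word past the
// vector's own word, onto whatever member or object sits next to it.
enum class Target { OutOfLine, InlineWord, Neighbour };

// Scheme the report describes: highest bit set means "inline bits".
struct HighBitTag {
    static constexpr Word tag = Word(1) << (bitsInWord - 1);
    static bool isInline(Word w) { return (w & tag) != 0; }
    static Word emptyInline() { return tag; }
    static unsigned position(unsigned bit) { return bit; }      // bit i lives at bit i
};

// Scheme the report proposes: lowest bit set means "inline bits". Assumes the
// out-of-line pointer is at least 2-byte aligned, so its bit 0 is always clear.
struct LowBitTag {
    static constexpr Word tag = 1;
    static bool isInline(Word w) { return (w & tag) != 0; }
    static Word emptyInline() { return tag; }
    static unsigned position(unsigned bit) { return bit + 1; }  // one extra shift
};

// Two adjacent words: storage[0] plays the role of m_bitsOrPointer, storage[1]
// the member that follows it in the enclosing object.
struct Layout {
    Word storage[2] = {0, 0};
};

// Model of set(bit) on a vector whose tagged word currently holds 'word'.
// Only bit positions that fall inside the two-word layout are written.
template <class Tag>
Target simulateSet(Layout& l, Word word, unsigned bit) {
    l.storage[0] = word;
    if (!Tag::isInline(word))
        return Target::OutOfLine;                 // real code would follow the pointer
    unsigned pos = Tag::position(bit);
    unsigned slot = pos / bitsInWord;             // 0: own word, 1: the adjacent word
    if (slot > 1)
        return Target::Neighbour;                 // beyond the modelled layout, still out of bounds
    l.storage[slot] |= Word(1) << (pos % bitsInWord);
    return slot == 0 ? Target::InlineWord : Target::Neighbour;
}

// Model of test(bit) for a word that holds inline bits.
template <class Tag>
bool inlineTest(Word word, unsigned bit) {
    return Tag::isInline(word) && ((word >> Tag::position(bit)) & 1) != 0;
}

// Constructed sample address: 4-byte aligned, highest bit set.
constexpr Word kHighPointer = 0xB7F01000u;

int main() {
    Layout a, b;
    // High-bit tag: the pointer looks like an inline word, and set(33) on a
    // 32-bit word writes one word past the vector, into the neighbour.
    Target ta = simulateSet<HighBitTag>(a, kHighPointer, 33);
    std::printf("high-bit tag: isInline=%d target=%d neighbour=0x%08x\n",
                HighBitTag::isInline(kHighPointer), int(ta), a.storage[1]);
    // Low-bit tag: the same pointer value is classified as out-of-line.
    Target tb = simulateSet<LowBitTag>(b, kHighPointer, 33);
    std::printf("low-bit tag:  isInline=%d target=%d neighbour=0x%08x\n",
                LowBitTag::isInline(kHighPointer), int(tb), b.storage[1]);
    return 0;
}
```

Under the high-bit scheme the constructed pointer 0xB7F01000 is misclassified as inline, and set(33) lands in the adjacent word, which is the pattern the report attributes to m_preservedVars clobbering &m_parameterSlots. Under the low-bit scheme the same value is correctly treated as a pointer, at the cost of one extra shift for every inline set/test and one fewer usable inline bit.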