[Webkit-unassigned] [Bug 109836] New: [JIT] Memory overwrite by Math object functions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 14 08:13:19 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=109836

           Summary: [JIT] Memory overwrite by Math object functions
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: w.bielawski at samsung.com


Created an attachment (id=188355)
 --> (https://bugs.webkit.org/attachment.cgi?id=188355&action=review)
Callstack of memory overwrite issue

Below functions of Math object causes memory overwrite for big numbers (greater than 2^31) on 32bit platforms (i386, arm)
abs()
ceil()
exp()
floor()
log()
round()
sqrt()

Valgrind reports:

==32656== Thread 1:
==32656== Invalid write of size 8
==32656==    at 0x804142B: ???
==32656==    by 0x56E30E9: JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (in /home/wojtek/Projekty/webkit/webkit.org/WebKit/WebKitBuild/Release/lib/libewebkit2.so.0.1.0)
==32656==    by 0x570F58D: JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) (in /home/wojtek/Projekty/webkit/webkit.org/WebKit/WebKitBuild/Release/lib/libewebkit2.so.0.1.0)
==32656==    by 0x4C0F210: WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) (in /home/wojtek/Projekty/webkit/webkit.org/WebKit/WebKitBuild/Release/lib/libewebkit2.so.0.1.0)
==32656==    by 0xA4A44B7: ???
==32656==  Address 0xbeb95b44 is just below the stack ptr.  To suppress, use: --workaround-gcc296-bugs=yes

Full gdb backtrace attached.

The issue is not reproducible when JIT is disabled.

Example JavaScript code that causes memory overwrite:
<script>
var x = Math.floor(100000000000000000000000000000000000000000);
</script>

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list