[Webkit-unassigned] [Bug 116593] New: Use uninitialized register in "JIT::emit_op_neq_null" and "emit_op_eq_null"
bugzilla-daemon at webkit.org
Tue May 21 23:26:53 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=116593
Summary: Use uninitialized register in "JIT::emit_op_neq_null" and "emit_op_eq_null"
Product: WebKit
Version: 528+ (Nightly build)
Platform: Other
OS/Version: Other
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: peter.wang at torchmobile.com.cn
In JITOpcodes32_64.cpp:794 and JITOpcodes32_64.cpp:825, the statement
loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
uses an uninitialized register. This mistake will cause random crashes.
My port is based on ARMv7; repeatedly invoking the following JS code will cause a crash:
----------------------------------------------------------------------------
function crush()
{
    // document.all masquerades as undefined, so "!= null" cannot be decided from the
    // value tag alone and takes the path that reads the object's Structure (emit_op_neq_null).
    return (document.all!=null && b);
}
----------------------------------------------------------------------------
The gdb output
----------------------------------------------------------------------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to pid 38916178 tid 3 name "webkit_main"]
0x79697bf4 in ?? ()
(gdb) bt
#0 0x79697bf4 in ?? ()
#1 0x79697c74 in ?? ()
#2 0x79697c74 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/50i 0x79697bc4
0x79697bc4: adds r3, #90 ; 0x5a
0x79697bc6: str r0, [r3, #0]
0x79697bc8: movw r3, #31220
0x79697bcc: movt r3, #31578
0x79697bd0: str r1, [r3, #0]
0x79697bd2: str r0, [r5, #0] // Following instructions are generated by "emit_op_neq_null"
0x79697bd4: str r1, [r5, #4]
0x79697bd6: cmn.w r1, #5
0x79697bda: bne.n 0x79697c00
0x79697bdc: ldr r1, [r0, #0]
0x79697bde: ldrb.w r3, [r1, #53]
0x79697be2: tst.w r3, #1
0x79697be6: bne.n 0x79697bec
0x79697be8: movs r1, #1
0x79697bea: b.n 0x79697c16
0x79697bec: movw r0, #61496
0x79697bf0: movt r0, #31128
=> 0x79697bf4: ldr r2, [r2, #4] // Generated by JITOpcodes32_64.cpp:825
0x79697bf6: cmp r0, r2
(gdb) p/x $r2 // The content of r2 is an invalid address
$1 = 0xfffffffb
----------------------------------------------------------------------------
Dumped bytecode
----------------------------------------------------------------------------
Source: function IsFilterNeeded() { return (document.all!=null && b); }
[ 0] enter
[ 1] resolve r1, document(@id0), 2067299048
[ 6] get_by_id r0, r1, all(@id1)
[ 15] neq_null r0, r0
[ 18] jfalse r0, 8(->26)
[ 21] resolve r0, b(@id2), 2067299060
[ 26] ret r0
Identifiers:
id0 = document
id1 = all
id2 = b
----------------------------------------------------------------------------
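The claim in the report can be checked mechanically against the listing. The following is an added example, not part of the report or of WebKit: it walks every intra-block path through the emit_op_neq_null block from the gdb output above (the reporter's `//` comments removed) and flags any register that is read before an instruction in the block has written it. It assumes that r0 and r1 (the operand's payload and tag, which the block stores to the frame in its first two instructions) and r5 (the call frame register) are live on entry; that register convention is an assumption about the JIT, not something the report states.

```python
"""Use-before-def check over a gdb 'x/Ni' listing of JIT-emitted Thumb-2 code."""
import re

# Constructed input: the emit_op_neq_null block copied from the report's gdb output.
REPORTED_LISTING = """
0x79697bd2: str r0, [r5, #0]
0x79697bd4: str r1, [r5, #4]
0x79697bd6: cmn.w r1, #5
0x79697bda: bne.n 0x79697c00
0x79697bdc: ldr r1, [r0, #0]
0x79697bde: ldrb.w r3, [r1, #53]
0x79697be2: tst.w r3, #1
0x79697be6: bne.n 0x79697bec
0x79697be8: movs r1, #1
0x79697bea: b.n 0x79697c16
0x79697bec: movw r0, #61496
0x79697bf0: movt r0, #31128
0x79697bf4: ldr r2, [r2, #4]
0x79697bf6: cmp r0, r2
"""

# Assumption about the JIT's register convention at block entry (see lead-in).
LIVE_IN = {"r0", "r1", "r5"}

LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):\s+(\S+)\s*(.*?)\s*$")
REG_RE = re.compile(r"\b(r\d+|sp|lr|pc)\b")
COND_CODES = {"", "eq", "ne", "cs", "hs", "cc", "lo", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le", "al"}
# Mnemonics whose every register operand is only read.
READ_ALL = {"str", "strb", "strh", "strd", "cmp", "cmn", "tst", "teq", "push"}
# Mnemonics that both read and write their first register (movt keeps the low half).
READ_MODIFY_WRITE = {"movt"}


def parse_listing(text):
    """Return [(addr, mnemonic without .w/.n width suffix, operand string)]."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.groups()
        mnem = mnem.lower()
        for suffix in (".w", ".n"):
            if mnem.endswith(suffix):
                mnem = mnem[: -len(suffix)]
        insns.append((int(addr, 16), mnem, ops))
    return insns


def branch_target(mnem, ops):
    """(is_branch, is_conditional, target) for b / b<cond>; (False, False, None) otherwise."""
    if mnem.startswith("b") and mnem[1:] in COND_CODES:
        return True, mnem[1:] not in ("", "al"), int(ops, 16)
    return False, False, None


def uses_and_defs(mnem, ops):
    """Split the registers an instruction touches into (read set, written set)."""
    regs = REG_RE.findall(ops)
    if not regs:
        return set(), set()
    if mnem in READ_ALL:
        return set(regs), set()
    first, rest = regs[0], set(regs[1:])
    if mnem in READ_MODIFY_WRITE:
        rest.add(first)
    return rest, {first}


def find_uses_before_def(text, live_in):
    """Every (addr, reg) read on some path before the block has written reg."""
    insns = parse_listing(text)
    index = {addr: i for i, (addr, _, _) in enumerate(insns)}
    findings, seen = set(), set()
    stack = [(0, frozenset(live_in))]
    while stack:
        i, defined = stack.pop()
        if i >= len(insns) or (i, defined) in seen:
            continue  # fell off the listing, or this state was already explored
        seen.add((i, defined))
        addr, mnem, ops = insns[i]
        uses, defs = uses_and_defs(mnem, ops)
        for reg in uses - defined:
            findings.add((hex(addr), reg))
        defined = defined | defs
        is_branch, conditional, target = branch_target(mnem, ops)
        if not is_branch or conditional:
            stack.append((i + 1, defined))
        if is_branch and target in index:  # a target outside the listing ends the path
            stack.append((index[target], defined))
    return sorted(findings)


if __name__ == "__main__":
    for addr, reg in find_uses_before_def(REPORTED_LISTING, LIVE_IN):
        print(f"{addr}: {reg} read before any write in the block")
```

The only hit is r2 at 0x79697bf4, the `ldr r2, [r2, #4]` that the report attributes to JITOpcodes32_64.cpp:825. The other registers the block reads are either live-in or written first: r1 by the `ldr` at 0x79697bdc and r3 by the `ldrb.w` at 0x79697bde. The path-sensitive walk matters because the `bne.n 0x79697bec` skips the `movs r1, #1`; a straight-line scan would credit a write that the crashing path never executes.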