[Webkit-unassigned] [Bug 140743] New: BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope
bugzilla-daemon at webkit.org
Wed Jan 21 14:46:39 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=140743
Bug ID: 140743
Summary: BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
Steps to reproduce:
1. Go to https://bugreport.apple.com/problem/viewproblem?problemID=18702537
2. Log in.
BytecodeGenerator::initializeCapturedVariable() is setting the 5th operand to op_put_to_scope to an inappropriate value. As a result, the execution of put_to_scope could store a wrong inferred value into the VariableWatchpointSet for whichever captured variable is at local index 0. In practice, this turns out to be the local for the Arguments object. In this example, the wrong inferred value written there is the boolean true.
Subsequently, DFG compilation occurs and CreateArguments is emitted to first do a check of the local for the Arguments object. But because that local has a wrong inferred value, the check always discovers a non-null value and we never actually create the Arguments object. Immediately after this, an OSR exit occurs, leaving the Arguments object local uninitialized. Later on, at arguments tear off, we run into a boolean true where we had expected to find an Arguments object, which, in turn, leads to the crash.