[Webkit-unassigned] [Bug 146807] New: SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 9 14:01:58 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=146807

            Bug ID: 146807
           Summary: SymbolTable::entryFor() should do a bounds check
                    before indexing into the localToEntry vector.
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

When we capture an argument by name and we use "arguments", we put all of the arguments into the scope. But destructured arguments are put into the scope anonymously, i.e. the SymbolTable knows that the scope offset is in use via SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in SymbolTable::m_map.

The SymbolTable's m_localToEntry vector is synthesized from its m_map, and so its size is based on the largest ScopeOffset present in the m_map. If the anonymous argument is at a higher ScopeOffset than all of the named arguments, then m_localToEntry will not have an entry for it, i.e. the m_localToEntry vector will have a size that is <= the ScopeOffset of the anonymous argument.

Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is within the bounds of the m_localToEntry vector before indexing into it.
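The following is an added illustration, not code from WebKit or from the reporter. It uses a deliberately simplified, hypothetical SymbolTable (the ScopeOffset, SymbolTableEntry, addNamed and addAnonymous names are assumptions, not JavaScriptCore's real API) to reproduce the shape of the problem: m_localToEntry is synthesized from m_map alone, so an anonymous slot at a higher offset has no entry, and entryFor() has to bounds-check the offset before indexing.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical, simplified stand-ins for JavaScriptCore's ScopeOffset and
// SymbolTableEntry; the real types are not reproduced here.
using ScopeOffset = size_t;
constexpr ScopeOffset kNoOffset = static_cast<ScopeOffset>(-1);

struct SymbolTableEntry {
    std::string name;
    ScopeOffset offset;
};

class SymbolTable {
public:
    // A named variable: recorded in m_map and counted in m_maxScopeOffset.
    void addNamed(const std::string& name, ScopeOffset offset) {
        m_map[name] = SymbolTableEntry{name, offset};
        bumpMaxScopeOffset(offset);
        m_localToEntryDirty = true;
    }

    // An anonymous slot, as the report describes for destructured arguments:
    // it advances m_maxScopeOffset but never appears in m_map.
    void addAnonymous(ScopeOffset offset) { bumpMaxScopeOffset(offset); }

    ScopeOffset maxScopeOffset() const { return m_maxScopeOffset; }

    // Exposed so the size mismatch the report describes can be observed.
    size_t localToEntrySize() { return localToEntry().size(); }

    // The checked lookup the report asks for: an offset at or past the end of
    // m_localToEntry (an anonymous slot, or a bogus offset) yields nullptr
    // instead of an out-of-bounds read.
    const SymbolTableEntry* entryFor(ScopeOffset offset) {
        const auto& table = localToEntry();
        if (offset >= table.size())
            return nullptr;
        return table[offset];
    }

private:
    void bumpMaxScopeOffset(ScopeOffset offset) {
        if (m_maxScopeOffset == kNoOffset || offset > m_maxScopeOffset)
            m_maxScopeOffset = offset;
    }

    // Synthesize m_localToEntry from m_map alone, sized to the largest named
    // offset + 1. This is the sizing rule that leaves a higher anonymous
    // offset without a slot. Pointers into std::map nodes stay stable.
    const std::vector<const SymbolTableEntry*>& localToEntry() {
        if (m_localToEntryDirty) {
            size_t size = 0;
            for (const auto& kv : m_map)
                size = std::max(size, kv.second.offset + 1);
            m_localToEntry.assign(size, nullptr);
            for (const auto& kv : m_map)
                m_localToEntry[kv.second.offset] = &kv.second;
            m_localToEntryDirty = false;
        }
        return m_localToEntry;
    }

    std::map<std::string, SymbolTableEntry> m_map;
    std::vector<const SymbolTableEntry*> m_localToEntry;
    ScopeOffset m_maxScopeOffset = kNoOffset;
    bool m_localToEntryDirty = true;
};

// Constructed scenario from the report: named arguments "a" and "b" at offsets
// 0 and 1, and a destructured (anonymous) argument at the higher offset 2.
static void buildReportScenario(SymbolTable& table) {
    table.addNamed("a", 0);
    table.addNamed("b", 1);
    table.addAnonymous(2);
}

size_t reportScenarioLocalToEntrySize() {
    SymbolTable table;
    buildReportScenario(table);
    return table.localToEntrySize();   // 2: one slot per named offset only
}

size_t reportScenarioMaxScopeOffset() {
    SymbolTable table;
    buildReportScenario(table);
    return table.maxScopeOffset();     // 2: the anonymous slot is counted here
}

// Name found at an offset, or "" when the checked lookup returns nullptr.
std::string reportScenarioNameAt(ScopeOffset offset) {
    SymbolTable table;
    buildReportScenario(table);
    const SymbolTableEntry* entry = table.entryFor(offset);
    return entry ? entry->name : std::string();
}

int main() {
    std::printf("m_localToEntry size: %zu, m_maxScopeOffset: %zu\n",
                reportScenarioLocalToEntrySize(), reportScenarioMaxScopeOffset());
    for (ScopeOffset offset = 0; offset <= 3; ++offset)
        std::printf("entryFor(%zu) -> \"%s\"\n", offset, reportScenarioNameAt(offset).c_str());
    return 0;
}
```

With the scenario above, m_maxScopeOffset is 2 while m_localToEntry has only two slots, exactly the size <= ScopeOffset condition the report describes; the bounds check in entryFor() turns what would otherwise be an out-of-bounds vector read into a null result that the caller can handle.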
