[Webkit-unassigned] [Bug 146807] New: SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
bugzilla-daemon at webkit.org
Thu Jul 9 14:01:58 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=146807
Bug ID: 146807
Summary: SymbolTable::entryFor() should do a bounds check
before indexing into the localToEntry vector.
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
When we capture an argument by name and we use "arguments", we put all of the arguments into the scope. But destructured arguments are put into the scope anonymously i.e. the SymbolTable knows that the scope offset is in use via SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in SymbolTable::m_map.
The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will have a size which is based on the largest ScopeOffset in the m_map. If we have a scenario where the anonymous argument is at a higher ScopeOffset than all the named arguments, then the m_localToEntry will not have an entry for it, i.e. the m_localToEntry vector will have a size that is <= the ScopeOffset of the anonymous argument.
Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is within the bounds of the m_localToEntry vector before indexing into it.
--
You are receiving this mail because:
You are the assignee for the bug.
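The size mismatch described in the report, as an added example that is not part of the original message and is not JavaScriptCore code. It is a simplified model: `ToySymbolTable`, `addNamed`, `addAnonymous`, `fillScenario` and the plain integer offsets are hypothetical stand-ins for SymbolTable, m_map, m_maxScopeOffset and m_localToEntry.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Simplified model (assumption, not WebKit source): scope offsets are plain integers.
struct ToySymbolTable {
    std::map<std::string, uint32_t> map;    // named variables only (models m_map)
    uint32_t maxScopeOffset = 0;            // highest offset in use (models m_maxScopeOffset)
    std::vector<std::string> localToEntry;  // offset -> name (models m_localToEntry)

    void addNamed(const std::string& name, uint32_t offset) {
        map[name] = offset;
        maxScopeOffset = std::max(maxScopeOffset, offset);
    }
    // An anonymous slot is reserved in the scope but never recorded in the map.
    void addAnonymous(uint32_t offset) { maxScopeOffset = std::max(maxScopeOffset, offset); }

    // The vector is sized from the largest offset in the map, not from maxScopeOffset.
    void buildLocalToEntry() {
        size_t size = 0;
        for (const auto& kv : map) size = std::max<size_t>(size, kv.second + 1u);
        localToEntry.assign(size, std::string());
        for (const auto& kv : map) localToEntry[kv.second] = kv.first;
    }

    // Bounds-checked lookup: an offset past the vector (or an unnamed hole) has no entry.
    const std::string* entryFor(uint32_t offset) const {
        if (offset >= localToEntry.size()) return nullptr;
        return localToEntry[offset].empty() ? nullptr : &localToEntry[offset];
    }
};

// Constructed scenario: two named arguments, then one anonymous argument above them.
void fillScenario(ToySymbolTable& t) {
    t.addNamed("a", 0);
    t.addNamed("b", 1);
    t.addAnonymous(2);
    t.buildLocalToEntry();
}

int main() {
    ToySymbolTable t;
    fillScenario(t);
    std::printf("max offset %u, vector size %zu, entryFor(2) %s\n", (unsigned)t.maxScopeOffset,
                t.localToEntry.size(), t.entryFor(2) ? "found" : "none");
}
```

Without the size check in `entryFor`, the lookup for offset 2 would index one element past the end of a two-element vector.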