[Webkit-unassigned] [Bug 160870] New: Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 15 15:28:14 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=160870

            Bug ID: 160870
           Summary: Member call on NULL pointer in
                    JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jbedard at apple.com

In a few cases (js/regress/simple-regexp-exec-folding.html, for example) forAllTransitiveIncomingValues in PhiChildren (JavaScriptCore/dfg/DFGPhiChildren.h) is called from a NULL pointer.  Because of the current implementation of forAllTransitiveIncomingValues, this does not currently cause a crash.  It is, however, an obvious bug, especially because in another case, the caller checks the PhiChildren pointer before calling this function.

NULL pointer: JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h line 1997
Analogous call: JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h line 2273

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160815/860bcb1e/attachment.html>

More information about the webkit-unassigned mailing list