[Webkit-unassigned] [Bug 160870] Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 20 21:51:38 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=160870

--- Comment #11 from Saam Barati <sbarati at apple.com> ---
(In reply to comment #9)
> A quick update on Daren's request: This is going to be a very difficult
> change to test.  The most obvious way would be to integrate undefined
> behavior sanitizer into our testing infrastructure, although this is many
> months off if it will happen at all.
> 
> The other method of testing would be to construct a test which would crash
> without this change.  While this is likely possible, it's unclear to me what
> such a test would look like.  While attempting to construct a test which
> would crash without this change, I discovered that it really only seems to
> be js/regress/simple-regexp-exec-folding.html which exhibits the bug, but
> even this test will not always exhibit this error (most notably, if the
> number of iterations through the loop is decreased, the error will no longer
> occur).
So there is a test where we call this function on a nullptr?
If so, why don't we crash? Does that function not load any fields?
If not, I'm a bit confused as to what your explanation for needing this
check is. I'm not too familiar with which states this particular field can be null in,
but there are other places where we allow for null in a pointer field
but later access it without a null check, because other conditions
being true imply that the field is non-null. (This may or may not
be the case here.)

> 
> If uncovering the precise code path which triggers this bug is important, I
> can continue to investigate.  However, I don't think continued investigation
> is worthwhile, as an analogous case in forAllTransitiveIncomingValues
> performs this check.


