[Webkit-unassigned] [Bug 229235] REGRESSION(r??????): Crash in JSC::FTL::saveAllRegisters
bugzilla-daemon at webkit.org
Tue Aug 24 02:35:31 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=229235
--- Comment #10 from Zan Dobersek <zan at falconsigh.net> ---
With GCC 10, when an OOB assert is placed in Bitmap<>::get(), it's triggered later in FTL::saveAllRegisters(), when saving all the FPR registers. When passing the MacroAssembler::lastRegister() value to Regs::nextFPRegister(), this method immediately collects the index value of the next FP register, which ends up being 32, which causes access beyond the bounds of Bitmap's std::array<>.
An additional check in Regs::nextFPRegister() would fix that:
```cpp
while (next <= MacroAssembler::lastFPRegister() && special.get(next))
    next = MacroAssembler::nextFPRegister(next);
```
But this doesn't exactly match the backtraces.
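To make the indexing in the comment above concrete, here is an added example (not code from the bug report or from WebKit) that models the described shape with a constructed 32-bit Bitmap over a std::array and a flat 0..31 FP register numbering: the walk in the original order asks the bitmap for bit 32 once it reaches the last register, while the guarded loop quoted in the comment tests the bound before touching the bitmap.

```cpp
#include <array>
#include <cstdint>
#include <stdexcept>

// Constructed stand-in for JSC's Bitmap<>: bits live in a fixed-size std::array
// of words, and get()/set() throw where the comment's OOB assert would fire.
template <unsigned bitCount>
class Bitmap {
public:
    bool get(unsigned index) const {
        if (index >= bitCount) throw std::out_of_range("Bitmap::get: index beyond bitCount");
        return m_bits[index / 32] & (1u << (index % 32));
    }
    void set(unsigned index) {
        if (index >= bitCount) throw std::out_of_range("Bitmap::set: index beyond bitCount");
        m_bits[index / 32] |= 1u << (index % 32);
    }
private:
    std::array<uint32_t, (bitCount + 31) / 32> m_bits {};
};

// Constructed register numbering: FP registers 0..31, so stepping past the last one yields 32.
constexpr unsigned lastFPRegister = 31;
constexpr unsigned fpRegisterCount = lastFPRegister + 1;
constexpr unsigned nextFPRegister(unsigned reg) { return reg + 1; }

// Same order as the loop the comment describes: special.get() runs before any
// bound check, so reaching register 31 asks the bitmap for bit 32.
unsigned nextFreeFPRegisterUnchecked(const Bitmap<fpRegisterCount>& special, unsigned reg) {
    unsigned next = nextFPRegister(reg);
    while (special.get(next))
        next = nextFPRegister(next);
    return next;
}

// The guarded loop from the comment: compare with lastFPRegister before touching the bitmap.
unsigned nextFreeFPRegisterChecked(const Bitmap<fpRegisterCount>& special, unsigned reg) {
    unsigned next = nextFPRegister(reg);
    while (next <= lastFPRegister && special.get(next))
        next = nextFPRegister(next);
    return next; // fpRegisterCount (32) means no register is left
}

// True when the unchecked walk indexes past the bitmap, i.e. the reported crash.
bool uncheckedWalkOverruns(const Bitmap<fpRegisterCount>& special, unsigned reg) {
    try { nextFreeFPRegisterUnchecked(special, reg); return false; }
    catch (const std::out_of_range&) { return true; }
}
// Constructed scenario: FP registers 30 and 31 are reserved ("special").
Bitmap<fpRegisterCount> makeSpecialSet() { Bitmap<fpRegisterCount> s; s.set(30); s.set(31); return s; }
```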