[Webkit-unassigned] [Bug 223896] UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool'

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 29 18:21:35 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=223896

Darin Adler <darin at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |darin at apple.com

--- Comment #3 from Darin Adler <darin at apple.com> ---
The issue is that parseString does not set the escaped flag, but parseIdentifier does. When the token is an actual STRING, the escaped flag is uninitialized. Only when wasIdent is set to true and we either fall through to this case or use "goto namedProperty" to join the code in this case is the escaped flag properly initialized.

The code doesn’t actually look at the escaped flag unless wasIdent is true, so the issue is really how the code is structured. The smallest possible fix is probably this:

    bool escaped = wasIdent && m_token.m_data.escaped;

But there are probably many other ways to rearrange the code to avoid the reliance on undefined behavior.

-- 
You are receiving this mail because:
You are the assignee for the bug.
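To make the flag-initialization problem concrete, here is a small model of it as an added example (not WebKit's code, and simplified compared with JSC's real token and parser structures). The flag is tracked with an explicit "was it ever written" bit so that reading an unset flag is detected deterministically instead of being undefined behaviour as it is in the real parser. All names (Token, parseString, parseIdentifier, parsePropertyBuggy, parsePropertyFixed, parseStringInitialized) are hypothetical.

```cpp
#include <string>

enum class TokenType { STRING, IDENT };

struct Token {
    TokenType type = TokenType::STRING;
    std::string text;
    bool escaped = false;        // the flag parseProperty wants
    bool escapedSet = false;     // instrumentation: was `escaped` ever written?
    int uninitializedReads = 0;  // instrumentation: reads of a never-written flag

    // Models loading the flag; records the load if nothing ever stored it.
    bool readEscaped() {
        if (!escapedSet)
            ++uninitializedReads;
        return escaped;
    }
};

// String path: never writes the flag (this is the situation in the report).
static Token parseString(const std::string& s) {
    Token t;
    t.type = TokenType::STRING;
    t.text = s;
    return t;
}

// Identifier path: always writes the flag.
static Token parseIdentifier(const std::string& s, bool hadEscape) {
    Token t;
    t.type = TokenType::IDENT;
    t.text = s;
    t.escaped = hadEscape;
    t.escapedSet = true;
    return t;
}

// Before the fix: the flag is loaded on every path, so a STRING token reads
// a value nothing initialized, even though the result is only used when wasIdent.
static bool parsePropertyBuggy(Token& token) {
    bool wasIdent = token.type == TokenType::IDENT;
    bool escaped = token.readEscaped();
    return wasIdent && escaped;
}

// The smallest fix from the comment: `&&` short-circuits, so the flag is
// only loaded when the token really was an identifier.
static bool parsePropertyFixed(Token& token) {
    bool wasIdent = token.type == TokenType::IDENT;
    bool escaped = wasIdent && token.readEscaped();
    return escaped;
}

// Structural alternative: have the string path initialize the flag as well,
// so the flag has a defined value no matter how parseProperty is written.
static Token parseStringInitialized(const std::string& s) {
    Token t = parseString(s);
    t.escaped = false;  // a string-literal key has no identifier escape
    t.escapedSet = true;
    return t;
}
```

Both approaches remove the invalid load; the guard is the minimal change at the use site, while initializing on every producing path is the more robust choice because it does not depend on every consumer remembering to check wasIdent first.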