[Webkit-unassigned] [Bug 249064] New: Web Inspector: Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 9 19:50:13 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=249064

            Bug ID: 249064
           Summary: Web Inspector: Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Inspector
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: inspector-bugzilla-changes at group.apple.com,
                    pangle at apple.com

Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable() in Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp.

There are two places where `oldJITCodeRef` is used after being moved in a RELEASE_ASSERT() statement.

```cpp
        [...]
        switch (kind) {
        case JSC::CodeForCall:
            ASSERT(!replacedThunk->callThunk);
            replacedThunk->callThunk = WTFMove(oldJITCodeRef);

            ASSERT(!replacedThunk->callArityThunk);
            replacedThunk->callArityThunk = WTFMove(oldArityJITCodeRef);

            RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeCall(vm)).code());  // Use-after-move of `oldJITCodeRef`.
            break;

        case JSC::CodeForConstruct:
            ASSERT(!replacedThunk->constructThunk);
            replacedThunk->constructThunk = WTFMove(oldJITCodeRef);

            ASSERT(!replacedThunk->constructArityThunk);
            replacedThunk->constructArityThunk = WTFMove(oldArityJITCodeRef);

            RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeConstruct(vm)).code());  // Use-after-move of `oldJITCodeRef`.
            break;
        }
        [...]
```
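To make the failure mode concrete, here is a small self-contained model of the pattern above. It is an added illustration, not WebKit code: `JITCodeRef`, `ReplacedThunk` and `makeRef` are hypothetical stand-ins for JSC's types, and `std::move` plays the role of `WTFMove`. The buggy function reads the moved-from source, so the check never compares the real code address; the fixed variant captures the value before the move and verifies the destination instead.

```cpp
#include <cassert>
#include <cstdint>
#include <memory>
#include <utility>

// Hypothetical stand-in for a JIT code reference (not JSC's real type):
// owns a handle to an executable address through a unique_ptr, so a
// moved-from instance holds nullptr, exactly like a moved-from Ref/RefPtr.
struct JITCodeRef {
    std::unique_ptr<uintptr_t> handle;
    uintptr_t code() const { return handle ? *handle : 0; }  // 0 when moved-from
};

struct ReplacedThunk {
    JITCodeRef callThunk;
};

JITCodeRef makeRef(uintptr_t addr) {
    return JITCodeRef{std::make_unique<uintptr_t>(addr)};
}

// Buggy sequence: move first, then inspect the source. Returns what the
// RELEASE_ASSERT condition would evaluate to (it can never be true for a
// non-zero expected address, so the assert would fire or, with a zero
// sentinel, pass vacuously).
bool buggyCheckPasses(uintptr_t addr, uintptr_t expected) {
    ReplacedThunk thunk;
    JITCodeRef oldRef = makeRef(addr);
    thunk.callThunk = std::move(oldRef);
    return oldRef.code() == expected;  // use-after-move: oldRef.code() is 0
}

// Fixed sequence: read the value before the move, then confirm the
// destination actually received it.
bool fixedCheckPasses(uintptr_t addr, uintptr_t expected) {
    ReplacedThunk thunk;
    JITCodeRef oldRef = makeRef(addr);
    uintptr_t code = oldRef.code();            // captured before the move
    thunk.callThunk = std::move(oldRef);
    return code == expected && thunk.callThunk.code() == code;
}

int main() {
    assert(!buggyCheckPasses(0x1000, 0x1000));  // the intended check is lost
    assert(fixedCheckPasses(0x1000, 0x1000));
    assert(!fixedCheckPasses(0x2000, 0x1000));  // a real mismatch is still caught
    return 0;
}
```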
