[Webkit-unassigned] [Bug 258757] New: Undefined behavior in FunctionExecutable::lastLine()
bugzilla-daemon at webkit.org
Fri Jun 30 16:40:21 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=258757
Bug ID: 258757
Summary: Undefined behavior in FunctionExecutable::lastLine()
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: cdumez at apple.com
CC: mark.lam at apple.com
Undefined behavior in FunctionExecutable::lastLine() when running media/modern-media-controls/pip-support/pip-support-click.html with UBSan:
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Volumes/Work/WebKit/OpenSource/WebKitBuild/Release/DerivedSources/JavaScriptCore/BytecodeStructs.h:16853:71 in
runtime/FunctionExecutable.h:208:28: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```
Code looks like:
```
int lastLine() const
{
    return firstLine() + lineCount();
}
```
Looks to me that lineCount() returns either an uninitialized value or -1 that was cast to an unsigned type.
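As an added illustration (not code from the report or from WebKit), the same sum done with an overflow check, assuming both operands are plain int as the UBSan message indicates; the operands in main are constructed to match the reported 1 + 2147483647:

```cpp
#include <climits>
#include <cstdio>

// Overflow-checked int addition using only standard headers.
// Returns false (and leaves out untouched) when a + b does not fit in int,
// so the caller never evaluates the undefined-behavior sum.
bool checkedAdd(int a, int b, int& out)
{
    if (b > 0 && a > INT_MAX - b)
        return false; // sum would exceed INT_MAX
    if (b < 0 && a < INT_MIN - b)
        return false; // sum would go below INT_MIN
    out = a + b;
    return true;
}

// Checked counterpart of lastLine(): firstLine() + lineCount() with the
// overflow reported instead of silently invoking UB. A lineCount near INT_MAX
// is the symptom the report describes, so a false return is the signal that
// the stored line count is bogus.
bool checkedLastLine(int firstLine, int lineCount, int& lastLine)
{
    return checkedAdd(firstLine, lineCount, lastLine);
}

int main()
{
    int result = 0;
    // Constructed operands matching the UBSan message.
    if (!checkedLastLine(1, INT_MAX, result))
        std::printf("1 + INT_MAX does not fit in int: overflow detected\n");
    if (checkedLastLine(10, 5, result))
        std::printf("10 + 5 = %d\n", result);
    return 0;
}
```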