Title: [288235] releases/WebKitGTK/webkit-2.34/Source/_javascript_Core
Revision: 288235
Author: [email protected]
Date: 2022-01-19 13:17:54 -0800 (Wed, 19 Jan 2022)
Log Message
Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
https://bugs.webkit.org/show_bug.cgi?id=231252
rdar://83310320
Reviewed by Yusuke Suzuki.
We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
Adding a null check here as a speculative fix to mitigate crashes while we
investigate further.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handlePutByVal):
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog (288234 => 288235)
--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog 2022-01-19 20:43:30 UTC (rev 288234)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog 2022-01-19 21:17:54 UTC (rev 288235)
@@ -1,3 +1,19 @@
+2021-10-06 Mark Lam <[email protected]>
+
+ Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
+ https://bugs.webkit.org/show_bug.cgi?id=231252
+ rdar://83310320
+
+ Reviewed by Yusuke Suzuki.
+
+ We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
+ Adding a null check here as a speculative fix to mitigate crashes while we
+ investigate further.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::handlePutByVal):
+
2021-10-20 Justin Michaud <[email protected]>
We should watch isHavingABadTime if we read from the structureCache
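Review bot: the new ChangeLog entry does not mention the ASSERT(impl) and the second tracking identifier (rdar://83902782) that the DFGByteCodeParser.cpp hunks introduce, so anyone reading the ChangeLog alone cannot tell that debug builds still assert on a null impl and that the root cause is tracked separately from rdar://83310320. Suggest adding a sentence such as "Also add an ASSERT so debug builds still catch the null impl; root cause tracked in rdar://83902782" under the function list.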
Modified: releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (288234 => 288235)
--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2022-01-19 20:43:30 UTC (rev 288234)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2022-01-19 21:17:54 UTC (rev 288235)
@@ -6482,7 +6482,9 @@
FrozenValue* frozen = m_graph.freezeStrong(symbol);
addToGraph(CheckIsConstant, OpInfo(frozen), property);
} else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
- if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+ auto* impl = string->tryGetValueImpl();
+ ASSERT(impl); // FIXME: rdar://83902782
+ if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
uid = bitwise_cast<UniquedStringImpl*>(impl);
propertyCell = string;
m_graph.freezeStrong(string);
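Review bot: the ASSERT(impl) placed before `if (impl && impl->isAtom() && ...)` means debug builds still crash at exactly the site this change is meant to keep alive; only release builds benefit from the null guard. If the intent is to keep collecting crash reports in debug while not crashing release, that is fine but worth a one-line comment, and the FIXME should say why `tryGetValueImpl()` can return null here rather than only citing rdar://83902782. When impl is null the code now silently falls through to the generic non-constant property path, which is the safe choice, but a comment stating that this is the intended fallback would make the speculative nature of the fix clear to the next reader.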
@@ -8864,7 +8866,9 @@
FrozenValue* frozen = m_graph.freezeStrong(symbol);
addToGraph(CheckIsConstant, OpInfo(frozen), property);
} else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
- if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+ auto* impl = string->tryGetValueImpl();
+ ASSERT(impl); // FIXME: rdar://83902782
+ if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
uid = bitwise_cast<UniquedStringImpl*>(impl);
propertyCell = string;
m_graph.freezeStrong(string);
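Review bot: this hunk in handlePutByVal is byte-for-byte identical to the earlier one in parseBlock (the `symbol` / `string` constant-property branch, the ASSERT, the same FIXME), which is how the original deref-before-check bug ended up duplicated in the first place. Consider lifting the block into a small helper (for example, something that takes `property` and returns the `uid` / `propertyCell` pair, or nullptr when the string impl is missing or not a non-index atom) so the null check cannot drift out of sync between the two call sites. Also, the ChangeLog lists only the two functions; it would help to note that the same null impl has been observed, or is at least possible, in both.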
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes