Title: [114412] trunk/Source/JavaScriptCore
Revision
114412
Author
fpi...@apple.com
Date
2012-04-17 12:22:29 -0700 (Tue, 17 Apr 2012)

Log Message

use after free in JSC::DFG::Node::op / JSC::DFG::ByteCodeParser::flushArgument
https://bugs.webkit.org/show_bug.cgi?id=83942
<rdar://problem/11247370>

Reviewed by Gavin Barraclough.
        
Don't use references to the graph after resizing the graph.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushArgument):
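The bug class behind this fix, as an added illustration that is not JSC code: a reference into a vector-backed node list dangles once the list reallocates, so anything still needed from the node has to be read out before the call that grows the graph. `Graph`, `Node`, `VariableAccessData` and `flushArgumentSafe` below are constructed stand-ins that mirror the patched shape, not the real DFG types.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-ins for the DFG graph; these are NOT JSC's real types.
struct VariableAccessData { int operand; };

struct Node {
    int op;                                 // opcode
    VariableAccessData* variableAccessData;
};

enum { GetLocal = 1, Flush = 2 };
struct Graph {
    std::vector<Node> nodes;
    // Like JSC's addToGraph, appending may reallocate `nodes`, which
    // invalidates every Node& and Node* previously taken from it.
    std::size_t addToGraph(int op, VariableAccessData* vad) {
        nodes.push_back(Node{op, vad});
        return nodes.size() - 1;
    }
};

struct FlushResult {
    VariableAccessData* vad;  // what flushArgument hands back to its caller
    bool bufferMoved;         // did addToGraph relocate the node storage?
};

// The patched shape: everything still needed from `node` is read out
// BEFORE the graph grows, so `node` is never touched once it may dangle.
// (The pre-fix code called node.variableAccessData() after addToGraph.)
FlushResult flushArgumentSafe(Graph& g, std::size_t nodeIndex) {
    const Node* before = g.nodes.data();
    Node& node = g.nodes[nodeIndex];
    VariableAccessData* variableAccessData = node.variableAccessData;  // copy first
    g.addToGraph(Flush, variableAccessData);       // `node` may be dangling from here on
    return {variableAccessData, g.nodes.data() != before};
}

// Fills the vector until size == capacity, so the Flush appended by
// flushArgumentSafe is guaranteed to reallocate, reproducing the condition
// under which the original code dereferenced a stale reference.
FlushResult runScenario() {
    static VariableAccessData vad{7};
    Graph g;
    do {
        g.nodes.push_back(Node{GetLocal, &vad});
    } while (g.nodes.size() != g.nodes.capacity());
    return flushArgumentSafe(g, 0);
}
```

`bufferMoved` coming back true is the proof that the old `node` reference would have pointed into freed storage had it been read after `addToGraph`.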

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (114411 => 114412)


--- trunk/Source/_javascript_Core/ChangeLog	2012-04-17 19:19:13 UTC (rev 114411)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-04-17 19:22:29 UTC (rev 114412)
@@ -1,3 +1,16 @@
+2012-04-17  Filip Pizlo  <fpi...@apple.com>
+
+        use after free in JSC::DFG::Node::op / JSC::DFG::ByteCodeParser::flushArgument
+        https://bugs.webkit.org/show_bug.cgi?id=83942
+        <rdar://problem/11247370>
+
+        Reviewed by Gavin Barraclough.
+        
+        Don't use references to the graph after resizing the graph.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::flushArgument):
+
 2012-04-16  Gavin Barraclough  <barraclo...@apple.com>
 
         Array.prototype.toString should be generic

Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (114411 => 114412)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2012-04-17 19:19:13 UTC (rev 114411)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2012-04-17 19:22:29 UTC (rev 114412)
@@ -371,8 +371,9 @@
             // Emit a Flush regardless of whether we already flushed it.
             // This gives us guidance to see that the variable also needs to be flushed
             // for arguments, even if it already had to be flushed for other reasons.
-            addToGraph(Flush, OpInfo(node.variableAccessData()), nodeIndex);
-            return node.variableAccessData();
+            VariableAccessData* variableAccessData = node.variableAccessData();
+            addToGraph(Flush, OpInfo(variableAccessData), nodeIndex);
+            return variableAccessData;
         }
         
         VariableAccessData* variableAccessData = newVariableAccessData(operand);
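Review bot: the fix is right, but nothing in the hunk records why the local copy is needed, so a later edit could move the `node.variableAccessData()` read back below `addToGraph(...)` without noticing; add a one-line comment at `VariableAccessData* variableAccessData = node.variableAccessData();` saying that `addToGraph` can reallocate the node storage and invalidate `node`, and confirm that no other path in `flushArgument` reads through `node` after an `addToGraph` call.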
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes