Title: [224916] trunk/Source/JavaScriptCore
Revision: 224916
Author: [email protected]
Date: 2017-11-16 07:08:10 -0800 (Thu, 16 Nov 2017)

Log Message

Fix null pointer dereference in bytecodeDumper
https://bugs.webkit.org/show_bug.cgi?id=179764

Reviewed by Mark Lam.

The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().

* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printCallOp):

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (224915 => 224916)


--- trunk/Source/_javascript_Core/ChangeLog	2017-11-16 15:04:37 UTC (rev 224915)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-11-16 15:08:10 UTC (rev 224916)
@@ -1,5 +1,17 @@
 2017-11-16  Robin Morisset  <[email protected]>
 
+        Fix null pointer dereference in bytecodeDumper
+        https://bugs.webkit.org/show_bug.cgi?id=179764
+
+        Reviewed by Mark Lam.
+
+        The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
+
+        * bytecode/BytecodeDumper.cpp:
+        (JSC::BytecodeDumper<Block>::printCallOp):
+
+2017-11-16  Robin Morisset  <[email protected]>
+
         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
         https://bugs.webkit.org/show_bug.cgi?id=179763
         <rdar://problem/35550513>
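Review bot: the entry says lastSeenCallee() was unguarded but not when the guard fails, and it lists no test; one sentence stating that a CallLinkInfo that has not yet seen any callee (a call site dumped before it is ever linked) has no lastSeenCallee() to return, plus a note on how the crash was reproduced, would make this entry much easier to match against a future regression.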

Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp (224915 => 224916)


--- trunk/Source/_javascript_Core/bytecode/BytecodeDumper.cpp	2017-11-16 15:04:37 UTC (rev 224915)
+++ trunk/Source/_javascript_Core/bytecode/BytecodeDumper.cpp	2017-11-16 15:08:10 UTC (rev 224916)
@@ -586,11 +586,13 @@
         }
 #if ENABLE(JIT)
         if (CallLinkInfo* info = map.get(CodeOrigin(location))) {
-            JSObject* object = info->lastSeenCallee();
-            if (auto* function = jsDynamicCast<JSFunction*>(*vm(), object))
-                out.printf(" jit(%p, exec %p)", function, function->executable());
-            else
-                out.printf(" jit(%p)", object);
+            if (info->haveLastSeenCallee()) {
+                JSObject* object = info->lastSeenCallee();
+                if (auto* function = jsDynamicCast<JSFunction*>(*vm(), object))
+                    out.printf(" jit(%p, exec %p)", function, function->executable());
+                else
+                    out.printf(" jit(%p)", object);
+            }
         }
 
         dumpCallLinkStatus(out, location, map);
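Review bot: with the new `if (info->haveLastSeenCallee())` guard, a CallLinkInfo that has no last-seen callee now prints nothing in the jit(...) slot, so the dump no longer distinguishes a call site whose CallLinkInfo exists but has never been linked from one with no CallLinkInfo in the map at all; consider an else branch that prints a marker such as ` jit(none)` so readers of the dump can tell the two apart. The guard itself is the right place for the fix: the old code passed the unguarded result of lastSeenCallee() straight into jsDynamicCast<JSFunction*>(*vm(), object), which is the first use of a possibly null callee.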
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
