Title: [235161] trunk/Source/JavaScriptCore
Revision: 235161
Author: [email protected]
Date: 2018-08-21 22:05:08 -0700 (Tue, 21 Aug 2018)

Log Message

[JSC] HeapUtil should care about pointer overflow
https://bugs.webkit.org/show_bug.cgi?id=188740

Reviewed by Saam Barati.

`pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.

* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
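
To make the before/after concrete, the following is an added example and not WebKit code: it stands in for MarkedBlock, IndexingHeader and WTF's bitwise_cast with assumed values (a 16 KiB power-of-two block size, an 8-byte indexing header, a masking blockFor) and shows why the `char*` subtraction is undefined for nullptr, how the `uintptr_t` detour turns it into defined unsigned wraparound, and why the wrapped value is harmless when it is only used as a key into the set of live blocks.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <unordered_set>

// Added example (not WebKit code). Stand-ins for the JSC pieces the patch touches:
// the MarkedBlock size and sizeof(IndexingHeader) are assumed values.
constexpr std::size_t kBlockSize = 16 * 1024;
constexpr std::size_t kIndexingHeaderSize = 8;

// Same contract as WTF's bitwise_cast: reinterpret the bits of a same-sized type.
template <typename To, typename From>
To bitwiseCast(From from) {
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast needs same-sized types");
    To to;
    std::memcpy(&to, &from, sizeof(To));
    return to;
}

// Stand-in for MarkedBlock::blockFor: mask the address down to its block base.
uintptr_t blockFor(uintptr_t address) {
    return address & ~static_cast<uintptr_t>(kBlockSize - 1);
}

// Pre-patch form. Stepping a char* before the object it points into is undefined
// behaviour; with pointer == nullptr, UBSan's pointer-overflow check reports it.
// Kept only to show what the patch replaced; do not call it with nullptr.
char* previousPointerUB(char* pointer) {
    return pointer - kIndexingHeaderSize - 1;
}

// Post-patch form. Unsigned integer subtraction wraps with defined semantics, so
// nullptr simply becomes an address near UINTPTR_MAX instead of undefined behaviour.
char* previousPointerSafe(char* pointer) {
    return bitwiseCast<char*>(bitwiseCast<uintptr_t>(pointer) - kIndexingHeaderSize - 1);
}

// Why the wrap is harmless: previousPointer is never dereferenced, only reduced to
// a block-base key and looked up in the set of blocks the heap actually owns.
bool previousBlockIsLive(char* pointer, const std::unordered_set<uintptr_t>& liveBlocks) {
    uintptr_t previousCandidate = blockFor(bitwiseCast<uintptr_t>(previousPointerSafe(pointer)));
    return liveBlocks.count(previousCandidate) != 0;
}

// Constructed data for the demonstration: two block bases that "exist".
std::unordered_set<uintptr_t> constructedLiveBlocks() {
    return {uintptr_t{0x10000}, uintptr_t{0x14000}};
}

// Build a pointer value from a raw address without ever dereferencing it.
char* addressAsPointer(uintptr_t address) {
    return bitwiseCast<char*>(address);
}

int main() {
    auto blocks = constructedLiveBlocks();

    // A pointer inside the first kIndexingHeaderSize bytes of block 0x14000: the
    // "previous pointer" lands in block 0x10000, which is live.
    std::cout << std::boolalpha
              << "0x14004 -> previous block live: "
              << previousBlockIsLive(addressAsPointer(0x14004), blocks) << '\n';

    // nullptr: the integer subtraction wraps to UINTPTR_MAX - 8, whose block base is
    // not in the set, so the candidate is rejected without any undefined behaviour.
    std::cout << "nullptr -> previous block live: "
              << previousBlockIsLive(nullptr, blocks) << '\n';
    std::cout << "nullptr -> wrapped address: 0x" << std::hex
              << bitwiseCast<uintptr_t>(previousPointerSafe(nullptr)) << '\n';
    return 0;
}
```

Build with `clang++ -std=c++17 -fsanitize=pointer-overflow` and add a call to `previousPointerUB(nullptr)` to `main` to see UBSan report the pre-patch form; `previousPointerSafe(nullptr)` under the same flags stays silent, which is the whole point of the patch.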

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/heap/HeapUtil.h
Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (235160 => 235161)


--- trunk/Source/JavaScriptCore/ChangeLog	2018-08-22 05:02:56 UTC (rev 235160)
+++ trunk/Source/JavaScriptCore/ChangeLog	2018-08-22 05:05:08 UTC (rev 235161)
@@ -1,3 +1,17 @@
+2018-08-20  Yusuke Suzuki  <[email protected]>
+
+        [JSC] HeapUtil should care about pointer overflow
+        https://bugs.webkit.org/show_bug.cgi?id=188740
+
+        Reviewed by Saam Barati.
+
+        `pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer overflows.
+        For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
+        with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan.
+
+        * heap/HeapUtil.h:
+        (JSC::HeapUtil::findGCObjectPointersForMarking):
+
 2018-08-19  Yusuke Suzuki  <[email protected]>
 
         [JSC] Should not rotate constant with 64
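
Review bot: The entry describes the defect as "pointer overflow", but forming a `char*` before the start of the object it points into (and from nullptr in particular) is undefined in C++ whether or not the address wraps; the entry would be clearer if it said that the `uintptr_t` detour makes the subtraction well-defined unsigned wraparound rather than only silencing the report, and named the UBSan check that flagged it (pointer-overflow) so the next reader can reproduce the finding.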

Modified: trunk/Source/JavaScriptCore/heap/HeapUtil.h (235160 => 235161)


--- trunk/Source/JavaScriptCore/heap/HeapUtil.h	2018-08-22 05:02:56 UTC (rev 235160)
+++ trunk/Source/JavaScriptCore/heap/HeapUtil.h	2018-08-22 05:05:08 UTC (rev 235161)
@@ -84,7 +84,7 @@
         // It's possible for a butterfly pointer to point past the end of a butterfly. Check this now.
         if (pointer <= bitwise_cast<char*>(candidate) + sizeof(IndexingHeader)) {
             // We may be interested in the last cell of the previous MarkedBlock.
-            char* previousPointer = pointer - sizeof(IndexingHeader) - 1;
+            char* previousPointer = bitwise_cast<char*>(bitwise_cast<uintptr_t>(pointer) - sizeof(IndexingHeader) - 1);
             MarkedBlock* previousCandidate = MarkedBlock::blockFor(previousPointer);
             if (!filter.ruleOut(bitwise_cast<Bits>(previousCandidate))
                 && set.contains(previousCandidate)
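
Review bot: Nothing in the hunk says why a wrapped result is acceptable; add a comment above `char* previousPointer = bitwise_cast<char*>(...)` stating that when `pointer` is smaller than `sizeof(IndexingHeader) + 1` (the nullptr case from the log) the value wraps to an address near the top of the address space, and that this is harmless only because `previousPointer` is never dereferenced and `MarkedBlock::blockFor(previousPointer)` is used purely as a key for `filter.ruleOut` and `set.contains`. The nested casts also rely on `uintptr_t` and `char*` having the same size, which is what `bitwise_cast` requires; if this pattern is needed elsewhere in HeapUtil, a small named helper would read better than the double cast. Finally, the comparison two lines up, `pointer <= bitwise_cast<char*>(candidate) + sizeof(IndexingHeader)`, still orders pointers that may belong to different allocations; that is unspecified rather than undefined so UBSan stays quiet, but doing it on `uintptr_t` as well would keep the intent consistent.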
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes