Title: [283639] branches/safari-612.2.9.1-branch/Source/_javascript_Core
Revision
283639
Author
[email protected]
Date
2021-10-06 11:28:32 -0700 (Wed, 06 Oct 2021)

Log Message

Cherry-pick r283632. rdar://problem/83943156

    Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
    https://bugs.webkit.org/show_bug.cgi?id=231252
    rdar://83310320

    Reviewed by Yusuke Suzuki.

    We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
    Adding a null check here as a speculative fix to mitigate crashes while we
    investigate further.

    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    (JSC::DFG::ByteCodeParser::handlePutByVal):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283632 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-612.2.9.1-branch/Source/_javascript_Core/ChangeLog (283638 => 283639)


--- branches/safari-612.2.9.1-branch/Source/_javascript_Core/ChangeLog	2021-10-06 18:17:38 UTC (rev 283638)
+++ branches/safari-612.2.9.1-branch/Source/_javascript_Core/ChangeLog	2021-10-06 18:28:32 UTC (rev 283639)
@@ -1,3 +1,40 @@
+2021-10-06  Russell Epstein  <[email protected]>
+
+        Cherry-pick r283632. rdar://problem/83943156
+
+    Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
+    https://bugs.webkit.org/show_bug.cgi?id=231252
+    rdar://83310320
+    
+    Reviewed by Yusuke Suzuki.
+    
+    We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
+    Adding a null check here as a speculative fix to mitigate crashes while we
+    investigate further.
+    
+    * dfg/DFGByteCodeParser.cpp:
+    (JSC::DFG::ByteCodeParser::parseBlock):
+    (JSC::DFG::ByteCodeParser::handlePutByVal):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283632 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-10-06  Mark Lam  <[email protected]>
+
+            Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal.
+            https://bugs.webkit.org/show_bug.cgi?id=231252
+            rdar://83310320
+
+            Reviewed by Yusuke Suzuki.
+
+            We're seeing a null pointer dereference in ByteCodeParser::handlePutByVal().
+            Adding a null check here as a speculative fix to mitigate crashes while we
+            investigate further.
+
+            * dfg/DFGByteCodeParser.cpp:
+            (JSC::DFG::ByteCodeParser::parseBlock):
+            (JSC::DFG::ByteCodeParser::handlePutByVal):
+
 2021-10-05  Russell Epstein  <[email protected]>
 
         Cherry-pick r283556. rdar://problem/83900153

Modified: branches/safari-612.2.9.1-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (283638 => 283639)


--- branches/safari-612.2.9.1-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2021-10-06 18:17:38 UTC (rev 283638)
+++ branches/safari-612.2.9.1-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2021-10-06 18:28:32 UTC (rev 283639)
@@ -6482,7 +6482,9 @@
                         FrozenValue* frozen = m_graph.freezeStrong(symbol);
                         addToGraph(CheckIsConstant, OpInfo(frozen), property);
                     } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
-                        if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+                        auto* impl = string->tryGetValueImpl();
+                        ASSERT(impl); // FIXME: rdar://83902782
+                        if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
                             uid = bitwise_cast<UniquedStringImpl*>(impl);
                             propertyCell = string;
                             m_graph.freezeStrong(string);
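Review bot: `ASSERT(impl)` on the new line and the `impl &&` guard on the line after it disagree about whether a null `impl` is a bug or an expected state, so assert-enabled builds will still crash on exactly the condition the release guard is meant to survive and the mitigation can never be exercised there. The `// FIXME: rdar://83902782` comment also gives no hypothesis for why `tryGetValueImpl()` yields null, so I would extend it, e.g. `// FIXME: rdar://83902782 -- tryGetValueImpl() presumably returns null for a constant JSString that is still a rope; guard until the root cause is understood.` (hedged; confirm against JSString.h). When `impl` is null, control falls through to whatever follows this `if`, which is outside the hunk, so please confirm that path (with `uid` and `propertyCell` left unset) takes the generic non-constant-property route rather than dereferencing later. The identical guard appears in the second hunk (`@@ -8876`, handlePutByVal); both enclosing functions, parseBlock and handlePutByVal, start and end outside the hunks.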
@@ -8876,7 +8878,9 @@
                 FrozenValue* frozen = m_graph.freezeStrong(symbol);
                 addToGraph(CheckIsConstant, OpInfo(frozen), property);
             } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
-                if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+                auto* impl = string->tryGetValueImpl();
+                ASSERT(impl); // FIXME: rdar://83902782
+                if (impl && impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
                     uid = bitwise_cast<UniquedStringImpl*>(impl);
                     propertyCell = string;
                     m_graph.freezeStrong(string);