Title: [118262] trunk/Source/_javascript_Core
- Revision
- 118262
- Author
- [email protected]
- Date
- 2012-05-23 16:12:59 -0700 (Wed, 23 May 2012)
Log Message
Use after free in JSC::DFG::ByteCodeParser::processPhiStack
https://bugs.webkit.org/show_bug.cgi?id=87312
<rdar://problem/11518848>
Reviewed by Oliver Hunt.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::processPhiStack):
(JSC::DFG::ByteCodeParser::parse):
Modified: trunk/Source/_javascript_Core/ChangeLog (118261 => 118262)
--- trunk/Source/_javascript_Core/ChangeLog 2012-05-23 23:06:30 UTC (rev 118261)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-05-23 23:12:59 UTC (rev 118262)
@@ -1,5 +1,17 @@
2012-05-23 Filip Pizlo <[email protected]>
+ Use after free in JSC::DFG::ByteCodeParser::processPhiStack
+ https://bugs.webkit.org/show_bug.cgi?id=87312
+ <rdar://problem/11518848>
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::processPhiStack):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2012-05-23 Filip Pizlo <[email protected]>
+
It should be possible to make C function calls from DFG code on ARM in debug mode
https://bugs.webkit.org/show_bug.cgi?id=87313
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (118261 => 118262)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2012-05-23 23:06:30 UTC (rev 118261)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2012-05-23 23:12:59 UTC (rev 118262)
@@ -2493,11 +2493,14 @@
void ByteCodeParser::processPhiStack()
{
Vector<PhiStackEntry, 16>& phiStack = (stackType == ArgumentPhiStack) ? m_argumentPhiStack : m_localPhiStack;
-
+
while (!phiStack.isEmpty()) {
PhiStackEntry entry = phiStack.last();
phiStack.removeLast();
+ if (!entry.m_block->isReachable)
+ continue;
+
PredecessorList& predecessors = entry.m_block->m_predecessors;
unsigned varNo = entry.m_varNo;
VariableAccessData* dataForPhi = m_graph[entry.m_phi].variableAccessData();
@@ -2505,7 +2508,7 @@
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
dataLog(" Handling phi entry for var %u, phi @%u.\n", entry.m_varNo, entry.m_phi);
#endif
-
+
for (size_t i = 0; i < predecessors.size(); ++i) {
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
dataLog(" Dealing with predecessor block %u.\n", predecessors[i]);
@@ -2930,12 +2933,6 @@
linkBlocks(inlineStackEntry.m_unlinkedBlocks, inlineStackEntry.m_blockLinkingTargets);
m_graph.determineReachability();
- for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
- BasicBlock* block = m_graph.m_blocks[blockIndex].get();
- ASSERT(block);
- if (!block->isReachable)
- m_graph.m_blocks[blockIndex].clear();
- }
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
dataLog("Processing local variable phis.\n");
#endif
@@ -2948,6 +2945,13 @@
#endif
processPhiStack<ArgumentPhiStack>();
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ ASSERT(block);
+ if (!block->isReachable)
+ m_graph.m_blocks[blockIndex].clear();
+ }
+
fixVariableAccessPredictions();
m_graph.m_preservedVars = m_preservedVars;
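Review bot: The new `if (!entry.m_block->isReachable) continue;` in processPhiStack (first hunk of this file) is only safe because parse() has already called `m_graph.determineReachability()` and, after this change, defers clearing unreachable blocks until both phi stacks are drained; neither ordering dependency is stated in the code, and a later reorder in parse() would reintroduce the use-after-free this commit fixes. Suggest a comment above the check, `// Phi entries may point at blocks determineReachability() marked unreachable; skip them here rather than walk their predecessors. parse() frees those blocks only after both phi stacks are drained.`, and one above the moved loop in the last hunk, `// Must stay after both processPhiStack() calls: the phi stacks hold BasicBlock pointers into these entries.`. The skipped entry leaves its phi node inside the unreachable block, which appears harmless only because that block is cleared shortly afterwards; worth confirming nothing reads those blocks' nodes in between. parse() continues past the end of the last hunk.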