Modified: trunk/LayoutTests/ChangeLog (189045 => 189046)
--- trunk/LayoutTests/ChangeLog 2015-08-27 19:36:02 UTC (rev 189045)
+++ trunk/LayoutTests/ChangeLog 2015-08-27 19:40:09 UTC (rev 189046)
@@ -1,3 +1,15 @@
+2015-08-27 Basile Clement <[email protected]>
+
+ REGRESSION(r184779): Possible read-after-free in _javascript_Core/dfg/DFGClobberize.h
+ https://bugs.webkit.org/show_bug.cgi?id=148411
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ * js/regress-148411-expected.txt: Added.
+ * js/regress-148411.html: Added.
+ * js/script-tests/regress-148411.js: Added.
+ (foo):
+
2015-08-27 Nan Wang <[email protected]>
AX: Remove accessibility/mac/change-notification-on-scroll.html test
Added: trunk/LayoutTests/js/regress-148411-expected.txt (0 => 189046)
--- trunk/LayoutTests/js/regress-148411-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-148411-expected.txt 2015-08-27 19:40:09 UTC (rev 189046)
@@ -0,0 +1,9 @@
+Regression test for https://webkit.org/b/148411. This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-148411.html (0 => 189046)
--- trunk/LayoutTests/js/regress-148411.html (rev 0)
+++ trunk/LayoutTests/js/regress-148411.html 2015-08-27 19:40:09 UTC (rev 189046)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/regress-148411.js (0 => 189046)
--- trunk/LayoutTests/js/script-tests/regress-148411.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-148411.js 2015-08-27 19:40:09 UTC (rev 189046)
@@ -0,0 +1,12 @@
+description(
+"Regression test for https://webkit.org/b/148411. This test should not crash."
+);
+
+function foo()
+{
+ [5, 6, 7, 8];
+ [100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114];
+}
+
+for (var i = 0; i < 100000; ++i)
+ foo();
Modified: trunk/Source/_javascript_Core/ChangeLog (189045 => 189046)
--- trunk/Source/_javascript_Core/ChangeLog 2015-08-27 19:36:02 UTC (rev 189045)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-08-27 19:40:09 UTC (rev 189046)
@@ -1,3 +1,13 @@
+2015-08-27 Basile Clement <[email protected]>
+
+ REGRESSION(r184779): Possible read-after-free in _javascript_Core/dfg/DFGClobberize.h
+ https://bugs.webkit.org/show_bug.cgi?id=148411
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
2015-08-27 Brian Burg <[email protected]>
Web Inspector: FrontendChannel should know its own connection type
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (189045 => 189046)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2015-08-27 19:36:02 UTC (rev 189045)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2015-08-27 19:40:09 UTC (rev 189046)
@@ -905,6 +905,7 @@
if (operandIdx >= numElements)
continue;
Edge use = graph.m_varArgChildren[node->firstChild() + operandIdx];
+ // operandIdx comes from graph.m_uint32ValuesInUse and thus is guaranteed to be already frozen
def(HeapLocation(IndexedPropertyLoc, heap, node, LazyNode(graph.freeze(jsNumber(operandIdx)))),
LazyNode(use.node()));
}
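Review bot: The added comment justifies reading from the live `graph.m_uint32ValuesInUse` set only by an unchecked invariant — that `graph.freeze(jsNumber(operandIdx))` never inserts because `operandIdx` was taken from that same set. If any future change reaches this `def` with a value that is not already frozen, the iterator invalidation the second hunk fixes would presumably recur here, so consider either a debug assertion that the value is already present before `graph.freeze` is called, or iterating over a snapshot of the set as the second hunk now does. Moving the comment above the `if (operandIdx >= numElements)` guard would also keep it next to the loop it explains rather than wedged between two statements. The enclosing `clobberize` body and the loop header this comment refers to start outside the hunk.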
@@ -947,9 +948,13 @@
LazyNode(graph.freeze(data[index]), op));
}
} else {
+ Vector<uint32_t> possibleIndices;
for (uint32_t index : graph.m_uint32ValuesInUse) {
if (index >= numElements)
continue;
+ possibleIndices.append(index);
+ }
+ for (uint32_t index : possibleIndices) {
def(HeapLocation(IndexedPropertyLoc, heap, node, LazyNode(graph.freeze(jsNumber(index)))),
LazyNode(graph.freeze(data[index]), op));
}
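Review bot: The snapshot into `possibleIndices` is the actual fix for the read-after-free named in the commit title, but nothing in the code says why the copy exists, so a later cleanup could "simplify" it back into a single loop and reintroduce the bug. A comment above the `Vector<uint32_t> possibleIndices;` declaration such as `// Iterate over a copy: graph.freeze(data[index]) below may add to m_uint32ValuesInUse, which would invalidate an iterator over the live set.` would pin the reason (the exact mutating call is inferred from the change, so confirm before committing the wording). If `m_uint32ValuesInUse` exposes a size, `possibleIndices.reserveInitialCapacity(...)` would avoid repeated growth, though this is a compile-time clobber analysis and the cost is likely negligible. The enclosing `clobberize` body continues outside the hunk.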