WebKit Bugzilla
Attachment 347089 Details for Bug 188560: [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
Patch: bug-188560-20180815023705.patch (text/plain), 1.66 KB, created by Yusuke Suzuki on 2018-08-14 10:37:07 PDT
patch
obsolete
>Subversion Revision: 234853 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 044d26401f2cd7d8fa5a4a3756cab993ae85cdff..27fca47c0f9dcf51863853363d7b78d32d4a4e6f 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,17 @@ >+2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org> >+ >+ [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion >+ https://bugs.webkit.org/show_bug.cgi?id=188560 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT, >+ it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the >+ uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer >+ `m_wasSeenInJIT { false }`. >+ >+ * bytecode/GetByIdStatus.h: >+ > 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org> > > [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants >diff --git a/Source/JavaScriptCore/bytecode/GetByIdStatus.h b/Source/JavaScriptCore/bytecode/GetByIdStatus.h >index e057fb34caa16e0ef663cd3c096a11cb07fde0f9..56ff40e5c82fe989abbbf6972f4db5a153d4f0f0 100644 >--- a/Source/JavaScriptCore/bytecode/GetByIdStatus.h >+++ b/Source/JavaScriptCore/bytecode/GetByIdStatus.h >@@ -158,7 +158,7 @@ class GetByIdStatus { > > State m_state; > Vector<GetByIdVariant, 1> m_variants; >- bool m_wasSeenInJIT; >+ bool m_wasSeenInJIT { false }; > JSModuleNamespaceObject* m_moduleNamespaceObject { nullptr }; > JSModuleEnvironment* m_moduleEnvironment { nullptr }; > ScopeOffset m_scopeOffset { };
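Review bot: the ChangeLog entry states that the constructors do not set m_wasSeenInJIT but does not say why a single default member initializer is enough; it would help a later reader to note that `bool m_wasSeenInJIT { false };` applies to every constructor whose mem-initializer list omits the member, so both GetByIdStatus() and GetByIdStatus(status) get a defined value without any change to their bodies. The "Reviewed by NOBODY (OOPS!)" line is the usual placeholder; the review+ flag from keith_miller on this attachment indicates it is expected to be filled in when the patch lands.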
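Review bot: the one-line change in GetByIdStatus.h is consistent with the neighbouring members in the same block (`m_moduleNamespaceObject { nullptr }`, `m_moduleEnvironment { nullptr }`, `m_scopeOffset { }`), so a default member initializer rather than per-constructor assignments is the idiomatic fix here and removes the uninitialized read that UBSan reported. One point worth confirming in review is that `false` is the value slowVersion() should see for a status that was never observed in the JIT; the read is now defined, but the chosen default still has to match what the callers of m_wasSeenInJIT expect.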
Flags: keith_miller: review+
Attachments on bug 188560: 347089