| Summary: | Undefined behavior in FunctionExecutable::lastLine() | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
UnlinkedFunctionExecutable::m_lineCount is declared like so:
```
unsigned m_lineCount : 31;
```
It gets initialized like so:
```
, m_lineCount(node->lastLine() - node->firstLine())
```
Node::firstLine() is declared like so:
```
int firstLine() const { return m_position.line; }
```
JSTextPosition()'s default constructor initializes its default data members to -1:
```
// FIXME: these should be unsigned.
int line { -1 };
int offset { -1 };
int lineStartOffset { -1 };
```
|
Undefined behavior in FunctionExecutable::lastLine() when running media/modern-media-controls/pip-support/pip-support-click.html with UBSan: ``` SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Volumes/Work/WebKit/OpenSource/WebKitBuild/Release/DerivedSources/JavaScriptCore/BytecodeStructs.h:16853:71 in runtime/FunctionExecutable.h:208:28: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' ``` Code looks like: ``` int lastLine() const { return firstLine() + lineCount(); } ``` Looks to me that lineCount() returns either an uninitialized value or -1 that was casted to an unsigned type.