Undefined behavior in FunctionExecutable::lastLine() when running media/modern-media-controls/pip-support/pip-support-click.html with UBSan: ``` SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Volumes/Work/WebKit/OpenSource/WebKitBuild/Release/DerivedSources/JavaScriptCore/BytecodeStructs.h:16853:71 in runtime/FunctionExecutable.h:208:28: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' ``` Code looks like: ``` int lastLine() const { return firstLine() + lineCount(); } ``` Looks to me that lineCount() returns either an uninitialized value or -1 that was casted to an unsigned type.
UnlinkedFunctionExecutable::m_lineCount is declared like so: ``` unsigned m_lineCount : 31; ``` It gets initialized like so: ``` , m_lineCount(node->lastLine() - node->firstLine()) ``` Node::firstLine() is declared like so: ``` int firstLine() const { return m_position.line; } ``` JSTextPosition()'s default constructor initializes its default data members to -1: ``` // FIXME: these should be unsigned. int line { -1 }; int offset { -1 }; int lineStartOffset { -1 }; ```
<rdar://problem/111933032>