authorAllan Sandfeld Jensen <allan.jensen@digia.com>2014-10-07 11:13:25 +0200
committerAllan Sandfeld Jensen <allan.jensen@digia.com>2014-10-10 15:38:36 +0200
commit5b1c84b22b82d166b8c76f33a5e5141aca207381 (patch)
treed6e51a2bc85ee9c9d8e933b807e1946c82e53f2e /Source/JavaScriptCore/parser
parenta5d708a1a723fd5efdf078dd0d2733511d1f72bb (diff)
downloadqtwebkit-5b1c84b22b82d166b8c76f33a5e5141aca207381.tar.gz
Fix uninitialized access
When an identifier is made from an empty string, the constructor still reads the first character (`characters[0]`) to populate the single-character cache. With a zero-length input that read touches data outside the string, and the value it yields is stored as a wrong entry in the cache. This causes no incorrect behaviour, though, apart from useless data in the cache. Change-Id: Ice9f10b08306799b160f8b95b76bd056f29d228d Reviewed-by: Michael Bruning <michael.bruning@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/parser')
-rw-r--r--Source/JavaScriptCore/parser/ParserArena.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/parser/ParserArena.h b/Source/JavaScriptCore/parser/ParserArena.h
index 45d4b158e..8d790c44c 100644
--- a/Source/JavaScriptCore/parser/ParserArena.h
+++ b/Source/JavaScriptCore/parser/ParserArena.h
@@ -71,6 +71,10 @@ namespace JSC {
template <typename T>
ALWAYS_INLINE const Identifier& IdentifierArena::makeIdentifier(VM* vm, const T* characters, size_t length)
{
+ if (length == 0) {
+ m_identifiers.append(Identifier(Identifier::EmptyIdentifier));
+ return m_identifiers.last();
+ }
if (characters[0] >= MaximumCachableCharacter) {
m_identifiers.append(Identifier(vm, characters, length));
return m_identifiers.last();
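Review bot: The new `length == 0` guard at the top of makeIdentifier carries no comment saying why it must precede the `characters[0] >= MaximumCachableCharacter` test, so a later cleanup could fold the two conditions together and reintroduce the read of `characters[0]` before `length` is known to be non-zero. Suggest adding above the `if`: `// length == 0: characters[0] is not a valid element, so skip the single-character cache and use the shared empty identifier.` The body of makeIdentifier continues past the end of the hunk, so the cache-population path the guard protects is not visible here. The same four lines are duplicated verbatim in makeIdentifierLCharFromUChar; a small private helper for the empty case would keep the two in step if the empty-identifier handling ever changes.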
@@ -92,6 +96,10 @@ namespace JSC {
ALWAYS_INLINE const Identifier& IdentifierArena::makeIdentifierLCharFromUChar(VM* vm, const UChar* characters, size_t length)
{
+ if (length == 0) {
+ m_identifiers.append(Identifier(Identifier::EmptyIdentifier));
+ return m_identifiers.last();
+ }
if (characters[0] >= MaximumCachableCharacter) {
m_identifiers.append(Identifier::createLCharFromUChar(vm, characters, length));
return m_identifiers.last();