[patch]
proposed patch.
bug-179185.patch (text/plain), 4.74 KB, created by
Mark Lam
on 2017-11-02 20:20:08 PDT
Description:
proposed patch.
Filename:
MIME Type:
Creator:
Mark Lam
Created:
2017-11-02 20:20:08 PDT
Size:
4.74 KB
patch
obsolete
>Index: JSTests/ChangeLog
>===================================================================
>--- JSTests/ChangeLog (revision 224373)
>+++ JSTests/ChangeLog (working copy)
>@@ -1,3 +1,12 @@
>+2017-11-02 Mark Lam <mark.lam@apple.com>
>+
>+ CachedCall (and its clients) needs overflow checks.
>+ https://bugs.webkit.org/show_bug.cgi?id=179185
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * stress/regress-179185.js: Added.
>+
> 2017-11-02 Michael Saboff <msaboff@apple.com>
>
> DFG needs to handle code motion of code in for..in loop bodies
>Index: JSTests/stress/regress-179185.js
>===================================================================
>--- JSTests/stress/regress-179185.js (nonexistent)
>+++ JSTests/stress/regress-179185.js (working copy)
>@@ -0,0 +1,3 @@
>+// This test passes if it does not fail assertions on a debug build.
>+str = "Hello There Quick Brown Fox";
>+str.replace(/(((el)|(ui))|((Br)|(Fo)))/g, () => { });
>Index: Source/JavaScriptCore/ChangeLog
>===================================================================
>--- Source/JavaScriptCore/ChangeLog (revision 224347)
>+++ Source/JavaScriptCore/ChangeLog (working copy)
>@@ -1,3 +1,18 @@
>+2017-11-02 Mark Lam <mark.lam@apple.com>
>+
>+ Need a short description (OOPS!).
>+ Need the bug URL (OOPS!).
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * interpreter/CachedCall.h:
>+ (JSC::CachedCall::CachedCall):
>+ (JSC::CachedCall::hasOverflowedArguments):
>+ * runtime/ArgList.h:
>+ (JSC::MarkedArgumentBuffer::clear):
>+ * runtime/StringPrototype.cpp:
>+ (JSC::replaceUsingRegExpSearch):
>+
> 2017-11-02 Yusuke Suzuki <utatane.tea@gmail.com>
>
> Unreviewed, release throw scope
>Index: Source/JavaScriptCore/interpreter/CachedCall.h
>===================================================================
>--- Source/JavaScriptCore/interpreter/CachedCall.h (revision 224347)
>+++ Source/JavaScriptCore/interpreter/CachedCall.h (working copy)
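Review bot: The comment on the new test says only that it must not fail assertions, not what about this particular regex provokes the assertion, so a future reader cannot tell why eight capture groups, the global flag and a callback replacer were chosen together. Since the ArgList.h change in this same patch adds the assertion to `MarkedArgumentBuffer::clear()`, the trigger is presumably that the replacer's argument list (the match, eight groups, the offset and the input string) grows the argument buffer past its inline storage and exercises the overflow-check bookkeeping; I would state that in the comment, e.g. `// The replacer gets match + 8 groups + offset + string; that many arguments presumably overflows MarkedArgumentBuffer's inline capacity, so CachedCall must consult hasOverflowed() before the buffer is cleared (asserted on debug builds).` Note that this only covers the assertion path; the new throwOutOfMemoryError branches are not exercised, which is understandable since a real allocation failure is hard to provoke from script.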
>@@ -51,7 +51,10 @@ namespace JSC {
> ASSERT(!function->isHostFunctionNonInline());
> if (UNLIKELY(vm.isSafeToRecurseSoft())) {
> m_arguments.ensureCapacity(argumentCount);
>- m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
>+ if (LIKELY(!m_arguments.hasOverflowed()))
>+ m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
>+ else
>+ throwOutOfMemoryError(callFrame, scope);
> } else
> throwStackOverflowError(callFrame, scope);
> m_valid = !scope.exception();
>@@ -67,6 +70,7 @@ namespace JSC {
>
> void clearArguments() { m_arguments.clear(); }
> void appendArgument(JSValue v) { m_arguments.append(v); }
>+ bool hasOverflowedArguments() { return m_arguments.hasOverflowed(); }
>
> private:
> bool m_valid;
>Index: Source/JavaScriptCore/runtime/ArgList.h
>===================================================================
>--- Source/JavaScriptCore/runtime/ArgList.h (revision 224347)
>+++ Source/JavaScriptCore/runtime/ArgList.h (working copy)
>@@ -73,6 +73,8 @@ public:
>
> void clear()
> {
>+ ASSERT(!m_needsOverflowCheck);
>+ clearOverflow();
> m_size = 0;
> }
>
>Index: Source/JavaScriptCore/runtime/StringPrototype.cpp
>===================================================================
>--- Source/JavaScriptCore/runtime/StringPrototype.cpp (revision 224347)
>+++ Source/JavaScriptCore/runtime/StringPrototype.cpp (working copy)
>@@ -598,6 +598,11 @@ static ALWAYS_INLINE EncodedJSValue repl
> cachedCall.appendArgument(groups);
>
> cachedCall.setThis(jsUndefined());
>+ if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
>+ throwOutOfMemoryError(exec, scope);
>+ return encodedJSValue();
>+ }
>+
> JSValue jsResult = cachedCall.call();
> RETURN_IF_EXCEPTION(scope, encodedJSValue());
> replacements.append(jsResult.toWTFString(exec));
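Review bot: `hasOverflowedArguments()` is declared with no comment saying when it must be called, yet the ArgList.h hunk in this same patch makes `MarkedArgumentBuffer::clear()` assert that the overflow check was consulted, so every client of `appendArgument()` now carries an unwritten obligation to call this accessor before `call()` or `clearArguments()`. I would put that on the declaration: `// Must be consulted after the last appendArgument() and before call() or clearArguments(): clear() asserts (debug builds) that an overflow check happened, and an overflowed buffer must never reach the callee.` Whether `hasOverflowed()` itself resets the needs-check flag is not visible here; if it does, the comment should say so, because the check then has to be repeated on every iteration path rather than once per CachedCall.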
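Review bot: The new `ASSERT(!m_needsOverflowCheck)` in `clear()` only fires on debug builds, while `clearOverflow()` on the following line unconditionally discards the overflow state, so on a release build a caller that forgot to consult `hasOverflowed()` before reusing the buffer loses the overflow signal silently and proceeds with whatever was stored. The surrounding class starts outside the hunk, so I cannot see whether `clearOverflow()` also resets the needs-check flag or only `m_overflow`. A comment would make the contract explicit for callers who only read the header: `// The caller must have consulted hasOverflowed() before reusing the buffer; the overflow state is discarded here and the ASSERT is the only enforcement.`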
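Review bot: The new guard sits after `cachedCall.setThis(jsUndefined())` rather than directly after the last `cachedCall.appendArgument(groups)`, which is the call that can actually overflow the buffer; keeping the check adjacent to the appends makes the dependency obvious and avoids a later edit slipping another append between them. I would reorder to `cachedCall.appendArgument(groups);` followed immediately by `if (UNLIKELY(cachedCall.hasOverflowedArguments())) { throwOutOfMemoryError(exec, scope); return encodedJSValue(); }` and then `cachedCall.setThis(jsUndefined());`. The enclosing `replaceUsingRegExpSearch` starts and ends outside the hunk, so whether earlier `appendArgument` calls in the same loop body precede this one is not visible here.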
>@@ -659,6 +664,11 @@ static ALWAYS_INLINE EncodedJSValue repl
> cachedCall.appendArgument(groups);
>
> cachedCall.setThis(jsUndefined());
>+ if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
>+ throwOutOfMemoryError(exec, scope);
>+ return encodedJSValue();
>+ }
>+
> JSValue jsResult = cachedCall.call();
> RETURN_IF_EXCEPTION(scope, encodedJSValue());
> replacements.append(jsResult.toWTFString(exec));
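Review bot: This five-line overflow guard is a verbatim copy of the one added at line 598 of the same file, and nothing ties the two together, so a future change to one (say, a different error type or an extra cleanup step) will not be mirrored in the other. If `CachedCall` has access to the VM and a throw scope — not visible in this hunk — folding the check into `call()` itself would remove the duplication and the chance of a third client forgetting it; otherwise a small file-local helper such as `static bool throwIfArgumentsOverflowed(ExecState*, ThrowScope&, CachedCall&)` used at both sites keeps them in sync. The enclosing `replaceUsingRegExpSearch` starts and ends outside the hunk.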