WebKit Bugzilla
Attachment 343524 Details for Bug 187010: constructArray() should set m_numValuesInVector to the specified length.
[patch] proposed patch.
bug-187010.patch (text/plain), 3.12 KB, created by Mark Lam on 2018-06-25 12:20:15 PDT
Flags: patch, obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 233161) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-06-25 Mark Lam <mark.lam@apple.com> >+ >+ constructArray() should set m_numValuesInVector to the specified length. >+ https://bugs.webkit.org/show_bug.cgi?id=187010 >+ <rdar://problem/41392167> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-187010.js: Added. >+ > 2018-06-25 Mark Lam <mark.lam@apple.com> > > Add missing exception check in RegExpObjectInlines.h's collectMatches. >Index: JSTests/stress/regress-187010.js >=================================================================== >--- JSTests/stress/regress-187010.js (nonexistent) >+++ JSTests/stress/regress-187010.js (working copy) >@@ -0,0 +1,7 @@ >+// This test should not crash. >+var proto = Array.prototype; >+class Test extends Array {} >+new Test( 8, 9); >+ >+Object.defineProperty(proto, 324800, { }); >+new Test( 8, 9); >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 233161) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,18 @@ >+2018-06-25 Mark Lam <mark.lam@apple.com> >+ >+ constructArray() should set m_numValuesInVector to the specified length. >+ https://bugs.webkit.org/show_bug.cgi?id=187010 >+ <rdar://problem/41392167> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Its client will fill in the storage vector with some values using initializeIndex() >+ and expects m_numValuesInVector to be set to the length i.e. the number of values >+ to be initialized. >+ >+ * runtime/JSArray.cpp: >+ (JSC::constructArray): >+ > 2018-06-25 Mark Lam <mark.lam@apple.com> > > Add missing exception check in RegExpObjectInlines.h's collectMatches. >Index: Source/JavaScriptCore/runtime/JSArray.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/JSArray.cpp (revision 233161) >+++ Source/JavaScriptCore/runtime/JSArray.cpp (working copy) >@@ -1346,9 +1346,17 @@ inline JSArray* constructArray(ObjectIni > JSArray* array; > if (arrayStructure->globalObject()->isOriginalArrayStructure(arrayStructure)) > array = JSArray::tryCreateUninitializedRestricted(scope, arrayStructure, length); >- else >+ else { > array = JSArray::create(scope.vm(), arrayStructure, length); > >+ // Our client will initialize the storage using initializeIndex() up to >+ // length values, and expects that we've already set m_numValuesInVector >+ // to length. This matches the behavior of tryCreateUninitializedRestricted(). >+ IndexingType indexingType = arrayStructure->indexingType(); >+ if (UNLIKELY(hasAnyArrayStorage(indexingType))) >+ array->butterfly()->arrayStorage()->m_numValuesInVector = length; >+ } >+ > // FIXME: we should probably throw an out of memory error here, but > // when making this change we should check that all clients of this > // function will correctly handle an exception being thrown from here.
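Review bot: In stress/regress-187010.js, the "This test should not crash" comment means the regression is only caught when a stale m_numValuesInVector trips a crash, which a release build may not do; it would be more robust to also check the observable result of the second `new Test( 8, 9);` after `Object.defineProperty(proto, 324800, { });`, e.g. that its length is 2 and that index 0 and 1 hold 8 and 9, so the test fails on wrong data rather than relying on a crash.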
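Review bot: In the JSArray.cpp hunk, the new comment says the client will initialize the storage "up to length values", but the code unconditionally sets `m_numValuesInVector = length`; if a caller ever initialized fewer than `length` entries the count would overstate the number of non-hole values, so the comment should state that callers must initialize exactly `length` values (which is what the ChangeLog text "the number of values to be initialized" implies), or the invariant should be asserted at the call site. It is also worth confirming that `JSArray::create` cannot return null here, since the new `array->butterfly()->arrayStorage()` dereference now sits inside the else branch ahead of the out-of-memory handling the FIXME below refers to.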