Summary: | Throw the right exception upon memory exhaustion in Array::slice | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Robin Morisset <rmorisset> | ||||||||||
Component: | JavaScriptCore | Assignee: | Robin Morisset <rmorisset> | ||||||||||
Status: | RESOLVED FIXED | ||||||||||||
Severity: | Normal | CC: | commit-queue, eric.carlson, ews-watchlist, glenn, jer.noble, keith_miller, mark.lam, msaboff, philipj, saam, sergio, tzagallo, webkit-bug-importer, ysuzuki | ||||||||||
Priority: | P2 | Keywords: | InRadar | ||||||||||
Version: | WebKit Nightly Build | ||||||||||||
Hardware: | Unspecified | ||||||||||||
OS: | Unspecified | ||||||||||||
Attachments: |
|
Description
Robin Morisset
2019-10-07 13:22:50 PDT
Created attachment 380351 [details]
Patch
Created attachment 380387 [details]
Patch
Created attachment 380447 [details]
Patch
trivial rebase (exec -> callFrame)
Comment on attachment 380447 [details]
Patch
Lots of red
(In reply to Saam Barati from comment #4) > Comment on attachment 380447 [details] > Patch > > Lots of red Seems like I accidentally resubmitted the old patch instead of the rebased one. I'll fix it imminently. Created attachment 380462 [details]
Patch
Rebasing again, and attaching the right patch this time.
Comment on attachment 380462 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380462&action=review > Source/JavaScriptCore/runtime/ArrayBuffer.cpp:298 > +RefPtr<ArrayBuffer> ArrayBuffer::slice(double begin, double end) const Do callers of these various functions check for exceptions? (In reply to Saam Barati from comment #7) > Comment on attachment 380462 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=380462&action=review > > > Source/JavaScriptCore/runtime/ArrayBuffer.cpp:298 > > +RefPtr<ArrayBuffer> ArrayBuffer::slice(double begin, double end) const > > Do callers of these various functions check for exceptions? As far as I can tell, they are only called from arrayBufferProtoFuncSlice, which is installed as a normal JS function in JSArrayBufferPrototype.cpp at line 116: JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->slice, arrayBufferProtoFuncSlice, static_cast<unsigned>(PropertyAttribute::DontEnum), 2); So I believe it should be fine (and the fact that all bots are green is encouraging), but I may be wrong. Comment on attachment 380462 [details] Patch Clearing flags on attachment: 380462 Committed r251392: <https://trac.webkit.org/changeset/251392> All reviewed patches have been landed. Closing bug. Can you check WebCore side too? ArrayBuffer is also used in WebCore. For example, StructuredClone.cpp is using slice() call. And WebCore/fileapi/FileReaderLoader.cpp is also using it. And I prefer renaming it to `trySlice` if it can fail. (In reply to Yusuke Suzuki from comment #12) > Can you check WebCore side too? ArrayBuffer is also used in WebCore. > For example, StructuredClone.cpp is using slice() call. > And WebCore/fileapi/FileReaderLoader.cpp is also using it. > > And I prefer renaming it to `trySlice` if it can fail. I'll fix this issue. https://bugs.webkit.org/show_bug.cgi?id=209121 |