Bug 44830

Summary:

In Array's prototype functions we're incorrectly handing large index values

Product:

WebKit

Reporter:

Gavin Barraclough <barraclough>

Component:

JavaScriptCore

Assignee:

Gavin Barraclough <barraclough>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, darin

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

OS X 10.5

Attachments:

Description	Flags
The patch	oliver: review+

Gavin Barraclough

Reported 2010-08-28 14:23:43 PDT

We are in places casting doubles to unsigneds, and unsigneds to ints, without always check that the result is within bounds. This is problematic in the case of double-to-unsigned conversion because we should be saturating to array length. Also, the error return value from Array.splice should be [], not undefined. I don't see any security concerns here. These methods are spec'ed in such a way that they can be applied to non Array objects, so In all cases the (potentially bogus) indices are being passed to functions that will safely check accesses are within bounds.

Attachments
The patch (24.64 KB, patch) 2010-08-28 14:33 PDT, Gavin Barraclough	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Gavin Barraclough

Comment 1 2010-08-28 14:33:57 PDT

Created attachment 65840 [details] The patch

Gavin Barraclough

Comment 2 2010-08-28 14:36:59 PDT

*** Bug 38356 has been marked as a duplicate of this bug. ***

Oliver Hunt

Comment 3 2010-08-28 14:48:52 PDT

Comment on attachment 65840 [details] The patch r=me

Darin Adler

Comment 4 2010-08-28 15:22:27 PDT

What’s the performance impact of these changes?

Gavin Barraclough

Comment 5 2010-08-28 19:05:57 PDT

Fixed in r66318.

Gavin Barraclough

Comment 6 2010-08-28 19:13:55 PDT

(In reply to comment #4) > What’s the performance impact of these changes? Short answer, none. Most of the benchmarks we track don't call these methods anyway. For the most part the change is just to change a type (int vs unsigned), and should result in approx. the same code. The two functional changes are to make Array.splice properly saturate large values - which is one extra integer compare instruction in an expensive function (allocates a JSArray). Also changes return value if called with invalid parameters, which I would not expect to show up in any real code, and Michael has done work lately to reduce the cost of allocating unused Array objects which would also help mitigate this. No change on SunSpider.

Note You need to log in before you can comment on or make changes to this bug.