WebKit Bugzilla
Bug 215897: [JSC] setLength in Array#push could get very large length
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=215897
Reported by Yusuke Suzuki, 2020-08-27 12:25:04 PDT
Attachments
Patch (4.12 KB, patch), 2020-08-27 12:29 PDT, Yusuke Suzuki; keith_miller: review+
Yusuke Suzuki, Comment 1, 2020-08-27 12:29:07 PDT
Created attachment 407422 [details]: Patch
Yusuke Suzuki, Comment 2, 2020-08-27 12:29:09 PDT
<rdar://problem/67859149>
Keith Miller, Comment 3, 2020-08-27 12:34:48 PDT
Comment on attachment 407422 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review
r=me with nits.
> Source/JavaScriptCore/ChangeLog:10
> + Before r266215, it was using putLength which throws an error. But it is replaced with setLength,
Nit: But it *was* replaced.
> Source/JavaScriptCore/ChangeLog:11
> + and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it
Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.
Yusuke Suzuki, Comment 4, 2020-08-27 12:35:41 PDT
Comment on attachment 407422 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review
Thanks!
>> Source/JavaScriptCore/ChangeLog:10
>> + Before r266215, it was using putLength which throws an error. But it is replaced with setLength,
>
> Nit: But it *was* replaced.
Fixed.
>> Source/JavaScriptCore/ChangeLog:11
>> + and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it
>
> Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.
Fixed.
Yusuke Suzuki, Comment 5, 2020-08-27 14:33:03 PDT
Committed r266257: <https://trac.webkit.org/changeset/266257>
Darin Adler, Comment 6, 2020-08-27 16:02:02 PDT
Comment on attachment 407422 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
> + if (UNLIKELY(value > UINT32_MAX)) {
Could this be a maxArrayLength constant instead of UINT32_MAX?
Darin Adler, Comment 7, 2020-08-27 17:51:59 PDT
Comment on attachment 407422 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review
>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
>> + if (UNLIKELY(value > UINT32_MAX)) {
>
> Could this be a maxArrayLength constant instead of UINT32_MAX?
Like maybe: constexpr uint32_t maxArrayLength = MAX_ARRAY_INDEX + 1;
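As an added example (not code from the WebKit patch or from attachment 407422), the following JavaScript exercises the length rules that Array.prototype.push has to enforce, which is the behaviour the setLength check discussed above restores: a true Array cannot grow past 2^32-1 and push must throw a RangeError at that point rather than hand an oversized length to the engine's internal setter, while a plain array-like object may grow to 2^53-1 and gets a TypeError beyond that. The tryPush helper and the three case functions are my own names, not part of JSC.

```javascript
// Added example, not part of the WebKit patch: probes the ECMAScript length
// limits that Array.prototype.push enforces before touching "length".

const MAX_ARRAY_LENGTH = 2 ** 32 - 1;  // largest length a true Array may have
const MAX_SAFE_LENGTH = 2 ** 53 - 1;   // largest length of any array-like per spec

// Push one value onto target and report the outcome instead of throwing.
function tryPush(target, value) {
  try {
    return { ok: true, length: Array.prototype.push.call(target, value) };
  } catch (e) {
    return { ok: false, error: e.constructor.name, length: target.length };
  }
}

// Case 1: a real Array already at the maximum length. The spec's ArraySetLength
// rejects 2^32 with a RangeError; the bug on this page was JSC reaching an
// assertion in setLength on this path instead of raising that error.
function pushOntoFullArray() {
  const a = [];
  a.length = MAX_ARRAY_LENGTH;  // constructed input: sparse array, nothing stored
  return tryPush(a, 1);
}

// Case 2: a plain array-like is not bound by the 2^32-1 Array limit, so the
// same call succeeds and returns the new length 2^32.
function pushOntoArrayLike() {
  const o = { length: MAX_ARRAY_LENGTH };  // constructed input
  return tryPush(o, 1);
}

// Case 3: array-likes are capped at 2^53-1; pushing past it is a TypeError.
function pushOntoHugeArrayLike() {
  const o = { length: MAX_SAFE_LENGTH };  // constructed input
  return tryPush(o, 1);
}

console.log(pushOntoFullArray());      // { ok: false, error: 'RangeError', length: 4294967295 }
console.log(pushOntoArrayLike());      // { ok: true, length: 4294967296 }
console.log(pushOntoHugeArrayLike());  // { ok: false, error: 'TypeError', ... }
```

Running this in any spec-conforming engine makes a usable regression check for the fix on this page: case 1 must come back as a caught RangeError with the array's length unchanged, never as a crash.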