Modified: trunk/JSTests/ChangeLog (224398 => 224399)
--- trunk/JSTests/ChangeLog 2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/JSTests/ChangeLog 2017-11-03 16:03:07 UTC (rev 224399)
@@ -1,3 +1,12 @@
+2017-11-03 Mark Lam <mark....@apple.com>
+
+ CachedCall (and its clients) needs overflow checks.
+ https://bugs.webkit.org/show_bug.cgi?id=179185
+
+ Reviewed by JF Bastien.
+
+ * stress/regress-179185.js: Added.
+
2017-11-02 Michael Saboff <msab...@apple.com>
DFG needs to handle code motion of code in for..in loop bodies
Added: trunk/JSTests/stress/regress-179185.js (0 => 224399)
--- trunk/JSTests/stress/regress-179185.js (rev 0)
+++ trunk/JSTests/stress/regress-179185.js 2017-11-03 16:03:07 UTC (rev 224399)
@@ -0,0 +1,3 @@
+// This test passes if it does not fail assertions on a debug build.
+str = "Hello There Quick Brown Fox";
+str.replace(/(((el)|(ui))|((Br)|(Fo)))/g, () => { });
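Review bot: The test only detects the bug on a debug build, because its sole success criterion is the absence of the new `clear()` assertion; on a release build an unchecked overflow on this path would go unnoticed. Checking the replace result as well would make the test meaningful in both configurations, e.g. `let result = str.replace(/(((el)|(ui))|((Br)|(Fo)))/g, () => { });` followed by `if (result !== "Hundefinedlo There Qundefinedck undefinedown undefinedx") throw new Error("bad result: " + result);` (the callback returns undefined, which `toWTFString` turns into the text spliced in for each match). If the stress harness offers a `shouldBe`-style helper, that is the natural form for the check.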
Modified: trunk/Source/_javascript_Core/ChangeLog (224398 => 224399)
--- trunk/Source/_javascript_Core/ChangeLog 2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-11-03 16:03:07 UTC (rev 224399)
@@ -1,3 +1,18 @@
+2017-11-03 Mark Lam <mark....@apple.com>
+
+ CachedCall (and its clients) needs overflow checks.
+ https://bugs.webkit.org/show_bug.cgi?id=179185
+
+ Reviewed by JF Bastien.
+
+ * interpreter/CachedCall.h:
+ (JSC::CachedCall::CachedCall):
+ (JSC::CachedCall::hasOverflowedArguments):
+ * runtime/ArgList.h:
+ (JSC::MarkedArgumentBuffer::clear):
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingRegExpSearch):
+
2017-11-03 Devin Rousso <web...@devinrousso.com>
Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
Modified: trunk/Source/_javascript_Core/interpreter/CachedCall.h (224398 => 224399)
--- trunk/Source/_javascript_Core/interpreter/CachedCall.h 2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/interpreter/CachedCall.h 2017-11-03 16:03:07 UTC (rev 224399)
@@ -51,7 +51,10 @@
ASSERT(!function->isHostFunctionNonInline());
if (UNLIKELY(vm.isSafeToRecurseSoft())) {
m_arguments.ensureCapacity(argumentCount);
- m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
+ if (LIKELY(!m_arguments.hasOverflowed()))
+ m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
+ else
+ throwOutOfMemoryError(callFrame, scope);
} else
throwStackOverflowError(callFrame, scope);
m_valid = !scope.exception();
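Review bot: The new `else` branch leaves `m_closure` untouched and depends on `m_valid` being derived from `scope.exception()` on the last line to keep `call()` from ever running against an overflowed `m_arguments`; that holds as far as this hunk shows, but the coupling is easy to break and deserves a comment on the branch, e.g. `// No closure is prepared; m_valid (below) becomes false and callers must not call().` Separately, `argumentCount + 1` is handed to `prepareForRepeatCall` with no bound of its own, so if the parameter type is an unsigned that can reach its maximum the addition wraps before `ensureCapacity` could object — presumably unreachable for a regex capture count, but worth a `RELEASE_ASSERT` if it ever isn't. The `CachedCall` constructor begins before this hunk, so its parameter types are not visible here.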
@@ -67,6 +70,7 @@
void clearArguments() { m_arguments.clear(); }
void appendArgument(JSValue v) { m_arguments.append(v); }
+ bool hasOverflowedArguments() { return m_arguments.hasOverflowed(); }
private:
bool m_valid;
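Review bot: `hasOverflowedArguments()` reads as a pure query, but judging from the `ASSERT(!m_needsOverflowCheck)` this same commit adds to `MarkedArgumentBuffer::clear()`, calling it appears to be what satisfies that assertion, i.e. it carries a side effect clients must rely on, and the declaration says nothing about it. A comment at the declaration would make the contract explicit, e.g. `// Call after the last appendArgument() and before call(); this appears to consume the pending overflow check that clear() asserts on.` Without it a client that checks overflow some other way, or not at all, will learn about the requirement only from a debug-build assertion. The enclosing class continues outside the hunk.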
Modified: trunk/Source/_javascript_Core/runtime/ArgList.h (224398 => 224399)
--- trunk/Source/_javascript_Core/runtime/ArgList.h 2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/runtime/ArgList.h 2017-11-03 16:03:07 UTC (rev 224399)
@@ -73,6 +73,8 @@
void clear()
{
+ ASSERT(!m_needsOverflowCheck);
+ clearOverflow();
m_size = 0;
}
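Review bot: The new `ASSERT(!m_needsOverflowCheck)` exists only in debug builds, so in a release build a client that appended past capacity and never called `hasOverflowed()` reaches `clearOverflow()` here and the overflow is silently discarded — the same class of mistake this commit is fixing. Since this buffer is what `CachedCall` passes to `prepareForRepeatCall`, the invariant is arguably security-relevant, and `RELEASE_ASSERT(!m_needsOverflowCheck);` would make a missed check fail closed in shipping builds at little cost unless `clear()` is on a hot path; at minimum a comment such as `// Callers must check hasOverflowed() before clearing; clearing an unchecked overflow would hide a bug.` should state the contract. `clear()` is entirely inside the hunk, but the rest of `MarkedArgumentBuffer` (including `m_needsOverflowCheck` and `clearOverflow()`) is not.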
Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (224398 => 224399)
--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2017-11-03 16:03:07 UTC (rev 224399)
@@ -598,6 +598,11 @@
cachedCall.appendArgument(groups);
cachedCall.setThis(jsUndefined());
+ if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
+ throwOutOfMemoryError(exec, scope);
+ return encodedJSValue();
+ }
+
JSValue jsResult = cachedCall.call();
RETURN_IF_EXCEPTION(scope, encodedJSValue());
replacements.append(jsResult.toWTFString(exec));
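Review bot: The overflow check is positioned correctly after the last `appendArgument()`, but it is now a check every client of `CachedCall` has to remember, and the same five lines are repeated verbatim in the next hunk of this file. Moving the check into `CachedCall::call()` itself — throw out-of-memory and return an empty `JSValue` when `m_arguments.hasOverflowed()` — would make it impossible to forget and let both call sites keep `JSValue jsResult = cachedCall.call(); RETURN_IF_EXCEPTION(scope, encodedJSValue());` unchanged. `call()` is not in this diff, so whether it already has a scope to throw into is something to confirm. `replaceUsingRegExpSearch` begins and ends outside the hunk.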
@@ -659,6 +664,11 @@
cachedCall.appendArgument(groups);
cachedCall.setThis(jsUndefined());
+ if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
+ throwOutOfMemoryError(exec, scope);
+ return encodedJSValue();
+ }
+
JSValue jsResult = cachedCall.call();
RETURN_IF_EXCEPTION(scope, encodedJSValue());
replacements.append(jsResult.toWTFString(exec));
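Review bot: Nothing here records why the check has to sit at exactly this point in the loop body, and the position matters twice: it must follow the last `appendArgument()` so a later append cannot overflow unchecked, and — if `hasOverflowedArguments()` is what clears the `m_needsOverflowCheck` flag asserted by `MarkedArgumentBuffer::clear()` in this same commit — it must run before the next iteration clears the arguments. A one-line comment would protect against a future reorder: `// Must follow the last appendArgument(): validates the buffer and satisfies clear()'s overflow-check assertion.` `replaceUsingRegExpSearch` starts and ends outside the hunk, so the loop's `clearArguments()` call is inferred rather than seen.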