Title: [224399] trunk
Revision
224399
Author
mark....@apple.com
Date
2017-11-03 09:03:07 -0700 (Fri, 03 Nov 2017)

Log Message

CachedCall (and its clients) needs overflow checks.
https://bugs.webkit.org/show_bug.cgi?id=179185

Reviewed by JF Bastien.

JSTests:

* stress/regress-179185.js: Added.

Source/_javascript_Core:

* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
(JSC::CachedCall::hasOverflowedArguments):
* runtime/ArgList.h:
(JSC::MarkedArgumentBuffer::clear):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (224398 => 224399)


--- trunk/JSTests/ChangeLog	2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/JSTests/ChangeLog	2017-11-03 16:03:07 UTC (rev 224399)
@@ -1,3 +1,12 @@
+2017-11-03  Mark Lam  <mark....@apple.com>
+
+        CachedCall (and its clients) needs overflow checks.
+        https://bugs.webkit.org/show_bug.cgi?id=179185
+
+        Reviewed by JF Bastien.
+
+        * stress/regress-179185.js: Added.
+
 2017-11-02  Michael Saboff  <msab...@apple.com>
 
         DFG needs to handle code motion of code in for..in loop bodies

Added: trunk/JSTests/stress/regress-179185.js (0 => 224399)


--- trunk/JSTests/stress/regress-179185.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-179185.js	2017-11-03 16:03:07 UTC (rev 224399)
@@ -0,0 +1,3 @@
+// This test passes if it does not fail assertions on a debug build.
+str = "Hello There Quick Brown Fox";
+str.replace(/(((el)|(ui))|((Br)|(Fo)))/g, () => { });
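Review bot: The header comment on the first line says only that the test must not trip debug assertions; it does not say which code path the regexp is meant to exercise, so a future change that simplifies the pattern could silently stop covering the fix. Given the commit log (overflow checks in CachedCall, reached from replaceUsingRegExpSearch), the nested capture groups presumably exist to push many group arguments through appendArgument() per match. Suggest extending the comment: `// Regression test for the CachedCall argument-buffer overflow check: a replace() callback with many capture groups appends one argument per group per match.`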

Modified: trunk/Source/_javascript_Core/ChangeLog (224398 => 224399)


--- trunk/Source/_javascript_Core/ChangeLog	2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-11-03 16:03:07 UTC (rev 224399)
@@ -1,3 +1,18 @@
+2017-11-03  Mark Lam  <mark....@apple.com>
+
+        CachedCall (and its clients) needs overflow checks.
+        https://bugs.webkit.org/show_bug.cgi?id=179185
+
+        Reviewed by JF Bastien.
+
+        * interpreter/CachedCall.h:
+        (JSC::CachedCall::CachedCall):
+        (JSC::CachedCall::hasOverflowedArguments):
+        * runtime/ArgList.h:
+        (JSC::MarkedArgumentBuffer::clear):
+        * runtime/StringPrototype.cpp:
+        (JSC::replaceUsingRegExpSearch):
+
 2017-11-03  Devin Rousso  <web...@devinrousso.com>
 
         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log

Modified: trunk/Source/_javascript_Core/interpreter/CachedCall.h (224398 => 224399)


--- trunk/Source/_javascript_Core/interpreter/CachedCall.h	2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/interpreter/CachedCall.h	2017-11-03 16:03:07 UTC (rev 224399)
@@ -51,7 +51,10 @@
             ASSERT(!function->isHostFunctionNonInline());
             if (UNLIKELY(vm.isSafeToRecurseSoft())) {
                 m_arguments.ensureCapacity(argumentCount);
-                m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
+                if (LIKELY(!m_arguments.hasOverflowed()))
+                    m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
+                else
+                    throwOutOfMemoryError(callFrame, scope);
             } else
                 throwStackOverflowError(callFrame, scope);
             m_valid = !scope.exception();
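Review bot: On the new else-branch m_closure is never assigned, so the only thing that prevents a caller from using a half-constructed CachedCall is `m_valid = !scope.exception();` on the line after the branch; that coupling is not obvious from the branch itself. If m_closure is not initialized in the constructor's member-initializer list (the constructor begins and ends outside this hunk), it should be, and either way the intent deserves a comment on the else line such as `// m_closure is intentionally left unset; m_valid (set below) records the failure.` The `throwOutOfMemoryError` path also depends on `scope` being the ThrowScope declared above the hunk, which is consistent with the existing `throwStackOverflowError(callFrame, scope)` call.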
@@ -67,6 +70,7 @@
 
         void clearArguments() { m_arguments.clear(); }
         void appendArgument(JSValue v) { m_arguments.append(v); }
+        bool hasOverflowedArguments() { return m_arguments.hasOverflowed(); }
 
     private:
         bool m_valid;
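Review bot: `hasOverflowedArguments()` is added without documentation although it carries a non-obvious contract: ArgList.h in this same commit makes `MarkedArgumentBuffer::clear()` assert `!m_needsOverflowCheck`, which — assuming `hasOverflowed()` is what resets that flag — means every run of `appendArgument()` calls must be followed by `hasOverflowedArguments()` before `clearArguments()` or the next clear fails the debug assertion. Only the two sites in StringPrototype.cpp are updated here; if any other client of `appendArgument()`/`clearArguments()` exists outside this diff it would now need the same check. Suggest `// Must be called after each batch of appendArgument() and before clearArguments(); call() must not proceed if this returns true.` above the declaration, and the accessor cannot be `const` if `hasOverflowed()` mutates the buffer's check flag, which is worth stating too.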

Modified: trunk/Source/_javascript_Core/runtime/ArgList.h (224398 => 224399)


--- trunk/Source/_javascript_Core/runtime/ArgList.h	2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/runtime/ArgList.h	2017-11-03 16:03:07 UTC (rev 224399)
@@ -73,6 +73,8 @@
 
     void clear()
     {
+        ASSERT(!m_needsOverflowCheck);
+        clearOverflow();
         m_size = 0;
     }
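Review bot: The new `ASSERT(!m_needsOverflowCheck)` is a debug-only detector; in release builds `clear()` simply resets the overflow state via `clearOverflow()`, so a client that appended past capacity and never consulted `hasOverflowed()` would have already used the overflowed buffer before reaching this line, unnoticed. That is acceptable as a design, but the function should say so since the assertion's meaning is not derivable from the two added lines. Suggest a comment above the assert: `// Clients must check hasOverflowed() after appending and before clear(); the assert catches a missed check in debug builds only.` The claim that `hasOverflowed()` resets m_needsOverflowCheck is inferred from this commit's other hunks and should be confirmed against the rest of this header.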
 

Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (224398 => 224399)


--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp	2017-11-03 15:41:10 UTC (rev 224398)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp	2017-11-03 16:03:07 UTC (rev 224399)
@@ -598,6 +598,11 @@
                     cachedCall.appendArgument(groups);
 
                 cachedCall.setThis(jsUndefined());
+                if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
+                    throwOutOfMemoryError(exec, scope);
+                    return encodedJSValue();
+                }
+
                 JSValue jsResult = cachedCall.call();
                 RETURN_IF_EXCEPTION(scope, encodedJSValue());
                 replacements.append(jsResult.toWTFString(exec));
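Review bot: The same five-line overflow guard is inserted verbatim at both call sites in this file (here and in the hunk at `@@ -659`); with the check living in the caller, a future third caller of `cachedCall.call()` can forget it, so consider folding it into a single helper or having `CachedCall::call()` itself refuse to run on an overflowed buffer. The number of appended arguments here is driven by the pattern's capture groups (the indented `cachedCall.appendArgument(groups)` line suggests a conditional or loop whose head lies outside the hunk), i.e. script-controlled, which is the reason the check is needed and is worth recording: `// Argument count follows the regexp's capture groups (script-controlled); bail before call() if the buffer overflowed.` The enclosing function starts and ends outside this hunk.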
@@ -659,6 +664,11 @@
                     cachedCall.appendArgument(groups);
 
                 cachedCall.setThis(jsUndefined());
+                if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
+                    throwOutOfMemoryError(exec, scope);
+                    return encodedJSValue();
+                }
+
                 JSValue jsResult = cachedCall.call();
                 RETURN_IF_EXCEPTION(scope, encodedJSValue());
                 replacements.append(jsResult.toWTFString(exec));