Title: [200387] trunk/Source/_javascript_Core
- Revision
- 200387
- Author
- [email protected]
- Date
- 2016-05-03 14:42:44 -0700 (Tue, 03 May 2016)
Log Message
Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
https://bugs.webkit.org/show_bug.cgi?id=157322
Reviewed by Filip Pizlo.
Check to see if the source array has changed length before calling fastSlice().
If it has, take the slow path.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
* tests/stress/regress-157322.js: New test.
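--- a/trunk/Source/_javascript_Core/ChangeLog
+++ b/trunk/Source/_javascript_Core/ChangeLog
@@ -1,3 +1,18 @@
+2016-05-03 Michael Saboff <[email protected]>
+
+ Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
+ https://bugs.webkit.org/show_bug.cgi?id=157322
+
+ Reviewed by Filip Pizlo.
+
+ Check to see if the source array has changed length before calling fastSlice().
+ If it has, take the slow path.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ * tests/stress/regress-157322.js: New test.
+
 2016-05-03 Joseph Pecoraro <[email protected]>
 Eliminate PassRefPtr conversion from ConsoleObject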
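--- a/trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp
@@ -863,7 +863,7 @@
 if (UNLIKELY(speciesResult.first == SpeciesConstructResult::Exception))
 return JSValue::encode(jsUndefined());
- if (LIKELY(speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj))) {
+ if (LIKELY(speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj) && length == getLength(exec, thisObj))) {
 if (JSArray* result = asArray(thisObj)->fastSlice(*exec, begin, end - begin))
 return JSValue::encode(result);
 }
@@ -932,7 +932,7 @@
 return JSValue::encode(jsUndefined());
 JSObject* result = nullptr;
- if (speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj))
+ if (speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj) && length == getLength(exec, thisObj))
 result = asArray(thisObj)->fastSlice(*exec, begin, deleteCount);
 if (!result) {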
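Review bot: The `length == getLength(exec, thisObj)` clause added at L49, and identically at L57 in the splice hunk, reads as a tautology to anyone who does not know the bug, because `length` was read from the same receiver earlier in the function; both sites need a comment recording why the re-read is load-bearing. Suggested: `// Converting the arguments to integers can run user code that shrinks the array after length was read; fastSlice does not re-validate the range, so re-check before taking the fast path.` The clause is also only safe because `isJSArray(thisObj)` is evaluated first and short-circuits for non-arrays; if `getLength` can raise an exception even for an array receiver, this fast-path condition would additionally need an exception check, which I cannot confirm from the hunk. Both arrayProtoFuncSlice and arrayProtoFuncSplice begin outside the hunk, so the earlier capture of `length` and the `begin`/`end`/`deleteCount` conversions are not visible here.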
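--- a/trunk/Source/_javascript_Core/tests/stress/regress-157322.js
+++ b/trunk/Source/_javascript_Core/tests/stress/regress-157322.js
@@ -0,0 +1,43 @@
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=157322. This test should not crash.
+
+let fromArray = [];
+let toArray = [];
+let dummyArray = [];
+let endObj1 = {
+ valueOf: function() {
+ let originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ return originalLength;
+ }
+};
+
+let endObj2 = {
+ valueOf: function() {
+ let originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ fromArray = [];
+ fromArray.length = originalLength;
+
+ return originalLength;
+ }
+};
+
+let initialArray = [];
+for (let i = 0; i < 8000; i++)
+ initialArray.push(i + 0.1);
+
+for (let loop = 0; loop < 1000; loop++) {
+ fromArray = initialArray.slice(0);
+
+ let endObj = (loop % 2 == 1) ? endObj1 : endObj2;
+
+ // These calls shouldn't crash
+ toArray = fromArray.slice(0, endObj);
+ toArray = fromArray.splice(0, endObj);
+}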
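Review bot: The `endObj2` variant at L80-L92 appears to exercise the same condition as `endObj1`: `fromArray = []` rebinds the variable, but the receiver of the `slice`/`splice` call at L104-L105 is still the original array whose length was set to 1, so as far as the test shows both variants take the changed-length slow path. The case the fix deliberately leaves to the array's own invariants, same public length but a backing store that was shrunk and regrown, is the one worth a variant of its own; keeping `fromArray.length = originalLength;` but dropping the `fromArray = [];` line at L87 would give a receiver whose length again matches the captured value. The comment at L103 could then say what each variant is meant to check rather than only that the calls shouldn't crash.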