Title: [200782] branches/safari-601-branch/Source/_javascript_Core
- Revision
- 200782
- Author
- [email protected]
- Date
- 2016-05-12 11:53:41 -0700 (Thu, 12 May 2016)
Log Message
Merge patch for r200387. rdar://problem/26131068
Modified: branches/safari-601-branch/Source/_javascript_Core/ChangeLog (200781 => 200782)
--- branches/safari-601-branch/Source/_javascript_Core/ChangeLog 2016-05-12 18:44:24 UTC (rev 200781)
+++ branches/safari-601-branch/Source/_javascript_Core/ChangeLog 2016-05-12 18:53:41 UTC (rev 200782)
@@ -1,3 +1,22 @@
+2016-05-12 Babak Shafiei <[email protected]>
+
+ Merge patch for r200387.
+
+ 2016-05-03 Michael Saboff <[email protected]>
+
+ Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
+ https://bugs.webkit.org/show_bug.cgi?id=157322
+
+ Reviewed by Filip Pizlo.
+
+ Check to see if the source array has changed length before calling fastSlice().
+ If it has, take the slow path.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ * tests/stress/regress-157322.js: New test.
+
2016-05-11 Matthew Hanson <[email protected]>
Merge r199277. rdar://problem/26228546
Modified: branches/safari-601-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (200781 => 200782)
--- branches/safari-601-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-05-12 18:44:24 UTC (rev 200781)
+++ branches/safari-601-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-05-12 18:53:41 UTC (rev 200782)
@@ -729,7 +729,7 @@
unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);
- if (isJSArray(thisObj)) {
+ if (isJSArray(thisObj) && length == getLength(exec, thisObj)) {
if (JSArray* result = asArray(thisObj)->fastSlice(*exec, begin, end - begin))
return JSValue::encode(result);
}
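Review bot: The guard `length == getLength(exec, thisObj)` carries no explanation at either call site, so a later cleanup could read it as a redundant lookup and drop it, reintroducing the stale-length read inside fastSlice(). Add a comment above the condition, e.g. `// argumentClampedIndexFromStartOrEnd() can run user code (valueOf/toString) that shrinks thisObj; fastSlice() trusts the clamped indices against the backing storage, so only take it when the length is unchanged.`; the splice hunk below needs the same comment. The comparison only detects a length change, so it leans on fastSlice() to bail out on any indexing-type or storage change that leaves the length intact — that code is outside this diff and worth confirming. It also presumes getLength() does not itself re-enter user code for a genuine JSArray; if it could, the re-check would be exposed to the same problem it guards against. arrayProtoFuncSlice begins and ends outside the hunk.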
@@ -777,7 +777,7 @@
JSArray* result = nullptr;
- if (isJSArray(thisObj))
+ if (isJSArray(thisObj) && length == getLength(exec, thisObj))
result = asArray(thisObj)->fastSlice(*exec, begin, deleteCount);
if (!result) {
Added: branches/safari-601-branch/Source/_javascript_Core/tests/stress/regress-157322.js (0 => 200782)
--- branches/safari-601-branch/Source/_javascript_Core/tests/stress/regress-157322.js (rev 0)
+++ branches/safari-601-branch/Source/_javascript_Core/tests/stress/regress-157322.js 2016-05-12 18:53:41 UTC (rev 200782)
@@ -0,0 +1,43 @@
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=157322. This test should not crash.
+
+var fromArray = [];
+var toArray = [];
+var dummyArray = [];
+var endObj1 = {
+ valueOf: function() {
+ var originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ return originalLength;
+ }
+};
+
+var endObj2 = {
+ valueOf: function() {
+ var originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ fromArray = [];
+ fromArray.length = originalLength;
+
+ return originalLength;
+ }
+};
+
+var initialArray = [];
+for (var i = 0; i < 8000; i++)
+ initialArray.push(i + 0.1);
+
+for (var loop = 0; loop < 1000; loop++) {
+ fromArray = initialArray.slice(0);
+
+ var endObj = (loop % 2 == 1) ? endObj1 : endObj2;
+
+ // These calls shouldn't crash
+ toArray = fromArray.slice(0, endObj);
+ toArray = fromArray.splice(0, endObj);
+}
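Review bot: The `dummyArray = new Float64Array(1000)` assignment inside both valueOf() callbacks is unexplained, so a reader cannot tell whether it is load-bearing or leftover. If it is there to perturb the heap right after the truncation so that a stale read of the old storage would be noticed (presumably — confirm with the author), say so: `// Allocate immediately after truncating so any stale read of the old storage is likely to hit reused memory`. The `i + 0.1` values and the loop-parity switch between endObj1 and endObj2 would likewise benefit from one-line comments stating which array shape and which truncate-versus-replace scenario each is meant to exercise.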