Title: [200783] branches/safari-601.1.46-branch/Source/_javascript_Core
- Revision
- 200783
- Author
- [email protected]
- Date
- 2016-05-12 11:57:00 -0700 (Thu, 12 May 2016)
Log Message
Merge patch for r200387. rdar://problem/26131112
Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog (200782 => 200783)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog 2016-05-12 18:53:41 UTC (rev 200782)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog 2016-05-12 18:57:00 UTC (rev 200783)
@@ -1,3 +1,22 @@
+2016-05-12 Babak Shafiei <[email protected]>
+
+ Merge patch for r200387.
+
+ 2016-05-03 Michael Saboff <[email protected]>
+
+ Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
+ https://bugs.webkit.org/show_bug.cgi?id=157322
+
+ Reviewed by Filip Pizlo.
+
+ Check to see if the source array has changed length before calling fastSlice().
+ If it has, take the slow path.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ * tests/stress/regress-157322.js: New test.
+
2016-05-12 Matthew Hanson <[email protected]>
Merge r199277. rdar://problem/26228815
Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (200782 => 200783)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-05-12 18:53:41 UTC (rev 200782)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-05-12 18:57:00 UTC (rev 200783)
@@ -729,7 +729,7 @@
unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);
- if (isJSArray(thisObj)) {
+ if (isJSArray(thisObj) && length == getLength(exec, thisObj)) {
if (JSArray* result = asArray(thisObj)->fastSlice(*exec, begin, end - begin))
return JSValue::encode(result);
}
@@ -777,7 +777,7 @@
JSArray* result = nullptr;
- if (isJSArray(thisObj))
+ if (isJSArray(thisObj) && length == getLength(exec, thisObj))
result = asArray(thisObj)->fastSlice(*exec, begin, deleteCount);
if (!result) {
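Review bot: The new `length == getLength(exec, thisObj)` guard carries no comment saying why `length` is re-read, so a later reader will see it as redundant with the `unsigned length` computed earlier in the function (outside this hunk) and may be tempted to fold it away; the same applies to the splice hunk at `@@ -777`. I would put `// Converting the arguments above can run user code (valueOf/toString) that shrinks the array; fastSlice() must not operate on a stale length, so take the generic path if it changed.` on the line before each condition. Since the identical predicate now appears in both arrayProtoFuncSlice and arrayProtoFuncSplice, a small static helper shared by both call sites would keep the two checks from drifting apart. The guard only detects a length change; whether a side effect that keeps the length but alters the backing storage is rejected depends on fastSlice's own checks, which are not visible in this diff and are worth confirming. Both enclosing functions start and end outside the hunk.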
Copied: branches/safari-601.1.46-branch/Source/_javascript_Core/tests/stress/regress-157322.js (from rev 200782, branches/safari-601-branch/Source/_javascript_Core/tests/stress/regress-157322.js) (0 => 200783)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/tests/stress/regress-157322.js (rev 0)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/tests/stress/regress-157322.js 2016-05-12 18:57:00 UTC (rev 200783)
@@ -0,0 +1,43 @@
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=157322. This test should not crash.
+
+var fromArray = [];
+var toArray = [];
+var dummyArray = [];
+var endObj1 = {
+ valueOf: function() {
+ var originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ return originalLength;
+ }
+};
+
+var endObj2 = {
+ valueOf: function() {
+ var originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ fromArray = [];
+ fromArray.length = originalLength;
+
+ return originalLength;
+ }
+};
+
+var initialArray = [];
+for (var i = 0; i < 8000; i++)
+ initialArray.push(i + 0.1);
+
+for (var loop = 0; loop < 1000; loop++) {
+ fromArray = initialArray.slice(0);
+
+ var endObj = (loop % 2 == 1) ? endObj1 : endObj2;
+
+ // These calls shouldn't crash
+ toArray = fromArray.slice(0, endObj);
+ toArray = fromArray.splice(0, endObj);
+}
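Review bot: The two `valueOf` helpers are undocumented: nothing states what `dummyArray = new Float64Array(1000)` is for (`dummyArray` is never read) or how `endObj2` differs from `endObj1` (it additionally replaces `fromArray` with a fresh array of the original length after truncating it), so the scenario each loop iteration exercises has to be reverse-engineered from the bug number. A one-line comment above each object, e.g. `// Truncate the array being sliced while its end argument is converted.`, plus a note on the allocation line, e.g. `// presumably so the storage released by the truncation is reused — confirm`, would make the regression readable without the bug tracker. The trailing `return originalLength` also deserves `// keep the requested end beyond the new length` so it is clear the mismatch is intentional.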