Title: [201470] trunk/Source/_javascript_Core
Revision: 201470
Author: [email protected]
Date: 2016-05-27 15:29:02 -0700 (Fri, 27 May 2016)
Log Message
DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
https://bugs.webkit.org/show_bug.cgi?id=158170
Reviewed by Michael Saboff.
The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
anywhere because of TDZ.
This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
and it has the affected code use one of those wrappers.
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::dynamicCast): Harden this.
(JSC::DFG::FrozenValue::cast):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
* tests/stress/strcat-emtpy.js: Added. This used to crash every time.
(foo):
(i.catch):
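The mechanism the commit message describes, as an added example that is not JSC's own code: a simplified model of a 64-bit NaN-boxed JSValue (the tag constants, the `JSCell`/`JSString` stand-ins and the `wouldDereferenceNull`, `uncheckedDynamicCastToString`, `hardenedDynamicCastToString` and `tryGetStringImpl` helpers are assumptions made for this illustration). The empty value is the all-zero word, so it has none of the tag bits set, passes a tag-bit-only `isCell()` test, and `asCell()` yields a null pointer; a cast that trusts `isCell()` then dereferences null, while a wrapper that tests for empty first returns nullptr, which is the shape of the `FrozenValue::dynamicCast` change.

```cpp
#include <cassert>
#include <cstdint>
#include <string>
#include <utility>

// Assumed, simplified cell hierarchy standing in for JSC's JSCell/JSString.
struct JSCell {
    virtual ~JSCell() = default;
    virtual bool isString() const { return false; }
};

struct JSString : JSCell {
    std::string impl;
    explicit JSString(std::string s) : impl(std::move(s)) {}
    bool isString() const override { return true; }
};

// Assumed model of a 64-bit boxed value: numbers live above TagTypeNumber,
// immediates (undefined/null/booleans) set TagBitTypeOther, and a cell
// pointer has none of those bits set. The empty value is encoded as 0,
// which also has none of those bits set.
class JSValue {
    int64_t m_bits;
    static constexpr int64_t TagTypeNumber = static_cast<int64_t>(0xffff000000000000ULL);
    static constexpr int64_t TagBitTypeOther = 0x2;
    static constexpr int64_t TagMask = TagTypeNumber | TagBitTypeOther;
    static constexpr int64_t ValueEmpty = 0x0;
    static constexpr int64_t ValueUndefined = TagBitTypeOther | 0x8;
public:
    JSValue() : m_bits(ValueEmpty) {}  // the TDZ "empty" value
    explicit JSValue(JSCell* cell)
        : m_bits(static_cast<int64_t>(reinterpret_cast<uintptr_t>(cell))) {}
    static JSValue undefined() { JSValue v; v.m_bits = ValueUndefined; return v; }
    static JSValue int32(int32_t i) {
        JSValue v;
        v.m_bits = TagTypeNumber | static_cast<int64_t>(static_cast<uint32_t>(i));
        return v;
    }

    bool isEmpty() const { return m_bits == ValueEmpty; }
    // "if (!theValue)" in the patch is this test: empty, not JS falsiness.
    explicit operator bool() const { return !isEmpty(); }
    // Only tag bits are inspected, so the empty value passes as a "cell".
    bool isCell() const { return !(m_bits & TagMask); }
    JSCell* asCell() const { return reinterpret_cast<JSCell*>(m_bits); }
};

// True exactly when a cast that trusts isCell() would dereference null.
bool wouldDereferenceNull(JSValue v) {
    return v.isCell() && v.asCell() == nullptr;
}

// Mirrors the unchecked cast: fine for real cells and immediates, a null
// dereference for the empty value. Never call it with an empty value.
JSString* uncheckedDynamicCastToString(JSValue v) {
    if (!v.isCell())
        return nullptr;
    JSCell* cell = v.asCell();
    return cell->isString() ? static_cast<JSString*>(cell) : nullptr;
}

// The hardened wrapper: reject empty before delegating to the unchecked cast.
JSString* hardenedDynamicCastToString(JSValue v) {
    if (!v)
        return nullptr;
    return uncheckedDynamicCastToString(v);
}

// Stand-in for the KnownValue branch of LazyJSValue::tryGetStringImpl():
// returns the backing string for a JSString, nullptr for anything else,
// including an empty value that DFG IR may carry because of TDZ.
const std::string* tryGetStringImpl(JSValue v) {
    if (JSString* s = hardenedDynamicCastToString(v))
        return &s->impl;
    return nullptr;
}

int main() {
    JSString hello("hello");
    assert(tryGetStringImpl(JSValue(&hello)) != nullptr);
    assert(tryGetStringImpl(JSValue()) == nullptr);  // would have crashed unhardened
    assert(wouldDereferenceNull(JSValue()));
    return 0;
}
```

The model is deliberately minimal; the point it makes is that "is this a cell?" and "is this a non-empty value?" are different questions in a tagged encoding, and a cast helper that only asks the first one must never receive a value from a context where empty is legal.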
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (201469 => 201470)
--- trunk/Source/_javascript_Core/ChangeLog 2016-05-27 21:42:42 UTC (rev 201469)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-05-27 22:29:02 UTC (rev 201470)
@@ -1,5 +1,28 @@
2016-05-27 Filip Pizlo <[email protected]>
+ DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
+ https://bugs.webkit.org/show_bug.cgi?id=158170
+
+ Reviewed by Michael Saboff.
+
+ The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
+ value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
+ anywhere because of TDZ.
+
+ This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
+ and it has the affected code use one of those wrappers.
+
+ * dfg/DFGFrozenValue.h:
+ (JSC::DFG::FrozenValue::dynamicCast): Harden this.
+ (JSC::DFG::FrozenValue::cast):
+ * dfg/DFGLazyJSValue.cpp:
+ (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
+ * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
+ (foo):
+ (i.catch):
+
+2016-05-27 Filip Pizlo <[email protected]>
+
regExpProtoFuncSplitFast should OOM before it swaps
https://bugs.webkit.org/show_bug.cgi?id=158157
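Review bot: the new test is recorded here as `strcat-emtpy.js`, and the same transposition of `empty` appears in the added file's path below; rename it to `strcat-empty.js` before landing, or the typo becomes permanent in the tree and in every future ChangeLog that touches it. Otherwise the entry matches the hunks: only `FrozenValue::dynamicCast` gains code, and `FrozenValue::cast` is listed without a description because it shows up only as unchanged context in that hunk.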
Modified: trunk/Source/_javascript_Core/dfg/DFGFrozenValue.h (201469 => 201470)
--- trunk/Source/_javascript_Core/dfg/DFGFrozenValue.h 2016-05-27 21:42:42 UTC (rev 201469)
+++ trunk/Source/_javascript_Core/dfg/DFGFrozenValue.h 2016-05-27 22:29:02 UTC (rev 201470)
@@ -73,7 +73,10 @@
template<typename T>
T dynamicCast()
{
- return jsDynamicCast<T>(value());
+ JSValue theValue = value();
+ if (!theValue)
+ return nullptr;
+ return jsDynamicCast<T>(theValue);
}
template<typename T>
T cast()
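Review bot: the `if (!theValue) return nullptr;` guard is the entire fix, so it deserves a one-line comment stating that JSValue's boolean conversion tests for the empty value (not for null, undefined or JS falsiness) and that empty is legal here because DFG IR carries TDZ values; without that, a later reader can "simplify" the check away or mistake it for a null/undefined test and reintroduce the crash. Two smaller points: returning `nullptr` silently pins `T` to a pointer type, which matches the `JSString*` caller but is not stated anywhere, and `cast()` (visible only as trailing context) is hardened only if it routes through `dynamicCast()`; if its body calls `jsDynamicCast<>` or `jsCast<>` directly it keeps the original behaviour on empty values.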
Modified: trunk/Source/_javascript_Core/dfg/DFGLazyJSValue.cpp (201469 => 201470)
--- trunk/Source/_javascript_Core/dfg/DFGLazyJSValue.cpp 2016-05-27 21:42:42 UTC (rev 201469)
+++ trunk/Source/_javascript_Core/dfg/DFGLazyJSValue.cpp 2016-05-27 22:29:02 UTC (rev 201470)
@@ -95,7 +95,7 @@
return u.stringImpl;
case KnownValue:
- if (JSString* string = jsDynamicCast<JSString*>(value()->value()))
+ if (JSString* string = value()->dynamicCast<JSString*>())
return string->tryGetValueImpl();
return nullptr;
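Review bot: this hardens the single `jsDynamicCast<>` call in the `KnownValue` case, but the commit message says empty values can appear anywhere in DFG IR, which makes this a pattern problem rather than a one-site bug: any other DFG code that calls `jsDynamicCast<>` on a frozen or lazy value's contents directly, bypassing `FrozenValue::dynamicCast`, has the same exposure. Worth a grep for `jsDynamicCast` under `dfg/` before landing, and worth a sentence in the ChangeLog saying whether the remaining direct callers were audited or deliberately left alone.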
Added: trunk/Source/_javascript_Core/tests/stress/strcat-emtpy.js (0 => 201470)
--- trunk/Source/_javascript_Core/tests/stress/strcat-emtpy.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/strcat-emtpy.js 2016-05-27 22:29:02 UTC (rev 201470)
@@ -0,0 +1,14 @@
+function foo() {
+ "use strict";
+ let a = "hello" + a;
+ return a;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ try {
+ foo();
+ } catch (e) {
+ }
+}
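Review bot: the test passes merely by not crashing and swallows every exception, so a regression in which the DFG folds `"hello" + a` into a string instead of throwing would go unnoticed; keep a counter in the `catch` block and assert after the loop that every one of the 10000 calls threw, and that the exception is a `ReferenceError`, since the TDZ read of `a` on the `let` line is exactly what produces the empty value the fix is about. Note also that `noInline` is a JSC shell intrinsic, so the file runs only under `jsc` and the stress harness, not in a browser console, and that the filename `strcat-emtpy.js` carries a typo.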
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes