[webkit-changes] [202585] trunk/Source/JavaScriptCore

[fpizlo]

Title: [202585] trunk/Source/_javascript_Core

Revision

202585

Author

fpi...@apple.com

Date

2016-06-28 14:03:15 -0700 (Tue, 28 Jun 2016)

Log Message

JSRopeString should use release asserts, not debug asserts, about substring bounds
https://bugs.webkit.org/show_bug.cgi?id=159227

Reviewed by Saam Barati.
        
According to my experiments this change costs nothing.  That's not surprising since the
most common way to construct a rope these days is inlined into the JIT, which does its own
safety checks.  This makes us crash sooner rather than corrupting memory.

* runtime/JSString.h:

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSString.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (202584 => 202585)

--- trunk/Source/_javascript_Core/ChangeLog	2016-06-28 21:02:52 UTC (rev 202584)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-06-28 21:03:15 UTC (rev 202585)
@@ -1,3 +1,16 @@
+2016-06-28  Filip Pizlo  <fpi...@apple.com>
+
+        JSRopeString should use release asserts, not debug asserts, about substring bounds
+        https://bugs.webkit.org/show_bug.cgi?id=159227
+
+        Reviewed by Saam Barati.
+        
+        According to my experiments this change costs nothing.  That's not surprising since the
+        most common way to construct a rope these days is inlined into the JIT, which does its own
+        safety checks.  This makes us crash sooner rather than corrupting memory.
+
+        * runtime/JSString.h:
+
 2016-06-28  Brian Burg  <bb...@apple.com>
 
         RunLoop::Timer should use constructor templates instead of class templates

Modified: trunk/Source/_javascript_Core/runtime/JSString.h (202584 => 202585)

--- trunk/Source/_javascript_Core/runtime/JSString.h	2016-06-28 21:02:52 UTC (rev 202584)
+++ trunk/Source/_javascript_Core/runtime/JSString.h	2016-06-28 21:03:15 UTC (rev 202585)
@@ -297,8 +297,8 @@
     void finishCreation(VM& vm, ExecState* exec, JSString* base, unsigned offset, unsigned length)
     {
         Base::finishCreation(vm);
-        ASSERT(!sumOverflows<int32_t>(offset, length));
-        ASSERT(offset + length <= base->length());
+        RELEASE_ASSERT(!sumOverflows<int32_t>(offset, length));
+        RELEASE_ASSERT(offset + length <= base->length());
         m_length = length;
         setIs8Bit(base->is8Bit());
         setIsSubstring(true);
@@ -321,8 +321,8 @@
     ALWAYS_INLINE void finishCreationSubstringOfResolved(VM& vm, JSString* base, unsigned offset, unsigned length)
     {
         Base::finishCreation(vm);
-        ASSERT(!sumOverflows<int32_t>(offset, length));
-        ASSERT(offset + length <= base->length());
+        RELEASE_ASSERT(!sumOverflows<int32_t>(offset, length));
+        RELEASE_ASSERT(offset + length <= base->length());
         m_length = length;
         setIs8Bit(base->is8Bit());
         setIsSubstring(true);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes