Title: [204838] releases/WebKitGTK/webkit-2.12/Source/_javascript_Core
- Revision
- 204838
- Author
- [email protected]
- Date
- 2016-08-23 08:26:10 -0700 (Tue, 23 Aug 2016)
Log Message
Merge r200387 - Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
https://bugs.webkit.org/show_bug.cgi?id=157322
Reviewed by Filip Pizlo.
Check to see if the source array has changed length before calling fastSlice().
If it has, take the slow path.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
* tests/stress/regress-157322.js: New test.
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (204837 => 204838)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog 2016-08-23 15:17:13 UTC (rev 204837)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog 2016-08-23 15:26:10 UTC (rev 204838)
@@ -1,3 +1,18 @@
+2016-05-03 Michael Saboff <[email protected]>
+
+ Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
+ https://bugs.webkit.org/show_bug.cgi?id=157322
+
+ Reviewed by Filip Pizlo.
+
+ Check to see if the source array has changed length before calling fastSlice().
+ If it has, take the slow path.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ * tests/stress/regress-157322.js: New test.
+
2016-04-09 Saam barati <[email protected]>
Allocation sinking SSA Defs are allowed to have replacements
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/runtime/ArrayPrototype.cpp (204837 => 204838)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-08-23 15:17:13 UTC (rev 204837)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-08-23 15:26:10 UTC (rev 204838)
@@ -832,7 +832,7 @@
if (UNLIKELY(speciesResult.first == SpeciesConstructResult::Exception))
return JSValue::encode(jsUndefined());
- if (LIKELY(speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj))) {
+ if (LIKELY(speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj) && length == getLength(exec, thisObj))) {
if (JSArray* result = asArray(thisObj)->fastSlice(*exec, begin, end - begin))
return JSValue::encode(result);
}
@@ -899,7 +899,7 @@
return JSValue::encode(jsUndefined());
JSObject* result = nullptr;
- if (speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj))
+ if (speciesResult.first == SpeciesConstructResult::FastPath && isJSArray(thisObj) && length == getLength(exec, thisObj))
result = asArray(thisObj)->fastSlice(*exec, begin, deleteCount);
if (!result) {
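Review bot: The new guard `length == getLength(exec, thisObj)` compares only the public length, while the hazard it addresses is that the receiver's backing storage can be reallocated by user code run during argument coercion (the `valueOf` callbacks in the regression test); an array truncated and then regrown to the same length passes this check and still reaches `fastSlice(*exec, begin, end - begin)`. Whether that is safe depends on fastSlice validating `startIndex + count` against the butterfly's current vector length, which is outside this hunk and worth confirming; if it does not, that bound check belongs inside fastSlice so every caller is covered instead of each call site re-deriving it. Since `isJSArray(thisObj)` is evaluated first, the added `getLength` call should not itself run further user code, but a one-line comment such as `// Argument coercion above may have run user code that truncated thisObj; re-check before the memcpy-based fast path` would make the ordering dependency explicit. The same call-site guard is repeated verbatim in the splice hunk; a shared helper or the in-callee check would keep the two in step. Both enclosing functions start and end outside the hunks.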
Added: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/regress-157322.js (0 => 204838)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/regress-157322.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/regress-157322.js 2016-08-23 15:26:10 UTC (rev 204838)
@@ -0,0 +1,43 @@
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=157322. This test should not crash.
+
+let fromArray = [];
+let toArray = [];
+let dummyArray = [];
+let endObj1 = {
+ valueOf: function() {
+ let originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ return originalLength;
+ }
+};
+
+let endObj2 = {
+ valueOf: function() {
+ let originalLength = fromArray.length;
+ fromArray.length = 1;
+
+ dummyArray = new Float64Array(1000);
+
+ fromArray = [];
+ fromArray.length = originalLength;
+
+ return originalLength;
+ }
+};
+
+let initialArray = [];
+for (let i = 0; i < 8000; i++)
+ initialArray.push(i + 0.1);
+
+for (let loop = 0; loop < 1000; loop++) {
+ fromArray = initialArray.slice(0);
+
+ let endObj = (loop % 2 == 1) ? endObj1 : endObj2;
+
+ // These calls shouldn't crash
+ toArray = fromArray.slice(0, endObj);
+ toArray = fromArray.splice(0, endObj);
+}
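Review bot: Both `valueOf` variants leave the receiver shorter than it was — `endObj2` rebinds `fromArray` to a fresh array rather than regrowing the one `slice`/`splice` was invoked on — so the test only covers the case the new length-equality guard rejects. A third variant that truncates and then restores the same receiver, `fromArray.length = 1; dummyArray = new Float64Array(1000); fromArray.length = originalLength;`, passes that guard and exercises fastSlice against reallocated storage, which is the path a length-only check cannot rule out. The `new Float64Array(1000)` lines would also benefit from a comment stating their purpose, e.g. `// Allocation presumably meant to let the collector reclaim the truncated array's storage — confirm`, since nothing reads `dummyArray`.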