Modified: trunk/JSTests/ChangeLog (214312 => 214313)
--- trunk/JSTests/ChangeLog 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/JSTests/ChangeLog 2017-03-23 20:31:18 UTC (rev 214313)
@@ -1,3 +1,12 @@
+2017-03-23 Mark Lam <[email protected]>
+
+ Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
+ https://bugs.webkit.org/show_bug.cgi?id=169783
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-169783.js: Added.
+
2017-03-22 Yusuke Suzuki <[email protected]>
[JSC][DFG] Propagate AnyIntAsDouble information carefully to utilize it in fixup
Added: trunk/JSTests/stress/regress-169783.js (0 => 214313)
--- trunk/JSTests/stress/regress-169783.js (rev 0)
+++ trunk/JSTests/stress/regress-169783.js 2017-03-23 20:31:18 UTC (rev 214313)
@@ -0,0 +1,20 @@
+//@ if $buildType == "debug" then runFTLNoCJIT("--maxSingleAllocationSize=10000000") else skip end
+
+function test(a) {
+ var x = [1337, ...a, ...a, ...a, ...a, ...a];
+}
+noInline(test);
+
+function doTest(a, shouldThrow) {
+ var exception;
+ try {
+ test(a);
+ } catch (e) {
+ exception = e;
+ }
+ if (shouldThrow && exception != "Error: Out of memory")
+ throw("FAILED");
+}
+
+var a = new Array(0x40000);
+doTest(a, true);
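Review bot: `doTest` only validates the throwing case; when `shouldThrow` is false any exception raised by `test(a)` is caught and silently dropped, so the helper cannot be used to assert that a smaller spread succeeds. Adding `if (!shouldThrow && exception !== undefined) throw("FAILED");` after the existing check makes both branches meaningful. The comparison `exception != "Error: Out of memory"` also relies on the caught Error being implicitly string-coerced; `String(exception)` would make that explicit without changing the result.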
Modified: trunk/Source/_javascript_Core/ChangeLog (214312 => 214313)
--- trunk/Source/_javascript_Core/ChangeLog 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-03-23 20:31:18 UTC (rev 214313)
@@ -1,3 +1,32 @@
+2017-03-23 Mark Lam <[email protected]>
+
+ Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
+ https://bugs.webkit.org/show_bug.cgi?id=169783
+
+ Reviewed by Saam Barati.
+
+ Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
+ an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
+ succeeds.
+
+ * dfg/DFGOperations.cpp:
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSplice):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateForInitializationPrivate):
+ (JSC::JSArray::fastSlice):
+ * runtime/JSArray.h:
+ (JSC::constructArray):
+ (JSC::constructArrayNegativeIndexed):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::createEmptyRegExpMatchesArray):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::createRegExpMatchesArray):
+
2017-03-23 Guillaume Emont <[email protected]>
[jsc] Add MacroAssemblerMIPS::storeFence()
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (214312 => 214313)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2017-03-23 20:31:18 UTC (rev 214313)
@@ -2086,6 +2086,10 @@
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, length);
+ if (UNLIKELY(!result)) {
+ throwOutOfMemoryError(exec, scope);
+ return nullptr;
+ }
RETURN_IF_EXCEPTION(scope, nullptr);
unsigned index = 0;
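Review bot: The new null check surfaces every null from `JSArray::tryCreateForInitializationPrivate()` as an out-of-memory error, but per the JSArray.cpp hunk in this same commit that function also returns null when the requested length exceeds `MAX_STORAGE_VECTOR_LENGTH`, so an over-length request is reported as OOM rather than as a length problem; the same applies to the ArrayPrototype.cpp and CommonSlowPaths.cpp hunks. If that is intended (it may be, if callers bound `length` earlier — not visible here), a one-line comment would stop a later reader from "fixing" it: `// A null result means either an over-length request or a failed allocation; both are surfaced as OOM.` The enclosing function starts and ends outside the hunk.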
Modified: trunk/Source/_javascript_Core/ftl/FTLOperations.cpp (214312 => 214313)
--- trunk/Source/_javascript_Core/ftl/FTLOperations.cpp 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/ftl/FTLOperations.cpp 2017-03-23 20:31:18 UTC (rev 214313)
@@ -363,6 +363,9 @@
Structure* structure = globalObject->restParameterStructure();
ASSERT(argumentCount > 0);
unsigned arraySize = (argumentCount - 1) > numberOfArgumentsToSkip ? argumentCount - 1 - numberOfArgumentsToSkip : 0;
+
+ // FIXME: we should throw an out of memory error here if tryCreateForInitializationPrivate() fails.
+ // https://bugs.webkit.org/show_bug.cgi?id=169784
JSArray* array = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
RELEASE_ASSERT(array);
@@ -452,6 +455,8 @@
}
}
+ // FIXME: we should throw an out of memory error here if checkedArraySize has hasOverflowed() or tryCreateForInitializationPrivate() fails.
+ // https://bugs.webkit.org/show_bug.cgi?id=169784
unsigned arraySize = checkedArraySize.unsafeGet(); // Crashes if overflowed.
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
RELEASE_ASSERT(result);
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (214312 => 214313)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2017-03-23 20:31:18 UTC (rev 214313)
@@ -1042,8 +1042,10 @@
}
} else {
result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
- if (!result)
- return JSValue::encode(throwOutOfMemoryError(exec, scope));
+ if (UNLIKELY(!result)) {
+ throwOutOfMemoryError(exec, scope);
+ return encodedJSValue();
+ }
for (unsigned k = 0; k < actualDeleteCount; ++k) {
JSValue v = getProperty(exec, thisObj, k + actualStart);
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (214312 => 214313)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2017-03-23 20:31:18 UTC (rev 214313)
@@ -1010,6 +1010,8 @@
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
+ if (UNLIKELY(!result))
+ THROW(createOutOfMemoryError(exec));
CHECK_EXCEPTION();
unsigned index = 0;
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (214312 => 214313)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2017-03-23 20:31:18 UTC (rev 214313)
@@ -62,7 +62,7 @@
JSArray* JSArray::tryCreateForInitializationPrivate(VM& vm, GCDeferralContext* deferralContext, Structure* structure, unsigned initialLength)
{
- if (initialLength > MAX_STORAGE_VECTOR_LENGTH)
+ if (UNLIKELY(initialLength > MAX_STORAGE_VECTOR_LENGTH))
return 0;
unsigned outOfLineStorage = structure->outOfLineCapacity();
@@ -78,7 +78,7 @@
unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
void* temp = vm.auxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
- if (!temp)
+ if (UNLIKELY(!temp))
return nullptr;
butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
butterfly->setVectorLength(vectorLength);
@@ -93,7 +93,7 @@
} else {
unsigned vectorLength = ArrayStorage::optimalVectorLength(0, structure, initialLength);
void* temp = vm.auxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)));
- if (!temp)
+ if (UNLIKELY(!temp))
return nullptr;
butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
*butterfly->indexingHeader() = indexingHeaderForArrayStorage(initialLength, vectorLength);
@@ -857,7 +857,7 @@
Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
- if (!resultArray)
+ if (UNLIKELY(!resultArray))
return nullptr;
auto& resultButterfly = *resultArray->butterfly();
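Review bot: The early return at the top of `tryCreateForInitializationPrivate()` still reads `return 0;` for a `JSArray*` while the two allocation-failure paths in the same function return `nullptr`; changing it to `return nullptr;` keeps the three exits uniform. Since this commit makes callers responsible for null-checking, the contract deserves a line above the definition, e.g. `// Returns nullptr when initialLength exceeds MAX_STORAGE_VECTOR_LENGTH or when the butterfly allocation fails; callers must null-check.` The fastSlice hunk already follows that contract by returning nullptr on a null result.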
Modified: trunk/Source/_javascript_Core/runtime/JSArray.h (214312 => 214313)
--- trunk/Source/_javascript_Core/runtime/JSArray.h 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/runtime/JSArray.h 2017-03-23 20:31:18 UTC (rev 214313)
@@ -300,6 +300,7 @@
// FIXME: we should probably throw an out of memory error here, but
// when making this change we should check that all clients of this
// function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
RELEASE_ASSERT(array);
for (unsigned i = 0; i < length; ++i)
@@ -315,6 +316,7 @@
// FIXME: we should probably throw an out of memory error here, but
// when making this change we should check that all clients of this
// function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
RELEASE_ASSERT(array);
for (unsigned i = 0; i < length; ++i)
@@ -330,6 +332,7 @@
// FIXME: we should probably throw an out of memory error here, but
// when making this change we should check that all clients of this
// function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
RELEASE_ASSERT(array);
for (int i = 0; i < static_cast<int>(length); ++i)
Modified: trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.cpp (214312 => 214313)
--- trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.cpp 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.cpp 2017-03-23 20:31:18 UTC (rev 214313)
@@ -40,7 +40,12 @@
if (UNLIKELY(globalObject->isHavingABadTime())) {
array = JSArray::tryCreateForInitializationPrivate(vm, &deferralContext, globalObject->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
-
+ // FIXME: we should probably throw an out of memory error here, but
+ // when making this change we should check that all clients of this
+ // function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
+ RELEASE_ASSERT(array);
+
array->initializeIndexWithoutBarrier(0, jsEmptyString(&vm));
if (unsigned numSubpatterns = regExp->numSubpatterns()) {
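Review bot: The four-line FIXME added before `RELEASE_ASSERT(array)` is a verbatim copy of the block that JSArray.h carries three times and RegExpMatchesArray.h once more in this commit; a single-line pointer keeps the intent without five copies to keep in sync, e.g. `// FIXME: RELEASE_ASSERT instead of throwing OOM; see https://bugs.webkit.org/show_bug.cgi?id=169786 and the note in JSArray.h.` The assert itself is well placed: `array` is dereferenced on the next line, so a failed allocation in the bad-time path now aborts deterministically instead of dereferencing null. The enclosing function continues past the hunk.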
Modified: trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.h (214312 => 214313)
--- trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.h 2017-03-23 20:20:10 UTC (rev 214312)
+++ trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.h 2017-03-23 20:31:18 UTC (rev 214313)
@@ -81,7 +81,12 @@
if (UNLIKELY(globalObject->isHavingABadTime())) {
array = JSArray::tryCreateForInitializationPrivate(vm, &deferralContext, globalObject->regExpMatchesArrayStructure(), numSubpatterns + 1);
-
+ // FIXME: we should probably throw an out of memory error here, but
+ // when making this change we should check that all clients of this
+ // function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
+ RELEASE_ASSERT(array);
+
setProperties();
array->initializeIndexWithoutBarrier(0, jsSubstringOfResolved(vm, &deferralContext, input, result.start, result.end - result.start));