Title: [214799] releases/WebKitGTK/webkit-2.16/Source/_javascript_Core
Revision
214799
Author
carlo...@webkit.org
Date
2017-04-03 09:11:27 -0700 (Mon, 03 Apr 2017)

Log Message

Merge r214374 - Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
https://bugs.webkit.org/show_bug.cgi?id=170064
<rdar://problem/31246098>

Reviewed by Geoffrey Garen.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/JSArray.cpp:
(JSC::JSArray::fastSlice):

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (214798 => 214799)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-04-03 16:10:45 UTC (rev 214798)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-04-03 16:11:27 UTC (rev 214799)
@@ -1,3 +1,16 @@
+2017-03-24  Mark Lam  <mark....@apple.com>
+
+        Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
+        https://bugs.webkit.org/show_bug.cgi?id=170064
+        <rdar://problem/31246098>
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoPrivateFuncConcatMemcpy):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::fastSlice):
+
 2017-03-23  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Use jsNontrivialString agressively for ToString(Int52)
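Review bot: The ChangeLog entry repeats only the title and the two touched functions; it does not record what "cannot handle it" means, which is the one fact a future maintainer needs when reading the new early returns. Suggest adding a sentence under the title stating that when the global object is having a bad time, arrayStructureForIndexingTypeDuringAllocation() hands back an ArrayStorage-shaped structure that the memcpy fast paths cannot populate, so both fast paths now bail out to the generic slow path instead of proceeding.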

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/ArrayPrototype.cpp (214798 => 214799)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2017-04-03 16:10:45 UTC (rev 214798)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2017-04-03 16:11:27 UTC (rev 214799)
@@ -1327,7 +1327,12 @@
         return JSValue::encode(result);
     }
 
-    Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
+    JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
+    Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(type);
+    if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+        return JSValue::encode(jsNull());
+
+    ASSERT(!lexicalGlobalObject->isHavingABadTime());
     JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, resultSize);
     if (UNLIKELY(!result)) {
         throwOutOfMemoryError(exec, scope);
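Review bot: The new hasAnyArrayStorage() early return in arrayProtoPrivateFuncConcatMemcpy carries no comment explaining why an ArrayStorage result structure forces a bail-out, and the only hint is the ASSERT(!lexicalGlobalObject->isHavingABadTime()) that follows it, which compiles away in release builds. Suggest a short comment above the check, e.g. "// If the global object is having a bad time, the allocation structure is ArrayStorage, which this memcpy path cannot fill; return null so the caller takes the slow path." Also worth confirming (and stating in the comment) that jsNull() is the agreed fall-back sentinel checked by the JS-side caller, since the same path already returns a real array or throws, and a null return must not be mistaken for a valid result.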

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSArray.cpp (214798 => 214799)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSArray.cpp	2017-04-03 16:10:45 UTC (rev 214798)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSArray.cpp	2017-04-03 16:11:27 UTC (rev 214799)
@@ -855,7 +855,12 @@
         if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
             return nullptr;
 
-        Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+        JSGlobalObject* lexicalGlobalObject = exec.lexicalGlobalObject();
+        Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+        if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+            return nullptr;
+
+        ASSERT(!lexicalGlobalObject->isHavingABadTime());
         JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
         if (UNLIKELY(!resultArray))
             return nullptr;
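Review bot: The three-line guard added to JSArray::fastSlice duplicates the one added to arrayProtoPrivateFuncConcatMemcpy in the previous hunk (same lexicalGlobalObject lookup, same hasAnyArrayStorage() test, same ASSERT). Suggest factoring it into one helper that returns the structure or null, so a third memcpy-style fast path added later cannot forget the check. The choice of nullptr as the fall-back value is consistent with the lines just above (count >= MIN_SPARSE_ARRAY_INDEX and holesMustForwardToPrototype both return nullptr), so callers already handle it; a comment tying the new return to those existing bail-outs would make that intent explicit.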
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes