Title: [216076] trunk/Source/_javascript_Core
- Revision: 216076
- Author: [email protected]
- Date: 2017-05-02 10:55:11 -0700 (Tue, 02 May 2017)
Log Message
JSFixedArray::allocationSize() should not allow for allocation failure.
https://bugs.webkit.org/show_bug.cgi?id=171516
Reviewed by Geoffrey Garen.
Since JSFixedArray::createFromArray() now handles allocation failures by throwing
OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer
size to allocate) should also allow for allocation failure on overflow.
This issue is covered by the stress/js-fixed-array-out-of-memory.js test when
run on 32-bit builds.
* runtime/JSFixedArray.h:
(JSC::JSFixedArray::tryCreate):
(JSC::JSFixedArray::allocationSize):
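The overflow the log message refers to is easiest to see with the arithmetic reduced to its shape. The following is an added example, not WebKit or JSC code: it simulates a 32-bit size_t with uint32_t and uses assumed constants (a 16-byte header standing in for offsetOfData(), 8 bytes standing in for sizeof(WriteBarrier<Unknown>)), then shows the pre-patch computation wrapping to a tiny byte count next to a checked version that reports overflow the way Checked<size_t, RecordOverflow> does, and a tryCreate()-style caller that refuses to allocate on overflow. The heapLimit parameter is an assumption standing in for the allocator declining a request.

```cpp
// Added example (not WebKit/JSC code): why an allocation-size computation of
// the form offsetOfData() + numItems * sizeof(item) needs checked arithmetic,
// and what tryCreate()-style callers should do with the overflow flag.
// Assumptions (not the project's real values): a 32-bit size_t is simulated
// with uint32_t, the header is 16 bytes and each item is 8 bytes.
#include <cstdint>
#include <cstdio>
#include <optional>

using Size32 = uint32_t;              // stand-in for size_t on a 32-bit build
constexpr Size32 kOffsetOfData = 16;  // assumed header size before the items
constexpr Size32 kItemSize = 8;       // assumed sizeof(WriteBarrier<Unknown>)

// "Before": plain unsigned arithmetic. Wraps modulo 2^32 and returns a small,
// wrong byte count; an allocator would then hand back an undersized buffer.
Size32 unsafeAllocationSize(Size32 numItems) {
    return kOffsetOfData + numItems * kItemSize;
}

// "After": record overflow instead of wrapping. std::nullopt stands in for
// Checked<size_t, RecordOverflow>::hasOverflowed() returning true.
std::optional<Size32> checkedAllocationSize(Size32 numItems) {
    Size32 bytes;
    if (__builtin_mul_overflow(numItems, kItemSize, &bytes))
        return std::nullopt;                     // numItems * item size wrapped
    if (__builtin_add_overflow(kOffsetOfData, bytes, &bytes))
        return std::nullopt;                     // header + payload wrapped
    return bytes;
}

// Caller in the shape of tryCreate(): overflow and allocation failure are
// both reported the same way (false here, nullptr there). heapLimit is an
// assumed cap standing in for tryAllocateCell() refusing the request.
bool tryCreateWouldSucceed(Size32 numItems, Size32 heapLimit) {
    std::optional<Size32> size = checkedAllocationSize(numItems);
    if (!size)
        return false;                            // overflow: report, never allocate
    return *size <= heapLimit;                   // allocation failure path
}

int main() {
    const Size32 huge = 0x20000000;              // 2^29 items * 8 bytes = 2^32
    std::printf("unsafe:  %u items -> %u bytes (wrapped)\n",
                huge, unsafeAllocationSize(huge));
    std::optional<Size32> checked = checkedAllocationSize(huge);
    std::printf("checked: %u items -> %s\n", huge, checked ? "ok" : "overflow");
    return 0;
}
```

Two boundary inputs are worth keeping in mind when reading the patch: 0x1FFFFFFF items makes the multiplication fit but the header addition wrap, which is why the check must cover the whole expression and not just the product, and 0x1FFFFFFD items is the largest count that survives both steps on a 32-bit size_t.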
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (216075 => 216076)
--- trunk/Source/_javascript_Core/ChangeLog 2017-05-02 17:49:39 UTC (rev 216075)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-05-02 17:55:11 UTC (rev 216076)
@@ -1,3 +1,21 @@
+2017-05-02 Mark Lam <[email protected]>
+
+ JSFixedArray::allocationSize() should not allow for allocation failure.
+ https://bugs.webkit.org/show_bug.cgi?id=171516
+
+ Reviewed by Geoffrey Garen.
+
+ Since JSFixedArray::createFromArray() now handles allocation failures by throwing
+ OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer
+ size to allocate) should also allow for allocation failure on overflow.
+
+ This issue is covered by the stress/js-fixed-array-out-of-memory.js test when
+ run on 32-bit builds.
+
+ * runtime/JSFixedArray.h:
+ (JSC::JSFixedArray::tryCreate):
+ (JSC::JSFixedArray::allocationSize):
+
2017-05-01 Zan Dobersek <[email protected]>
[aarch64][Linux] m_allowScratchRegister assert hit in MacroAssemblerARM64 under B3::Air::CCallSpecial::generate()
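Review bot: the entry's title line ("allocationSize() should not allow for allocation failure") contradicts its own body ("should also allow for allocation failure on overflow") and the code change, which makes allocationSize() report overflow rather than crash; suggest rewording the title to "JSFixedArray::allocationSize() should allow for allocation failure on overflow" in the ChangeLog and the bug summary so the history reads consistently. The per-function list is fine, but a sentence stating that tryCreate() now returns nullptr on size overflow as well as on allocation failure would tell callers exactly what changed for them.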
Modified: trunk/Source/_javascript_Core/runtime/JSFixedArray.h (216075 => 216076)
--- trunk/Source/_javascript_Core/runtime/JSFixedArray.h 2017-05-02 17:49:39 UTC (rev 216075)
+++ trunk/Source/_javascript_Core/runtime/JSFixedArray.h 2017-05-02 17:55:11 UTC (rev 216076)
@@ -122,7 +122,11 @@
ALWAYS_INLINE static JSFixedArray* tryCreate(VM& vm, Structure* structure, unsigned size)
{
- void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, allocationSize(size));
+ Checked<size_t, RecordOverflow> checkedAllocationSize = allocationSize(size);
+ if (UNLIKELY(checkedAllocationSize.hasOverflowed()))
+ return nullptr;
+
+ void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, checkedAllocationSize.unsafeGet());
if (UNLIKELY(!buffer))
return nullptr;
JSFixedArray* result = new (NotNull, buffer) JSFixedArray(vm, structure, size);
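Review bot: the `hasOverflowed()` check correctly precedes `unsafeGet()`, so a wrapped byte count never reaches `tryAllocateCell`, and folding overflow into the same `return nullptr` path as allocation failure matches the ChangeLog's intent that createFromArray() turn both into an OutOfMemoryError. One suggestion: `size` is `unsigned` while the arithmetic is `Checked<size_t, RecordOverflow>`, so on 64-bit builds a 32-bit count times a small element size cannot overflow and the branch only fires on 32-bit (as the "covered ... on 32-bit builds" note says); a one-line comment on the `if` would keep a later reader from deleting it as unreachable.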
@@ -140,9 +144,9 @@
}
- static size_t allocationSize(Checked<size_t> numItems)
+ static Checked<size_t, RecordOverflow> allocationSize(Checked<size_t, RecordOverflow> numItems)
{
- return (offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>)).unsafeGet();
+ return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>);
}
};
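Review bot: the old signature took `Checked<size_t>` with the default overflow handler (CrashOnOverflow) and called `unsafeGet()` unconditionally, so an overflowing size crashed rather than being returned wrapped; the new version hands the `RecordOverflow` flag to the caller instead, which is the right shape, but it also silently changes the contract for every other caller of allocationSize(): anyone who still treats the return value as a plain byte count must now call `hasOverflowed()` before `unsafeGet()`. Suggest a one-line comment above the function stating that requirement, and a grep for other call sites in the same change so none keeps reading the value unchecked.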
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes