Diff
Modified: trunk/JSTests/ChangeLog (217868 => 217869)
--- trunk/JSTests/ChangeLog 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/JSTests/ChangeLog 2017-06-07 00:28:47 UTC (rev 217869)
@@ -1,3 +1,13 @@
+2017-06-06 Mark Lam <[email protected]>
+
+ Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
+ https://bugs.webkit.org/show_bug.cgi?id=173035
+ <rdar://problem/32554593>
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ * stress/regress-173035.js: Added.
+
2017-06-06 Saam Barati <[email protected]>
Make sure we restore SP when doing calls that could be to JS
Added: trunk/JSTests/stress/regress-173035.js (0 => 217869)
--- trunk/JSTests/stress/regress-173035.js (rev 0)
+++ trunk/JSTests/stress/regress-173035.js 2017-06-07 00:28:47 UTC (rev 217869)
@@ -0,0 +1,4 @@
+var a = [];
+for (var i=0; i<0x04001000; i++) a.push(i+0.1);
+a.length = 0x20000000;
+a.slice(0x1fffffff,0x20000000);
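Review bot: The new test has no comment stating what outcome counts as passing, so a reader cannot tell whether the `a.slice(...)` call on the last line is expected to throw, return a result, or merely not crash. Add a header comment such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=173035: raising the length of a contiguous (double) array far beyond its storage must not leave the butterfly with an over-long vector. This test passes if it does not crash.` The push loop materializes roughly 0x04001000 doubles before the length is raised, which is a large allocation for a stress test; if the harness supports a memory-limited skip annotation, consider applying it so the test does not OOM or time out on constrained devices.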
Modified: trunk/Source/_javascript_Core/ChangeLog (217868 => 217869)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-07 00:28:47 UTC (rev 217869)
@@ -1,3 +1,27 @@
+2017-06-06 Mark Lam <[email protected]>
+
+ Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
+ https://bugs.webkit.org/show_bug.cgi?id=173035
+ <rdar://problem/32554593>
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ Also added and fixed up some assertions.
+
+ * runtime/ArrayConventions.h:
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLength):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+ * runtime/JSObject.h:
+ (JSC::JSObject::ensureLength):
+ * runtime/RegExpObject.cpp:
+ (JSC::collectMatches):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncSplitFast):
+
2017-06-06 Saam Barati <[email protected]>
Make sure we restore SP when doing calls that could be to JS
Modified: trunk/Source/_javascript_Core/runtime/ArrayConventions.h (217868 => 217869)
--- trunk/Source/_javascript_Core/runtime/ArrayConventions.h 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/runtime/ArrayConventions.h 2017-06-07 00:28:47 UTC (rev 217869)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten ([email protected])
- * Copyright (C) 2003, 2007, 2008, 2009, 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -69,6 +69,9 @@
// 0xFFFFFFFF is a bit weird -- is not an array index even though it's an integer.
#define MAX_ARRAY_INDEX 0xFFFFFFFEU
+static_assert(MIN_SPARSE_ARRAY_INDEX <= MAX_STORAGE_VECTOR_INDEX, "MIN_SPARSE_ARRAY_INDEX must be less than or equal to MAX_STORAGE_VECTOR_INDEX");
+static_assert(MAX_STORAGE_VECTOR_INDEX <= MAX_ARRAY_INDEX, "MAX_STORAGE_VECTOR_INDEX must be less than or equal to MAX_ARRAY_INDEX");
+
// The value BASE_XXX_VECTOR_LEN is the maximum number of vector elements we'll allocate
// for an array that was created with a sepcified length (e.g. a = new Array(123))
#define BASE_CONTIGUOUS_VECTOR_LEN 3U
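Review bot: The two added static_asserts pin MIN_SPARSE_ARRAY_INDEX and MAX_STORAGE_VECTOR_INDEX against MAX_ARRAY_INDEX, but the runtime checks this commit introduces elsewhere (JSArray::setLength, the JSObject asserts) are written in terms of MAX_STORAGE_VECTOR_LENGTH, whose relationship to MAX_STORAGE_VECTOR_INDEX is not stated here. Since the new `<=` and `>` comparisons are only correct if the length constant is exactly one more than the maximum index, it would be worth pinning that too, e.g. `static_assert(MAX_STORAGE_VECTOR_LENGTH == MAX_STORAGE_VECTOR_INDEX + 1, "MAX_STORAGE_VECTOR_LENGTH must be the element count corresponding to MAX_STORAGE_VECTOR_INDEX");` — assuming the macro is defined that way, which cannot be confirmed from this hunk. The definitions of both MAX_STORAGE_VECTOR_* constants lie outside the hunk.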
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (217868 => 217869)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2017-06-07 00:28:47 UTC (rev 217869)
@@ -569,7 +569,7 @@
case ArrayWithContiguous: {
if (newLength == butterfly->publicLength())
return true;
- if (newLength >= MAX_ARRAY_INDEX // This case ensures that we can do fast push.
+ if (newLength > MAX_STORAGE_VECTOR_LENGTH // This check ensures that we can do fast push.
|| (newLength >= MIN_SPARSE_ARRAY_INDEX
&& !isDenseEnoughForVector(newLength, countElements()))) {
scope.release();
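Review bot: The rewritten comment on the `newLength > MAX_STORAGE_VECTOR_LENGTH` check still only says it "ensures that we can do fast push", which does not convey the invariant the bug was about: contiguous, double and int32 butterflies must never be asked for a vector longer than MAX_STORAGE_VECTOR_LENGTH, and anything larger has to leave contiguous storage. Suggest `// Contiguous storage can never hold more than MAX_STORAGE_VECTOR_LENGTH elements (matching the asserts in ensureLength/createInitialIndexedStorage); larger lengths must convert away from the vector so push can also stay on the fast path.` The conversion taken on the `scope.release()` path, and the remainder of setLength, lie outside the hunk, so where the fallback storage is chosen is not visible here.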
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (217868 => 217869)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2017-06-07 00:28:47 UTC (rev 217869)
@@ -1001,7 +1001,7 @@
Butterfly* JSObject::createInitialIndexedStorage(VM& vm, unsigned length)
{
- ASSERT(length < MAX_ARRAY_INDEX);
+ ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
IndexingType oldType = indexingType();
ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
ASSERT(!structure()->needsSlowPutIndexing());
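Review bot: The tightened `ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH)` in createInitialIndexedStorage compiles out in release builds, so in shipping code the bound this commit is about is enforced solely by callers such as JSArray::setLength. Since this is the function that sizes the initial butterfly from `length`, an over-long value reaching it through any caller the commit did not audit would again produce a vector larger than the layout assumes. Consider `RELEASE_ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);` so the failure mode is a deterministic crash rather than a memory-safety bug, if the cost on this allocation path is acceptable. The body of createInitialIndexedStorage continues past the hunk.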
@@ -3129,7 +3129,7 @@
{
Butterfly* butterfly = m_butterfly.get();
- ASSERT(length < MAX_ARRAY_INDEX);
+ ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
ASSERT(length > butterfly->vectorLength());
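Review bot: The same debug-only `ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH)` pattern is used in ensureLengthSlow, which is the path that actually grows the vector and therefore the place where an unchecked length would be most damaging. ensureLength in JSObject.h appears to forward here after comparing against `vectorLength()` (its body is cut off in that hunk), so a `RELEASE_ASSERT` at this single site would cover every growth caller with one check; whether that is acceptable depends on how hot this slow path is, which the hunk does not show. The signature of ensureLengthSlow and the remainder of its body are outside the hunk.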
@@ -3181,8 +3181,7 @@
void JSObject::reallocateAndShrinkButterfly(VM& vm, unsigned length)
{
- ASSERT(length < MAX_ARRAY_INDEX);
- ASSERT(length < MAX_STORAGE_VECTOR_LENGTH);
+ ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
ASSERT(m_butterfly.get()->vectorLength() > length);
ASSERT(!m_butterfly.get()->indexingHeader()->preCapacity(structure()));
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (217868 => 217869)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2017-06-07 00:28:47 UTC (rev 217869)
@@ -967,7 +967,7 @@
// the array is contiguous.
bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length)
{
- ASSERT(length < MAX_ARRAY_INDEX);
+ ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
if (m_butterfly.get()->vectorLength() < length) {
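Review bot: ensureLength's upper bound on `length` is now only expressed as a debug ASSERT, while the comment above it (cut off at the top of the hunk, ending "the array is contiguous.") does not mention the limit callers must respect. Since this is the public inline entry point and the invariant is exactly what bug 173035 was about, state it in the comment so callers see it without reading the assert: `// Precondition: length <= MAX_STORAGE_VECTOR_LENGTH. Callers must convert away from contiguous storage (or reject the operation) for anything larger; see JSArray::setLength.` The rest of ensureLength's body is outside the hunk.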
Modified: trunk/Source/_javascript_Core/runtime/RegExpObject.cpp (217868 => 217869)
--- trunk/Source/_javascript_Core/runtime/RegExpObject.cpp 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/runtime/RegExpObject.cpp 2017-06-07 00:28:47 UTC (rev 217869)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten ([email protected])
- * Copyright (C) 2003, 2007-2008, 2012, 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -204,7 +204,7 @@
unsigned matchCount = 0;
MatchResult savedResult = result;
do {
- if (array->length() + matchCount >= MAX_STORAGE_VECTOR_LENGTH) {
+ if (array->length() + matchCount > MAX_STORAGE_VECTOR_LENGTH) {
throwOutOfMemoryError(exec, scope);
return jsUndefined();
}
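Review bot: The relaxed check `array->length() + matchCount > MAX_STORAGE_VECTOR_LENGTH` now lets the result array reach exactly MAX_STORAGE_VECTOR_LENGTH elements, which is consistent with the new `<=` asserts in JSObject, but nothing at this site says why `>` rather than `>=` is right. A short comment would stop the next reader from "fixing" it back: `// MAX_STORAGE_VECTOR_LENGTH is a count, not an index: a vector of exactly that many elements is still valid.` The `+` is unsigned arithmetic and presumably cannot wrap only because the check runs on every iteration before matchCount grows and array->length() is itself bounded by the same constant; that reasoning is worth a word in the comment. The surrounding do/while loop and the rest of collectMatches continue outside the hunk.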
Modified: trunk/Source/_javascript_Core/runtime/RegExpPrototype.cpp (217868 => 217869)
--- trunk/Source/_javascript_Core/runtime/RegExpPrototype.cpp 2017-06-06 23:45:44 UTC (rev 217868)
+++ trunk/Source/_javascript_Core/runtime/RegExpPrototype.cpp 2017-06-07 00:28:47 UTC (rev 217869)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten ([email protected])
- * Copyright (C) 2003, 2007-2008, 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -679,7 +679,7 @@
genericSplit(
vm, regexp, input, inputSize, position, matchPosition, regExpIsSticky, regExpIsUnicode,
[&] () -> SplitControl {
- if (resultLength + dryRunCount >= MAX_STORAGE_VECTOR_LENGTH)
+ if (resultLength + dryRunCount > MAX_STORAGE_VECTOR_LENGTH)
return AbortSplit;
return ContinueSplit;
},
@@ -690,7 +690,7 @@
return ContinueSplit;
});
- if (resultLength + dryRunCount >= MAX_STORAGE_VECTOR_LENGTH) {
+ if (resultLength + dryRunCount > MAX_STORAGE_VECTOR_LENGTH) {
throwOutOfMemoryError(exec, scope);
return encodedJSValue();
}
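Review bot: The abort condition `resultLength + dryRunCount > MAX_STORAGE_VECTOR_LENGTH` is now spelled out twice, once inside the dry-run lambda and again after genericSplit returns, and this very commit had to edit both copies in lockstep. Hoisting it into one local predicate, e.g. `auto exceedsVectorLength = [&]() { return resultLength + dryRunCount > MAX_STORAGE_VECTOR_LENGTH; };`, used from both sites, would remove the risk of the two drifting apart in a future tweak. Alternatively the post-call check could consume genericSplit's AbortSplit outcome directly if it is surfaced, but the call's return value is not visible in this hunk. The enclosing regExpProtoFuncSplitFast begins and ends outside the hunk.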