Modified: trunk/JSTests/ChangeLog (224783 => 224784)
--- trunk/JSTests/ChangeLog 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/JSTests/ChangeLog 2017-11-13 22:58:04 UTC (rev 224784)
@@ -1,5 +1,15 @@
2017-11-13 Mark Lam <[email protected]>
+ Add more overflow check book-keeping for MarkedArgumentBuffer.
+ https://bugs.webkit.org/show_bug.cgi?id=179634
+ <rdar://problem/35492517>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-179634.js: Added.
+
+2017-11-13 Mark Lam <[email protected]>
+
Make the jsc shell loadGetterFromGetterSetter() function more robust.
https://bugs.webkit.org/show_bug.cgi?id=179619
<rdar://problem/35492518>
Added: trunk/JSTests/stress/regress-179634.js (0 => 224784)
--- trunk/JSTests/stress/regress-179634.js (rev 0)
+++ trunk/JSTests/stress/regress-179634.js 2017-11-13 22:58:04 UTC (rev 224784)
@@ -0,0 +1,23 @@
+function foo() {
+ return {
+ get: function () { },
+ set: Object,
+ };
+}
+
+var exception;
+try {
+ Object.defineProperties({}, {
+ 2: foo(),
+ 0: foo(),
+ 1: foo(),
+ ' ': foo(),
+ 9: foo(),
+ B: 'B',
+ });
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "TypeError: Property description must be an object.")
+ throw "FAILED";
Modified: trunk/Source/_javascript_Core/ChangeLog (224783 => 224784)
--- trunk/Source/_javascript_Core/ChangeLog 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-11-13 22:58:04 UTC (rev 224784)
@@ -1,3 +1,20 @@
+2017-11-13 Mark Lam <[email protected]>
+
+ Add more overflow check book-keeping for MarkedArgumentBuffer.
+ https://bugs.webkit.org/show_bug.cgi?id=179634
+ <rdar://problem/35492517>
+
+ Reviewed by Saam Barati.
+
+ * runtime/ArgList.h:
+ (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
+ * runtime/JSJob.cpp:
+ (JSC::JSJobMicrotask::run):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::defineProperties):
+ * runtime/ReflectObject.cpp:
+ (JSC::reflectObjectConstruct):
+
2017-11-13 Guillaume Emont <[email protected]>
[JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
Modified: trunk/Source/_javascript_Core/runtime/ArgList.h (224783 => 224784)
--- trunk/Source/_javascript_Core/runtime/ArgList.h 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/_javascript_Core/runtime/ArgList.h 2017-11-13 22:58:04 UTC (rev 224784)
@@ -125,6 +125,8 @@
return Base::hasOverflowed();
}
+ void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }
+
private:
void expandCapacity();
void expandCapacity(int newCapacity);
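Review bot: The added overflowCheckNotNeeded() has no comment stating when a caller is expected to invoke it, and the name does not convey that it disarms a check rather than performing one. Judging from the call sites in this commit (JSJob.cpp, ObjectConstructor.cpp, ReflectObject.cpp) it is meant for early-exit paths that abandon the buffer without consulting hasOverflowed(); presumably the destructor otherwise reports an unchecked overflow, but that code is outside the hunk. Suggest a comment above the method: `// Call on an early-exit path that abandons this buffer without consulting hasOverflowed(); records that the overflow check was skipped on purpose.` The enclosing class starts and ends outside the hunk.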
Modified: trunk/Source/_javascript_Core/runtime/JSJob.cpp (224783 => 224784)
--- trunk/Source/_javascript_Core/runtime/JSJob.cpp 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/_javascript_Core/runtime/JSJob.cpp 2017-11-13 22:58:04 UTC (rev 224784)
@@ -73,7 +73,7 @@
MarkedArgumentBuffer handlerArguments;
for (unsigned index = 0, length = m_arguments->length(); index < length; ++index) {
JSValue arg = m_arguments->JSArray::get(exec, index);
- CLEAR_AND_RETURN_IF_EXCEPTION(scope, void());
+ CLEAR_AND_RETURN_IF_EXCEPTION(scope, handlerArguments.overflowCheckNotNeeded());
handlerArguments.append(arg);
}
if (UNLIKELY(handlerArguments.hasOverflowed()))
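Review bot: Passing `handlerArguments.overflowCheckNotNeeded()` as the return-value argument of CLEAR_AND_RETURN_IF_EXCEPTION hides a side effect inside a macro argument and only compiles because run() returns void; the ReflectObject.cpp hunk does the same with the comma expression `(arguments.overflowCheckNotNeeded(), encodedJSValue())` at line 116, which is harder still to read. The ObjectConstructor.cpp hunk shows the clearer form: an explicit `if` block that calls overflowCheckNotNeeded() on its own line and then returns. Consider using that shape at both sites, or at least a trailing comment such as `// mark the buffer as abandoned before the early return` so the intent survives the macro. The enclosing function starts outside the hunk.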
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (224783 => 224784)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2017-11-13 22:58:04 UTC (rev 224784)
@@ -548,8 +548,10 @@
PropertyDescriptor descriptor;
bool success = toPropertyDescriptor(exec, prop, descriptor);
EXCEPTION_ASSERT(!scope.exception() || !success);
- if (UNLIKELY(!success))
+ if (UNLIKELY(!success)) {
+ markBuffer.overflowCheckNotNeeded();
return jsNull();
+ }
descriptors.append(descriptor);
// Ensure we mark all the values that we're accumulating
if (descriptor.isDataDescriptor() && descriptor.value())
Modified: trunk/Source/_javascript_Core/runtime/ReflectObject.cpp (224783 => 224784)
--- trunk/Source/_javascript_Core/runtime/ReflectObject.cpp 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/_javascript_Core/runtime/ReflectObject.cpp 2017-11-13 22:58:04 UTC (rev 224784)
@@ -120,7 +120,7 @@
arguments.append(value);
return false;
});
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ RETURN_IF_EXCEPTION(scope, (arguments.overflowCheckNotNeeded(), encodedJSValue()));
if (UNLIKELY(arguments.hasOverflowed())) {
throwOutOfMemoryError(exec, scope);
return encodedJSValue();
Modified: trunk/Source/WebKit/ChangeLog (224783 => 224784)
--- trunk/Source/WebKit/ChangeLog 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/WebKit/ChangeLog 2017-11-13 22:58:04 UTC (rev 224784)
@@ -1,3 +1,15 @@
+2017-11-13 Mark Lam <[email protected]>
+
+ Add more overflow check book-keeping for MarkedArgumentBuffer.
+ https://bugs.webkit.org/show_bug.cgi?id=179634
+ <rdar://problem/35492517>
+
+ Reviewed by Saam Barati.
+
+ * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+ (WebKit::NPJSObject::construct):
+ (WebKit::NPJSObject::invoke):
+
2017-11-13 Timothy Horton <[email protected]>
Address some post-landing review comments from r224728
Modified: trunk/Source/WebKit/WebProcess/Plugins/Netscape/NPJSObject.cpp (224783 => 224784)
--- trunk/Source/WebKit/WebProcess/Plugins/Netscape/NPJSObject.cpp 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/WebKit/WebProcess/Plugins/Netscape/NPJSObject.cpp 2017-11-13 22:58:04 UTC (rev 224784)
@@ -286,6 +286,7 @@
MarkedArgumentBuffer argumentList;
for (uint32_t i = 0; i < argumentCount; ++i)
argumentList.append(m_objectMap->convertNPVariantToJSValue(exec, m_objectMap->globalObject(), arguments[i]));
+ RELEASE_ASSERT(!argumentList.hasOverflowed());
JSValue value = JSC::construct(exec, m_jsObject.get(), constructType, constructData, argumentList);
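Review bot: `RELEASE_ASSERT(!argumentList.hasOverflowed())` turns an overflowed argument buffer into a deliberate process abort, whereas the JSC call site touched by this same commit (ReflectObject.cpp, lines 117-119) reports the same condition by throwing an out-of-memory error; argumentCount and arguments[] come from the NPAPI caller, so the list size is not under this function's control. An abort here is a controlled crash rather than memory corruption, but it is a stronger policy than the script-visible error used elsewhere and nothing records why. The same assertion is added in invoke() at line 151 and in the three NetscapePluginInstanceProxy.mm hunks (lines 178, 183, 188), where the arguments arrive via demarshalValues(). Suggest a one-line comment at each site, e.g. `// Deliberate crash on an overflowed plugin-supplied argument list; unlike the JSC call sites this path does not throw an OOM error.`, or throwing as ReflectObject.cpp does if a recoverable error is preferred. construct() starts and ends outside the hunk.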
@@ -310,6 +311,7 @@
MarkedArgumentBuffer argumentList;
for (uint32_t i = 0; i < argumentCount; ++i)
argumentList.append(m_objectMap->convertNPVariantToJSValue(exec, globalObject, arguments[i]));
+ RELEASE_ASSERT(!argumentList.hasOverflowed());
JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);
Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (224783 => 224784)
--- trunk/Source/WebKitLegacy/mac/ChangeLog 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog 2017-11-13 22:58:04 UTC (rev 224784)
@@ -1,3 +1,16 @@
+2017-11-13 Mark Lam <[email protected]>
+
+ Add more overflow check book-keeping for MarkedArgumentBuffer.
+ https://bugs.webkit.org/show_bug.cgi?id=179634
+ <rdar://problem/35492517>
+
+ Reviewed by Saam Barati.
+
+ * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
+ (WebKit::NetscapePluginInstanceProxy::invoke):
+ (WebKit::NetscapePluginInstanceProxy::invokeDefault):
+ (WebKit::NetscapePluginInstanceProxy::construct):
+
2017-11-12 Darin Adler <[email protected]>
More is<> and downcast<>, less static_cast<>
Modified: trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm (224783 => 224784)
--- trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm 2017-11-13 22:52:55 UTC (rev 224783)
+++ trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm 2017-11-13 22:58:04 UTC (rev 224784)
@@ -928,6 +928,7 @@
MarkedArgumentBuffer argList;
demarshalValues(exec, argumentsData, argumentsLength, argList);
+ RELEASE_ASSERT(!argList.hasOverflowed());
JSValue value = call(exec, function, callType, callData, object, argList);
@@ -963,6 +964,7 @@
MarkedArgumentBuffer argList;
demarshalValues(exec, argumentsData, argumentsLength, argList);
+ RELEASE_ASSERT(!argList.hasOverflowed());
JSValue value = call(exec, object, callType, callData, object, argList);
@@ -999,6 +1001,7 @@
MarkedArgumentBuffer argList;
demarshalValues(exec, argumentsData, argumentsLength, argList);
+ RELEASE_ASSERT(!argList.hasOverflowed());
JSValue value = JSC::construct(exec, object, constructType, constructData, argList);