Title: [139949] trunk/Source/_javascript_Core
- Revision
- 139949
- Author
- [email protected]
- Date
- 2013-01-16 18:32:37 -0800 (Wed, 16 Jan 2013)
Log Message
DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
https://bugs.webkit.org/show_bug.cgi?id=107081
Reviewed by Michael Saboff.
This bug led to the 32_64 backend emitting contiguous allocation code to allocate
ArrayStorage arrays. This then led to all manner of heap corruption, since
subsequent array accesses would be accessing the contiguous array "as if" it was
an arraystorage array.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (139948 => 139949)
--- trunk/Source/_javascript_Core/ChangeLog 2013-01-17 02:26:29 UTC (rev 139948)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-01-17 02:32:37 UTC (rev 139949)
@@ -1,3 +1,18 @@
+2013-01-16 Filip Pizlo <[email protected]>
+
+ DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
+ https://bugs.webkit.org/show_bug.cgi?id=107081
+
+ Reviewed by Michael Saboff.
+
+ This bug led to the 32_64 backend emitting contiguous allocation code to allocate
+ ArrayStorage arrays. This then led to all manner of heap corruption, since
+ subsequent array accesses would be accessing the contiguous array "as if" it was
+ an arraystorage array.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2013-01-16 Jonathan Liu <[email protected]>
Add missing sys/mman.h include on Mac
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (139948 => 139949)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2013-01-17 02:26:29 UTC (rev 139948)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2013-01-17 02:32:37 UTC (rev 139949)
@@ -3722,7 +3722,7 @@
case NewArrayWithSize: {
JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node.codeOrigin);
- if (!globalObject->isHavingABadTime()) {
+ if (!globalObject->isHavingABadTime() && !hasArrayStorage(node.indexingType())) {
globalObject->havingABadTimeWatchpoint()->add(speculationWatchpoint());
SpeculateStrictInt32Operand size(this, node.child1());
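Review bot: the added `!hasArrayStorage(node.indexingType())` term on the `if` correctly keeps the watchpoint registration and the contiguous fast path out of the ArrayStorage case, but the hunk's context ends before the `else` branch, so the reviewer cannot see what the fallback does when the condition is false; please confirm that the slow path reached for an ArrayStorage indexing type allocates with the matching structure and does not register the `havingABadTimeWatchpoint` either. The visible change touches only ChangeLog and DFGSpeculativeJIT32_64.cpp, with no regression test: a test that drives `NewArrayWithSize` with an ArrayStorage indexing type through the 32_64 DFG would catch this heap-corruption class if the condition regresses.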
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes