Title: [145482] trunk/Source/_javascript_Core
- Revision
- 145482
- Author
- [email protected]
- Date
- 2013-03-11 22:51:05 -0700 (Mon, 11 Mar 2013)
Log Message
Harden JSStringJoiner
https://bugs.webkit.org/show_bug.cgi?id=112093
Reviewed by Filip Pizlo.
Harden JSStringJoiner, make it use our CheckedArithmetic
class to simplify everything.
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::build):
* runtime/JSStringJoiner.h:
(JSStringJoiner):
(JSC::JSStringJoiner::JSStringJoiner):
(JSC::JSStringJoiner::append):
Modified: trunk/Source/_javascript_Core/ChangeLog (145481 => 145482)
--- trunk/Source/_javascript_Core/ChangeLog 2013-03-12 05:45:19 UTC (rev 145481)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-03-12 05:51:05 UTC (rev 145482)
@@ -1,3 +1,20 @@
+2013-03-11 Oliver Hunt <[email protected]>
+
+ Harden JSStringJoiner
+ https://bugs.webkit.org/show_bug.cgi?id=112093
+
+ Reviewed by Filip Pizlo.
+
+ Harden JSStringJoiner, make it use our CheckedArithmetic
+ class to simplify everything.
+
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::build):
+ * runtime/JSStringJoiner.h:
+ (JSStringJoiner):
+ (JSC::JSStringJoiner::JSStringJoiner):
+ (JSC::JSStringJoiner::append):
+
2013-03-11 Michael Saboff <[email protected]>
Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
Modified: trunk/Source/_javascript_Core/runtime/JSStringJoiner.cpp (145481 => 145482)
--- trunk/Source/_javascript_Core/runtime/JSStringJoiner.cpp 2013-03-12 05:45:19 UTC (rev 145481)
+++ trunk/Source/_javascript_Core/runtime/JSStringJoiner.cpp 2013-03-12 05:51:05 UTC (rev 145482)
@@ -102,20 +102,24 @@
if (!m_strings.size())
return jsEmptyString(exec);
- size_t separatorLength = m_separator.length();
+ Checked<size_t, RecordOverflow> separatorLength = m_separator.length();
// FIXME: add special cases of joinStrings() for (separatorLength == 0) and (separatorLength == 1).
ASSERT(m_strings.size() > 0);
- size_t totalSeparactorsLength = separatorLength * (m_strings.size() - 1);
- size_t outputStringSize = totalSeparactorsLength + m_cumulatedStringsLength;
+ Checked<size_t, RecordOverflow> totalSeparactorsLength = separatorLength * (m_strings.size() - 1);
+ Checked<size_t, RecordOverflow> outputStringSize = totalSeparactorsLength + m_accumulatedStringsLength;
+ size_t finalSize;
+ if (outputStringSize.safeGet(finalSize))
+ return throwOutOfMemoryError(exec);
+
if (!outputStringSize)
return jsEmptyString(exec);
RefPtr<StringImpl> outputStringImpl;
if (m_is8Bits)
- outputStringImpl = joinStrings<LChar>(m_strings, m_separator, outputStringSize);
+ outputStringImpl = joinStrings<LChar>(m_strings, m_separator, finalSize);
else
- outputStringImpl = joinStrings<UChar>(m_strings, m_separator, outputStringSize);
+ outputStringImpl = joinStrings<UChar>(m_strings, m_separator, finalSize);
if (!outputStringImpl)
return throwOutOfMemoryError(exec);
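Review bot: The empty-output test `if (!outputStringSize)` still goes through the Checked wrapper after the overflow case has already been handled on the lines above; reading the extracted value instead, `if (!finalSize)`, says what is meant and does not make a reader check how Checked's `operator!` behaves on an overflowed value (unreachable here, but not obviously so). While that line is being touched, the long-standing misspelling on the new `Checked<size_t, RecordOverflow> totalSeparactorsLength` line could become `totalSeparatorsLength`. The overflow-to-OOM path looks right assuming WTF's `safeGet` returns true when an overflow was recorded, which I believe is its contract. build() begins before and continues past this hunk.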
Modified: trunk/Source/_javascript_Core/runtime/JSStringJoiner.h (145481 => 145482)
--- trunk/Source/_javascript_Core/runtime/JSStringJoiner.h 2013-03-12 05:45:19 UTC (rev 145481)
+++ trunk/Source/_javascript_Core/runtime/JSStringJoiner.h 2013-03-12 05:51:05 UTC (rev 145482)
@@ -46,14 +46,13 @@
String m_separator;
Vector<String> m_strings;
- unsigned m_cumulatedStringsLength;
+ Checked<unsigned, RecordOverflow> m_accumulatedStringsLength;
bool m_isValid;
bool m_is8Bits;
};
inline JSStringJoiner::JSStringJoiner(const String& separator, size_t stringCount)
: m_separator(separator)
- , m_cumulatedStringsLength(0)
, m_isValid(true)
, m_is8Bits(m_separator.is8Bit())
{
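Review bot: Removing `m_cumulatedStringsLength(0)` from the initializer list leaves the counter's starting value to Checked's default constructor; if WTF's Checked default-constructs to zero with no overflow recorded (I believe it does) this is fine, but what was explicit is now implicit. A comment on the new member would make the contract visible: `// Sum of the lengths of all appended strings; overflow is recorded here and reported from build().` The member is `Checked<unsigned>` while build() does its arithmetic in `Checked<size_t>`, so on 64-bit targets the 32-bit counter is the limit that actually trips first — worth stating in the same comment if that is the intent. The constructor body continues past the hunk.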
@@ -66,9 +65,9 @@
if (!m_isValid)
return;
- m_strings.uncheckedAppend(str);
+ m_strings.append(str);
if (!str.isNull()) {
- m_cumulatedStringsLength += str.length();
+ m_accumulatedStringsLength += str.length();
m_is8Bits = m_is8Bits && str.is8Bit();
}
}
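Review bot: `m_accumulatedStringsLength += str.length()` records an overflow but nothing in append() reacts to it; later calls keep pushing into `m_strings` and the error only surfaces when build() throws. That deferral is sound as long as every caller reaches build(), and it deserves a comment at the `+=`: `// Overflow is recorded, not acted on: build() throws an out-of-memory error before any buffer is sized from this value.` Switching `uncheckedAppend` to `append` also drops the reliance on whatever capacity the constructor reserves, which is the safer default; a one-line note would stop someone reintroducing `uncheckedAppend` for speed. append()'s signature is outside the hunk.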