[webkit-changes] [154633] trunk

[mhahnenberg]

Title: [154633] trunk

Revision

154633

Author

mhahnenb...@apple.com

Date

2013-08-26 13:29:06 -0700 (Mon, 26 Aug 2013)

Log Message

JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

Source/_javascript_Core: 

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

LayoutTests: 

* fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
* fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
* fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSObject.cpp

Added Paths

• trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt
• trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html
• trunk/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js

Diff

Modified: trunk/LayoutTests/ChangeLog (154632 => 154633)

--- trunk/LayoutTests/ChangeLog	2013-08-26 20:09:11 UTC (rev 154632)
+++ trunk/LayoutTests/ChangeLog	2013-08-26 20:29:06 UTC (rev 154633)
@@ -1,3 +1,14 @@
+2013-08-26  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
+        https://bugs.webkit.org/show_bug.cgi?id=120278
+
+        Reviewed by Geoffrey Garen.
+
+        * fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
+        * fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
+        * fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.
+
 2013-08-24  Sam Weinig  <s...@webkit.org>
 
         Add support for Promises

Added: trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt (0 => 154633)

--- trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt	2013-08-26 20:29:06 UTC (rev 154633)
@@ -0,0 +1,10 @@
+Make sure we don't crash when doing a put-direct-index beyond the vector length of a normal JSObject.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS o[0] is "foo"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html (0 => 154633)

--- trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html	2013-08-26 20:29:06 UTC (rev 154633)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js (0 => 154633)

--- trunk/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js	2013-08-26 20:29:06 UTC (rev 154633)
@@ -0,0 +1,8 @@
+description(
+"Make sure we don't crash when doing a put-direct-index beyond the vector length of a normal JSObject."
+);
+
+var o = {};
+for (var i = 0; i < 100005; i += 3)
+    Object.defineProperty(o, i, {enumerable:true, writable:true, configurable:true, value:"foo"});
+shouldBe("o[0]", "\"foo\""); 

Modified: trunk/Source/_javascript_Core/ChangeLog (154632 => 154633)

--- trunk/Source/_javascript_Core/ChangeLog	2013-08-26 20:09:11 UTC (rev 154632)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-26 20:29:06 UTC (rev 154633)
@@ -1,3 +1,13 @@
+2013-08-25  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
+        https://bugs.webkit.org/show_bug.cgi?id=120278
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+
 2013-08-26  Filip Pizlo  <fpi...@apple.com>
 
         Fix indention of Executable.h.

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (154632 => 154633)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2013-08-26 20:09:11 UTC (rev 154632)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2013-08-26 20:29:06 UTC (rev 154633)
@@ -2057,8 +2057,8 @@
         if (LIKELY(
                 !attributes
                 && (isDenseEnoughForVector(i, storage->m_numValuesInVector))
-                && increaseVectorLength(vm, i + 1)
-                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))) {
+                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))
+                && increaseVectorLength(vm, i + 1)) {
             // success! - reread m_storage since it has likely been reallocated, and store to the vector.
             storage = arrayStorage();
             storage->m_vector[i].set(vm, this, value);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes