Title: [174122] trunk/Source/_javascript_Core
Revision
174122
Author
[email protected]
Date
2014-09-30 14:05:08 -0700 (Tue, 30 Sep 2014)

Log Message

Label some asserts as having security implications.
<https://webkit.org/b/137260>

Reviewed by Filip Pizlo.

* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::handleAssertionFailure):
* runtime/JSCell.h:
(JSC::jsCast):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::get):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (174121 => 174122)


--- trunk/Source/_javascript_Core/ChangeLog	2014-09-30 21:02:47 UTC (rev 174121)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-09-30 21:05:08 UTC (rev 174122)
@@ -1,3 +1,17 @@
+2014-09-30  Mark Lam  <[email protected]>
+
+        Label some asserts as having security implications.
+        <https://webkit.org/b/137260>
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::handleAssertionFailure):
+        * runtime/JSCell.h:
+        (JSC::jsCast):
+        * runtime/StructureIDTable.h:
+        (JSC::StructureIDTable::get):
+
 2014-09-30  Filip Pizlo  <[email protected]>
 
         REGRESSION (r174025): Invalid cast in JSC::asString

Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (174121 => 174122)


--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2014-09-30 21:02:47 UTC (rev 174121)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2014-09-30 21:05:08 UTC (rev 174122)
@@ -1228,7 +1228,7 @@
     dataLog("\n");
     dataLog("DFG ASSERTION FAILED: ", assertion, "\n");
     dataLog(file, "(", line, ") : ", function, "\n");
-    CRASH();
+    CRASH_WITH_SECURITY_IMPLICATION();
 }
 
 } } // namespace JSC::DFG
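Review bot: Every assertion failure routed through `handleAssertionFailure` is now classified as security-relevant, regardless of which graph invariant failed, and nothing at the crash site says why. A short comment above the call would keep the blanket classification from being narrowed or reverted by accident, e.g. `// A broken DFG invariant may mean code was generated from an inconsistent graph; treat as security-relevant.` That rationale is inferred from the commit title rather than stated in the hunk, so the author should confirm the wording. The function's signature and the start of its body are outside the hunk.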

Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (174121 => 174122)


--- trunk/Source/_javascript_Core/runtime/JSCell.h	2014-09-30 21:02:47 UTC (rev 174121)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h	2014-09-30 21:05:08 UTC (rev 174122)
@@ -234,14 +234,14 @@
 template<typename To, typename From>
 inline To jsCast(From* from)
 {
-    ASSERT(!from || from->JSCell::inherits(std::remove_pointer<To>::type::info()));
+    ASSERT_WITH_SECURITY_IMPLICATION(!from || from->JSCell::inherits(std::remove_pointer<To>::type::info()));
     return static_cast<To>(from);
 }
     
 template<typename To>
 inline To jsCast(JSValue from)
 {
-    ASSERT(from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()));
+    ASSERT_WITH_SECURITY_IMPLICATION(from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()));
     return static_cast<To>(from.asCell());
 }
 
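Review bot: Both `jsCast` overloads still run `static_cast<To>` unconditionally after the relabelled assertion, so the check only protects builds where `ASSERT_WITH_SECURITY_IMPLICATION` is compiled in. The macro's definition is not visible here, but if it expands to nothing in release builds as plain `ASSERT` does, a wrong-typed cell turns into a type confusion at the call site. The same caveat applies to the index check in `StructureIDTable::get` in the last file section. I would state the contract above the first overload, e.g. `// The inherits() check is assertion-only; callers must have established the dynamic type before casting.` The same comment could note that the pointer overload accepts null while the `JSValue` overload requires a cell.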

Modified: trunk/Source/_javascript_Core/runtime/StructureIDTable.h (174121 => 174122)


--- trunk/Source/_javascript_Core/runtime/StructureIDTable.h	2014-09-30 21:02:47 UTC (rev 174121)
+++ trunk/Source/_javascript_Core/runtime/StructureIDTable.h	2014-09-30 21:05:08 UTC (rev 174122)
@@ -83,7 +83,7 @@
 inline Structure* StructureIDTable::get(StructureID structureID)
 {
 #if USE(JSVALUE64)
-    ASSERT(structureID && structureID < m_capacity);
+    ASSERT_WITH_SECURITY_IMPLICATION(structureID && structureID < m_capacity);
     return table()[structureID].structure;
 #else
     return structureID;
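Review bot: The relabelled assertion only bounds `structureID` by `m_capacity`, so an index inside the allocated range that does not refer to a live entry would still pass and `table()[structureID].structure` would be returned. Whether such an index can arise depends on table code outside this hunk. A comment on the assertion would make that limit explicit, e.g. `// Range check only; does not verify that the slot currently holds a live Structure.` The `#else` branch returns `structureID` with no assertion at all, which is presumably intentional if the ID is the pointer itself on that configuration, but is worth a one-line comment too. The function body continues past the end of the hunk.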