Title: [198478] trunk/Source/_javascript_Core
Revision
198478
Author
[email protected]
Date
2016-03-20 16:08:51 -0700 (Sun, 20 Mar 2016)

Log Message

Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
https://bugs.webkit.org/show_bug.cgi?id=155679

Reviewed by Saam Barati.

Allocate the out-of-line property storage that the Structure reports (Structure::outOfLineCapacity())
instead of hard-coding zero in JSArray::tryCreateUninitialized, so the butterfly is large enough
for the properties the structure already accounts for.

* runtime/JSArray.h:
(JSC::JSArray::tryCreateUninitialized):


Modified: trunk/Source/_javascript_Core/ChangeLog (198477 => 198478)


--- trunk/Source/_javascript_Core/ChangeLog	2016-03-20 22:42:32 UTC (rev 198477)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-03-20 23:08:51 UTC (rev 198478)
@@ -1,3 +1,16 @@
+2016-03-20  Michael Saboff  <[email protected]>
+
+        Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time
+        https://bugs.webkit.org/show_bug.cgi?id=155679
+
+        Reviewed by Saam Barati.
+
+        Allocate out of line storage based on what the structure says it needs
+        in JSArray::tryCreateUninitialized.
+
+        * runtime/JSArray.h:
+        (JSC::JSArray::tryCreateUninitialized):
+
 2016-03-20  Joseph Pecoraro  <[email protected]>
 
         Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker

Modified: trunk/Source/_javascript_Core/runtime/JSArray.h (198477 => 198478)


--- trunk/Source/_javascript_Core/runtime/JSArray.h	2016-03-20 22:42:32 UTC (rev 198477)
+++ trunk/Source/_javascript_Core/runtime/JSArray.h	2016-03-20 23:08:51 UTC (rev 198478)
@@ -239,7 +239,9 @@
     unsigned vectorLength = std::max(BASE_VECTOR_LEN, initialLength);
     if (vectorLength > MAX_STORAGE_VECTOR_LENGTH)
         return 0;
-        
+
+    unsigned outOfLineStorage = structure->outOfLineCapacity();
+
     Butterfly* butterfly;
     if (LIKELY(!hasAnyArrayStorage(structure->indexingType()))) {
         ASSERT(
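Review bot: The new local on L60 is the whole fix, yet nothing at the declaration says why the capacity must be taken from the structure rather than passed as zero, and the value is never modified afterwards, so it can be `const`. I would write `// The butterfly must reserve the out-of-line property slots the Structure already reports; allocating with 0 here while outOfLineCapacity() is nonzero lets later property stores run past the allocation (webkit.org/b/155679).` above `const unsigned outOfLineStorage = structure->outOfLineCapacity();`. The enclosing tryCreateUninitialized starts before this hunk, so I cannot see whether `structure` is checked for null earlier; the existing `structure->indexingType()` call on L63 suggests it is assumed valid.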
@@ -249,9 +251,9 @@
             || hasContiguous(structure->indexingType()));
 
         void* temp;
-        if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, 0, true, vectorLength * sizeof(EncodedJSValue)), &temp))
+        if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)), &temp))
             return 0;
-        butterfly = Butterfly::fromBase(temp, 0, 0);
+        butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
         butterfly->setVectorLength(vectorLength);
         butterfly->setPublicLength(initialLength);
         if (hasDouble(structure->indexingType())) {
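Review bot: The `outOfLineStorage` slots now reserved by the totalSize call on L70 and positioned by `Butterfly::fromBase` on L73 receive no initialization in this hunk; the code only writes the vector length and public length (L74-L75). I cannot tell from this page whether `tryAllocateStorage` zeroes the memory it returns, but if it does not and the structure already reports used out-of-line properties, a collection that visits the butterfly before the caller stores into those slots would read uninitialized words. Either clear the `outOfLineStorage` slots right after `Butterfly::fromBase` (the same spot where the indexing header is filled in), or add a comment such as `// Out-of-line property slots are left uninitialized; the caller must store every property the structure reports before the object becomes GC-visible.` so the contract implied by the function's name is explicit for the array-storage path too.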
@@ -260,9 +262,9 @@
         }
     } else {
         void* temp;
-        if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, 0, true, ArrayStorage::sizeFor(vectorLength)), &temp))
+        if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)), &temp))
             return 0;
-        butterfly = Butterfly::fromBase(temp, 0, 0);
+        butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
         *butterfly->indexingHeader() = indexingHeaderForArray(initialLength, vectorLength);
         ArrayStorage* storage = butterfly->arrayStorage();
         storage->m_indexBias = 0;