Timestamp:
Dec 13, 2011, 3:17:43 PM (13 years ago)
Author:
[email protected]
Message:

Arguments object doesn't handle mutation of length property correctly
https://bugs.webkit.org/show_bug.cgi?id=74454

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Correct handling of arguments objects with overridden length property

  • interpreter/Interpreter.cpp:

(JSC::loadVarargs):

  • runtime/Arguments.cpp:

(JSC::Arguments::copyToArguments):
(JSC::Arguments::fillArgList):

LayoutTests:

Add tests of mutated arguments.length

  • fast/js/arguments-expected.txt:
  • fast/js/script-tests/arguments.js:

(argumentLengthIs5):
(duplicateArgumentAndReturnLast_call):
(duplicateArgumentAndReturnFirst_call):
(duplicateArgumentAndReturnLast_apply):
(duplicateArgumentAndReturnFirst_apply):

File:
1 edited

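--- a/trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -496,5 +496,5 @@
         Arguments* argsObject = asArguments(arguments);
         unsigned argCount = argsObject->length(callFrame);
-        CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + argCount + 1 + RegisterFile::CallFrameHeaderSize);
+        CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + CallFrame::offsetFor(argCount + 1));
         if (argCount > Arguments::MaxArguments || !registerFile->grow(newCallFrame->registers())) {
             callFrame->globalData().exception = createStackOverflowError(callFrame);
@@ -510,5 +510,5 @@
         JSArray* array = asArray(arguments);
         unsigned argCount = array->length();
-        CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + argCount + 1 + RegisterFile::CallFrameHeaderSize);
+        CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + CallFrame::offsetFor(argCount + 1));
         if (argCount > Arguments::MaxArguments || !registerFile->grow(newCallFrame->registers())) {
             callFrame->globalData().exception = createStackOverflowError(callFrame);
@@ -523,5 +523,5 @@
     JSObject* argObject = asObject(arguments);
     unsigned argCount = argObject->get(callFrame, callFrame->propertyNames().length).toUInt32(callFrame);
-    CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + argCount + 1 + RegisterFile::CallFrameHeaderSize);
+    CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + CallFrame::offsetFor(argCount + 1));
     if (argCount > Arguments::MaxArguments || !registerFile->grow(newCallFrame->registers())) {
         callFrame->globalData().exception = createStackOverflowError(callFrame);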
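Review bot: The new-frame address is still computed before argCount is validated: in the third hunk argCount comes from `argObject->get(..., length).toUInt32(callFrame)`, i.e. any uint32 a script chooses, and `CallFrame::offsetFor(argCount + 1)` is evaluated on that unchecked value before the `argCount > Arguments::MaxArguments` test on the following line rejects it (the `||` short-circuit keeps `registerFile->grow` from seeing the bad pointer, but the out-of-range pointer is still formed). The same ordering appears in the first two hunks (lines 498 and 512). Hoisting the `argCount > Arguments::MaxArguments` check above the `CallFrame::create(...)` line in each of the three sites, with the existing `createStackOverflowError` path as its body, keeps the address arithmetic on values the bound has already accepted, and a one-line comment such as `// argCount is script-controlled; validate before any frame arithmetic` at the third site would document why the order matters. The enclosing function (loadVarargs per the commit message) starts and ends outside the hunks, so what follows the exception assignment is not visible here.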