Context Navigation

FTLOperations.cpp

Timestamp:

Mar 16, 2017, 2:53:33 PM (8 years ago)

Author:

Message:

The new array with spread operation needs to check for length overflows.
https://bugs.webkit.org/show_bug.cgi?id=169780
<rdar://problem/31072182>

Reviewed by Filip Pizlo.

(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):

(JSC::FTL::operationMaterializeObjectInOSR):

(JSC::SLOW_PATH_DECL):

File:

-              r214040
+              r214071
 /*
  * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
         Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
         unsigned arraySize = 0;
+        Checked<unsigned, RecordOverflow> checkedArraySize = 0;
         unsigned numProperties = 0;
         for (unsigned i = materialization->properties().size(); i--;) {
 …
                 JSValue value = JSValue::decode(values[i]);
                 if (JSFixedArray* fixedArray = jsDynamicCast<JSFixedArray*>(vm, value))
                     arraySize += fixedArray->size();
+                    checkedArraySize += fixedArray->size();
                 else
+                    arraySize += 1;
+            }
+        }
+                    checkedArraySize += 1;
+            }
+        }
+        unsigned arraySize = checkedArraySize.unsafeGet(); // Crashes if overflowed.
         JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
         RELEASE_ASSERT(result);

Note: See TracChangeset for help on using the changeset viewer.