Changeset 214313 in webkit for trunk/Source/JavaScriptCore/ftl


Timestamp: Mar 23, 2017, 1:31:18 PM (8 years ago)
Author: [email protected]
Message:

Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
https://bugs.webkit.org/show_bug.cgi?id=169783

Reviewed by Saam Barati.

JSTests:

  • stress/regress-169783.js: Added.

Source/JavaScriptCore:

Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
succeeds.

  • dfg/DFGOperations.cpp:
  • ftl/FTLOperations.cpp:

(JSC::FTL::operationMaterializeObjectInOSR):

  • runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncSplice):

  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

  • runtime/JSArray.cpp:

(JSC::JSArray::tryCreateForInitializationPrivate):
(JSC::JSArray::fastSlice):

  • runtime/JSArray.h:

(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):

  • runtime/RegExpMatchesArray.cpp:

(JSC::createEmptyRegExpMatchesArray):

  • runtime/RegExpMatchesArray.h:

(JSC::createRegExpMatchesArray):

File: 1 edited

  • trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

    r214071 r214313  
    364364            ASSERT(argumentCount > 0);
    365365            unsigned arraySize = (argumentCount - 1) > numberOfArgumentsToSkip ? argumentCount - 1 - numberOfArgumentsToSkip : 0;
     366
     367            // FIXME: we should throw an out of memory error here if tryCreateForInitializationPrivate() fails.
     368            // https://bugs.webkit.org/show_bug.cgi?id=169784
    366369            JSArray* array = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
    367370            RELEASE_ASSERT(array);
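Review bot: The FIXME added at new lines 367-368 changes no behaviour in this hunk; an allocation failure in tryCreateForInitializationPrivate() at line 369 still lands on the unchanged RELEASE_ASSERT(array) at line 370, which is the "or RELEASE_ASSERT" option the commit message allows. Since the comment says an OutOfMemoryError "should" be thrown, it would help a later reader to state in the same FIXME that the RELEASE_ASSERT is the intended interim handling (a deliberate crash rather than a missing check), so the comment is not mistaken for an unguarded null dereference that was overlooked.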
     
    453456        }
    454457
     458        // FIXME: we should throw an out of memory error here if checkedArraySize has hasOverflowed() or tryCreateForInitializationPrivate() fails.
     459        // https://bugs.webkit.org/show_bug.cgi?id=169784
    455460        unsigned arraySize = checkedArraySize.unsafeGet(); // Crashes if overflowed.
    456461        JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
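Review bot: The FIXME at new lines 458-459 names two failure modes, checkedArraySize.hasOverflowed() and a null return from tryCreateForInitializationPrivate(), but only the overflow case is visibly handled in this hunk (unsafeGet() at line 460 crashes on overflow, per its trailing comment); the context stops at the allocation on line 461, so whether `result` is RELEASE_ASSERTed or null-checked on the next line cannot be seen here. Given the bug title, please confirm the line after 461 checks `result`; otherwise this file still relies on the callee-side behaviour the changeset is removing. As the FIXME itself suggests, testing checkedArraySize.hasOverflowed() before the unsafeGet() call and throwing would also replace a crash with a catchable error.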