Changeset 218977 in webkit for trunk/Source/JavaScriptCore/runtime/JSArray.cpp

Timestamp:

Jun 29, 2017, 5:58:18 PM (8 years ago)

Author:

[email protected]

Message:

Calculating postCapacity in unshiftCountSlowCase is wrong
​https://bugs.webkit.org/show_bug.cgi?id=173992
<rdar://problem/32283199>

Reviewed by Keith Miller.

JSTests:

• stress/unshiftCountSlowCase-correct-postCapacity.js: Added.

(temp):

Source/JavaScriptCore:

This patch fixes a bug inside unshiftCountSlowCase where we would use
more memory than we allocated. The bug was when deciding how much extra
space we have after the vector we've allocated. This area is called the
postCapacity. The largest legal postCapacity value we could use is the
space we allocated minus the space we need:
largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
However, the code was calculating the postCapacity as:
postCapacity = max(newStorageCapacity - requiredVectorLength, count);

where count is how many elements we're appending. Depending on the inputs,
count could be larger than (newStorageCapacity - requiredVectorLength). This
would cause us to use more memory than we actually allocated.

• runtime/JSArray.cpp:

(JSC::JSArray::unshiftCountSlowCase):

File:

• trunk/Source/JavaScriptCore/runtime/JSArray.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -378 +378 @@
     unsigned postCapacity = 0;
     if (!addToFront)
-        postCapacity = max(newStorageCapacity - requiredVectorLength, count);
+        postCapacity = newStorageCapacity - requiredVectorLength;
     else if (length < storage->vectorLength()) {
         // Atomic decay, + the post-capacity cannot be greater than what is available.
@@ -387 +387 @@
 
     unsigned newVectorLength = requiredVectorLength + postCapacity;
+    RELEASE_ASSERT(newVectorLength <= MAX_STORAGE_VECTOR_LENGTH);
     unsigned newIndexBias = newStorageCapacity - newVectorLength;