Changeset 224055 in webkit for trunk/Source/JavaScriptCore/runtime/JSString.cpp

Timestamp:

Oct 26, 2017, 3:36:04 PM (8 years ago)

Author:

[email protected]

Message:

JSRopeString::RopeBuilder::append() should check for overflows.
​https://bugs.webkit.org/show_bug.cgi?id=178385
<rdar://problem/35027468>

Reviewed by Saam Barati.

JSTests:

• stress/regress-178385.js: Added.

Source/JavaScriptCore:

1. Made RopeString check for overflow like the Checked class does.
2. Added a missing overflow check in objectProtoFuncToString().

• runtime/JSString.cpp:

(JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
(JSC::JSRopeString::RopeBuilder::expand): Deleted.

• runtime/JSString.h:
• runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncToString):

• runtime/Operations.h:

(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):

Source/WTF:

• wtf/CheckedArithmetic.h:

File:

• trunk/Source/JavaScriptCore/runtime/JSString.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -41 +41 @@
 }
 
-void JSRopeString::RopeBuilder::expand()
-{
+template<>
+void JSRopeString::RopeBuilder<RecordOverflow>::expand()
+{
+    RELEASE_ASSERT(!this->hasOverflowed());
     ASSERT(m_index == JSRopeString::s_maxInternalRopeLength);
     JSString* jsString = m_jsString;
-    RELEASE_ASSERT(jsString);
     m_jsString = jsStringBuilder(&m_vm);
     m_index = 0;