Ignore:
Timestamp:
Jul 7, 2020, 9:36:49 PM (5 years ago)
Author:
[email protected]
Message:

[JSC] BytecodeGenerator should be robust against failed constant generation
https://bugs.webkit.org/show_bug.cgi?id=214062
<rdar://problem/65117916>

Reviewed by Saam Barati.

JSTests:

  • stress/bigint-oom-in-codegen-array-literal-context.js: Added.

(shouldThrow):
(test):

  • stress/bigint-oom-in-codegen-binary-conditional-context.js: Added.

(shouldThrow):
(test):

  • stress/bigint-oom-in-codegen-conditional-context.js: Added.

(shouldThrow):
(test):

Source/JavaScriptCore:

Some code in NodesCodegen.cpp assumes jsValue(generator) call for constant nodes must succeed.
But this can fail when BigInt in source code is too large and becomes OOM. BytecodeGenerator should
be robust against BigInt OOM.

  • bytecompiler/NodesCodegen.cpp:

(JSC::ConstantNode::emitBytecodeInConditionContext):
(JSC::ArrayNode::emitBytecode):
(JSC::BinaryOpNode::tryFoldToBranch):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r263035 r264059  
    9999void ConstantNode::emitBytecodeInConditionContext(BytecodeGenerator& generator, Label& trueTarget, Label& falseTarget, FallThroughMode fallThroughMode)
    100100{
    101     TriState value = jsValue(generator).pureToBoolean();
     101    TriState value = TriState::Indeterminate;
     102    JSValue constant = jsValue(generator);
     103    if (LIKELY(constant))
     104        value = constant.pureToBoolean();
    102105
    103106    if (UNLIKELY(needsDebugHook())) {
     
    411414        if (!firstPutElement->value()->isConstant())
    412415            hadVariableExpression = true;
    413         else
    414             recommendedIndexingType = leastUpperBoundOfIndexingTypeAndValue(recommendedIndexingType, static_cast<ConstantNode*>(firstPutElement->value())->jsValue(generator));
     416        else {
     417            JSValue constant = static_cast<ConstantNode*>(firstPutElement->value())->jsValue(generator);
     418            if (UNLIKELY(!constant))
     419                hadVariableExpression = true;
     420            else
     421                recommendedIndexingType = leastUpperBoundOfIndexingTypeAndValue(recommendedIndexingType, constant);
     422        }
    415423
    416424        ++length;
     
    425433            for (ElementNode* element = elements; index < length; element = element->next()) {
    426434                ASSERT(element->value()->isConstant());
    427                 array->setIndex(generator.vm(), index++, static_cast<ConstantNode*>(element->value())->jsValue(generator));
     435                JSValue constant = static_cast<ConstantNode*>(element->value())->jsValue(generator);
     436                ASSERT(constant);
     437                array->setIndex(generator.vm(), index++, constant);
    428438            }
    429439            return generator.emitNewArrayBuffer(dst, array, recommendedIndexingType);
     
    27042714    OpcodeID opcodeID = this->opcodeID();
    27052715    JSValue value = constant->jsValue(generator);
     2716    if (UNLIKELY(!value))
     2717        return;
    27062718    bool canFoldToBranch = JSC::canFoldToBranch(opcodeID, branchExpression, value);
    27072719    if (!canFoldToBranch)
Note: See TracChangeset for help on using the changeset viewer.