Changeset 51933 in webkit for trunk/JavaScriptCore
- Timestamp:
- Dec 9, 2009, 5:44:20 PM (15 years ago)
- Location:
- trunk/JavaScriptCore
- Files:
-
- 4 edited
trunk/JavaScriptCore/ChangeLog
r51928 r51933 1 2009-12-09 Gavin Barraclough <[email protected]> 2 3 Reviewed by Oliver Hunt. 4 5 https://bugs.webkit.org/show_bug.cgi?id=32228 6 Make destruction of ropes non-recursive to prevent stack exhaustion. 7 Also, pass a UString& into initializeFiber rather than a Ustring::Rep*, 8 since the Rep is not being ref counted this could result in usage of a 9 Rep with refcount zero (where the Rep comes from a temporary UString 10 returned from a function). 11 12 * runtime/JSString.cpp: 13 (JSC::JSString::Rope::destructNonRecursive): 14 (JSC::JSString::Rope::~Rope): 15 * runtime/JSString.h: 16 (JSC::JSString::Rope::initializeFiber): 17 * runtime/Operations.h: 18 (JSC::concatenateStrings): 19 1 20 2009-12-09 Zoltan Herczeg <[email protected]> 2 21 -
trunk/JavaScriptCore/runtime/JSString.cpp
r51801 r51933 32 32 namespace JSC { 33 33 34 void JSString::Rope::destructNonRecursive() 35 { 36 Vector<Rope*, 32> workQueue; 37 Rope* rope = this; 38 39 while (true) { 40 unsigned length = rope->ropeLength(); 41 for (unsigned i = 0; i < length; ++i) { 42 Fiber& fiber = rope->fibers(i); 43 if (fiber.isString()) 44 fiber.string()->deref(); 45 else { 46 Rope* nextRope = fiber.rope(); 47 if (nextRope->hasOneRef()) 48 workQueue.append(nextRope); 49 else 50 nextRope->deref(); 51 } 52 } 53 if (rope != this) 54 fastFree(rope); 55 56 if (workQueue.isEmpty()) 57 return; 58 59 rope = workQueue.last(); 60 workQueue.removeLast(); 61 } 62 } 63 34 64 JSString::Rope::~Rope() 35 65 { 36 for (unsigned i = 0; i < m_ropeLength; ++i) { 37 Fiber& fiber = m_fibers[i]; 38 if (fiber.isRope()) 39 fiber.rope()->deref(); 40 else 41 fiber.string()->deref(); 42 fiber = Fiber(reinterpret_cast<UString::Rep*>(0xfeedbeee)); 43 } 66 destructNonRecursive(); 44 67 } 45 68 -
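Review bot: The rewritten `~Rope` path in `destructNonRecursive()` no longer overwrites each released fiber with the `0xfeedbeee` poison value that the removed loop wrote, so a stale fiber read after destruction now sees a plausible pointer instead of an obvious sentinel. If that poisoning was meant as a use-after-free tripwire, keep it by restoring `fiber = Fiber(reinterpret_cast<UString::Rep*>(0xfeedbeee));` after the fiber's reference is dropped. The `hasOneRef()` branch also deserves a comment, since it frees child ropes with a raw `fastFree(rope)` rather than `deref()`: `// Last reference: queue the rope and fastFree() it once its fibers are released; deref() here would re-enter ~Rope and recurse.` That shortcut is only sound while a Rope is allocated from the matching fastMalloc path and owns nothing beyond its fibers, which cannot be confirmed from this section.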
trunk/JavaScriptCore/runtime/JSString.h
r51801 r51933 96 96 97 97 ~Rope(); 98 99 void initializeFiber(unsigned index, UString::Rep* string) 98 void destructNonRecursive(); 99 100 void initializeFiber(unsigned index, const UString& string) 100 101 { 101 string->ref(); 102 m_fibers[index] = Fiber(string); 103 m_stringLength += string->len; 102 UString::Rep* rep = string.rep(); 103 rep->ref(); 104 m_fibers[index] = Fiber(rep); 105 m_stringLength += rep->len; 104 106 } 105 107 void initializeFiber(unsigned index, Rope* rope) … … 114 116 initializeFiber(index, jsString->rope()); 115 117 else 116 initializeFiber(index, jsString->string() .rep());118 initializeFiber(index, jsString->string()); 117 119 } 118 120 -
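Review bot: `initializeFiber(unsigned index, const UString& string)` carries no comment explaining why it takes the UString rather than its Rep, and the ChangeLog is the only place the lifetime reason is recorded. Add `// Takes the UString itself so the Rep is ref'd while the caller's (possibly temporary) UString still owns it; do not reintroduce a Rep* overload.` above the overload. Neither overload checks `index` before writing `m_fibers[index]`; if callers are not already guaranteed to stay in range, `ASSERT(index < m_ropeLength);` as the first statement would catch an out-of-bounds fiber write in debug builds. The enclosing Rope class begins and ends outside the lines shown here.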
trunk/JavaScriptCore/runtime/Operations.h
r51801 r51933 318 318 rope->initializeFiber(i, asString(v)); 319 319 else 320 rope->initializeFiber(i, v.toString(callFrame) .rep());320 rope->initializeFiber(i, v.toString(callFrame)); 321 321 } 322 322