Changeset 62432 in webkit for trunk/JavaScriptCore/runtime/JSArray.cpp

Timestamp:

Jul 2, 2010, 9:52:45 PM (15 years ago)

Author:

[email protected]

Message:

Clamp the number of arguments supported by function.apply
​https://bugs.webkit.org/show_bug.cgi?id=41351
<rdar://problem/8142141>

Reviewed by Gavin Barraclough.

JavaScriptCore:

Add clamping logic to function.apply similar to that
enforced by firefox. We have a smaller clamp than
firefox as our calling convention means that stack
usage is proportional to argument count -- the firefox
limit is larger than you could actually call.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• runtime/Arguments.h:

(JSC::Arguments::):

LayoutTests:

Testcases.

• fast/js/function-apply-many-args-expected.txt: Added.
• fast/js/function-apply-many-args.html: Added.
• fast/js/script-tests/function-apply-many-args.js: Added.

File:

• trunk/JavaScriptCore/runtime/JSArray.cpp (modified) (2 diffs)

trunk/JavaScriptCore/runtime/JSArray.cpp

@@ -949 +949 @@
 void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
 {
-    ASSERT(m_storage->m_length == maxSize);
+    ASSERT(m_storage->m_length >= maxSize);
     UNUSED_PARAM(maxSize);
     JSValue* vector = m_storage->m_vector;
-    unsigned vectorEnd = min(m_storage->m_length, m_vectorLength);
+    unsigned vectorEnd = min(maxSize, m_vectorLength);
     unsigned i = 0;
     for (; i < vectorEnd; ++i) {
@@ -961 +961 @@
     }
 
-    for (; i < m_storage->m_length; ++i)
+    for (; i < maxSize; ++i)
         buffer[i] = get(exec, i);
 }