Merge r174122 - Label some asserts as having security implications.

<https://webkit.org/b/137260> Reviewed by Filip Pizlo. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::handleAssertionFailure): * runtime/JSCell.h: (JSC::jsCast): * runtime/StructureIDTable.h: (JSC::StructureIDTable::get): Canonical link: https://commits.webkit.org/154760.93@webkitgtk/2.6 git-svn-id: https://svn.webkit.org/repository/webkit/releases/WebKitGTK/webkit-2.6@174944 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 21, 2014 · 4383da1 · 4383da1
1 parent b0b6e76
commit 4383da1
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 4 deletions.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2014-09-30  Mark Lam  <mark.lam@apple.com>
+
+        Label some asserts as having security implications.
+        <https://webkit.org/b/137260>
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::handleAssertionFailure):
+        * runtime/JSCell.h:
+        (JSC::jsCast):
+        * runtime/StructureIDTable.h:
+        (JSC::StructureIDTable::get):
+
 2014-09-29  Filip Pizlo  <fpizlo@apple.com>
 
         DFG HasStructureProperty codegen should use one fewer registers

diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp
@@ -1195,7 +1195,7 @@ void Graph::handleAssertionFailure(
     dataLog("\n");
     dataLog("DFG ASSERTION FAILED: ", assertion, "\n");
     dataLog(file, "(", line, ") : ", function, "\n");
-    CRASH();
+    CRASH_WITH_SECURITY_IMPLICATION();
 }
 
 } } // namespace JSC::DFG

diff --git a/Source/JavaScriptCore/runtime/JSCell.h b/Source/JavaScriptCore/runtime/JSCell.h
@@ -234,14 +234,14 @@ class JSCell {
 template<typename To, typename From>
 inline To jsCast(From* from)
 {
-    ASSERT(!from || from->JSCell::inherits(std::remove_pointer<To>::type::info()));
+    ASSERT_WITH_SECURITY_IMPLICATION(!from || from->JSCell::inherits(std::remove_pointer<To>::type::info()));
     return static_cast<To>(from);
 }
 
 template<typename To>
 inline To jsCast(JSValue from)
 {
-    ASSERT(from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()));
+    ASSERT_WITH_SECURITY_IMPLICATION(from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()));
     return static_cast<To>(from.asCell());
 }
 

diff --git a/Source/JavaScriptCore/runtime/StructureIDTable.h b/Source/JavaScriptCore/runtime/StructureIDTable.h
@@ -83,7 +83,7 @@ class StructureIDTable {
 inline Structure* StructureIDTable::get(StructureID structureID)
 {
 #if USE(JSVALUE64)
-    ASSERT(structureID && structureID < m_capacity);
+    ASSERT_WITH_SECURITY_IMPLICATION(structureID && structureID < m_capacity);
     return table()[structureID].structure;
 #else
     return structureID;