Skip to content
Permalink
Browse files
CachedCall (and its clients) needs overflow checks. 
https://bugs.webkit.org/show_bug.cgi?id=179185

Reviewed by JF Bastien.

JSTests:

* stress/regress-179185.js: Added.

Source/JavaScriptCore:

* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
(JSC::CachedCall::hasOverflowedArguments):
* runtime/ArgList.h:
(JSC::MarkedArgumentBuffer::clear):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):


Canonical link: https://commits.webkit.org/195337@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224399 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
Mark Lam committed Nov 3, 2017
1 parent 20262b2 commit 90a321604e40ac89e6064cf4a5ad3a8ae77bacfe
9 JSTests/ChangeLog
View file
@@ -1,3 +1,12 @@
2017-11-03 Mark Lam <mark.lam@apple.com>

CachedCall (and its clients) needs overflow checks.
https://bugs.webkit.org/show_bug.cgi?id=179185

Reviewed by JF Bastien.

* stress/regress-179185.js: Added.

2017-11-02 Michael Saboff <msaboff@apple.com>

DFG needs to handle code motion of code in for..in loop bodies
3 JSTests/stress/regress-179185.js
View file
@@ -0,0 +1,3 @@
// This test passes if it does not fail assertions on a debug build.
str = "Hello There Quick Brown Fox";
str.replace(/(((el)|(ui))|((Br)|(Fo)))/g, () => { });
15 Source/JavaScriptCore/ChangeLog
View file
@@ -1,3 +1,18 @@
2017-11-03 Mark Lam <mark.lam@apple.com>

CachedCall (and its clients) needs overflow checks.
https://bugs.webkit.org/show_bug.cgi?id=179185

Reviewed by JF Bastien.

* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
(JSC::CachedCall::hasOverflowedArguments):
* runtime/ArgList.h:
(JSC::MarkedArgumentBuffer::clear):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):

2017-11-03 Devin Rousso <webkit@devinrousso.com>

Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
6 Source/JavaScriptCore/interpreter/CachedCall.h
View file
@@ -51,7 +51,10 @@ namespace JSC {
ASSERT(!function->isHostFunctionNonInline());
if (UNLIKELY(vm.isSafeToRecurseSoft())) {
m_arguments.ensureCapacity(argumentCount);
m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
if (LIKELY(!m_arguments.hasOverflowed()))
m_closure = m_interpreter->prepareForRepeatCall(function->jsExecutable(), callFrame, &m_protoCallFrame, function, argumentCount + 1, function->scope(), m_arguments);
else
throwOutOfMemoryError(callFrame, scope);
} else
throwStackOverflowError(callFrame, scope);
m_valid = !scope.exception();
@@ -67,6 +70,7 @@ namespace JSC {

void clearArguments() { m_arguments.clear(); }
void appendArgument(JSValue v) { m_arguments.append(v); }
bool hasOverflowedArguments() { return m_arguments.hasOverflowed(); }

private:
bool m_valid;
2 Source/JavaScriptCore/runtime/ArgList.h
View file
@@ -73,6 +73,8 @@ class MarkedArgumentBuffer : public RecordOverflow {

void clear()
{
ASSERT(!m_needsOverflowCheck);
clearOverflow();
m_size = 0;
}

10 Source/JavaScriptCore/runtime/StringPrototype.cpp
View file
@@ -598,6 +598,11 @@ static ALWAYS_INLINE EncodedJSValue replaceUsingRegExpSearch(
cachedCall.appendArgument(groups);

cachedCall.setThis(jsUndefined());
if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
throwOutOfMemoryError(exec, scope);
return encodedJSValue();
}

JSValue jsResult = cachedCall.call();
RETURN_IF_EXCEPTION(scope, encodedJSValue());
replacements.append(jsResult.toWTFString(exec));
@@ -659,6 +664,11 @@ static ALWAYS_INLINE EncodedJSValue replaceUsingRegExpSearch(
cachedCall.appendArgument(groups);

cachedCall.setThis(jsUndefined());
if (UNLIKELY(cachedCall.hasOverflowedArguments())) {
throwOutOfMemoryError(exec, scope);
return encodedJSValue();
}

JSValue jsResult = cachedCall.call();
RETURN_IF_EXCEPTION(scope, encodedJSValue());
replacements.append(jsResult.toWTFString(exec));

0 comments on commit 90a3216

Please sign in to comment.