Merge r222598 - JSArray::canFastCopy() should fail if the source and …

…destination arrays are the same. https://bugs.webkit.org/show_bug.cgi?id=177584 <rdar://problem/34463903> Reviewed by Saam Barati. JSTests: * stress/regress-177584.js: Added. (assertEqual): (Array.prototype.Symbol.species): Source/JavaScriptCore: If the source and destination arrays are the same, we may be copying overlapping regions. Hence, we need to take the slow path. * runtime/JSArrayInlines.h: (JSC::JSArray::canFastCopy):
WebKit · Oct 17, 2017 · dff69bc · dff69bc
1 parent c350fe8
commit dff69bc
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,15 @@
+2017-09-27  Mark Lam  <mark.lam@apple.com>
+
+        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
+        https://bugs.webkit.org/show_bug.cgi?id=177584
+        <rdar://problem/34463903>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-177584.js: Added.
+        (assertEqual):
+        (Array.prototype.Symbol.species):
+
 2017-08-30  Saam Barati  <sbarati@apple.com>
 
         semicolon is being interpreted as an = in the LiteralParser

diff --git a/JSTests/stress/regress-177584.js b/JSTests/stress/regress-177584.js
@@ -0,0 +1,18 @@
+function assertEqual(actual, expected) {
+    if (actual != expected)
+        throw "Failed: actual: " + actual + ", expected: " + expected;
+}
+
+var a0 = [,,,,,,,,,,,,,];
+
+Array.prototype.constructor = {
+    [Symbol.species]: function() {
+        return a0;
+    }
+}
+
+var a1 = [1,2,3,4];
+var a2 = a1.concat(a0);
+
+assertEqual(a0, a2);
+assertEqual(a0, "1,2,3,4,1,2,3,4,1,2,3,4,1,2,3,4,1");
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2017-09-27  Mark Lam  <mark.lam@apple.com>
+
+        JSArray::canFastCopy() should fail if the source and destination arrays are the same.
+        https://bugs.webkit.org/show_bug.cgi?id=177584
+        <rdar://problem/34463903>
+
+        Reviewed by Saam Barati.
+
+        If the source and destination arrays are the same, we may be copying overlapping
+        regions.  Hence, we need to take the slow path.
+
+        * runtime/JSArrayInlines.h:
+        (JSC::JSArray::canFastCopy):
+
 2017-09-20  Alberto Garcia  <berto@igalia.com>
 
         Fix HPPA and Alpha builds

diff --git a/Source/JavaScriptCore/runtime/JSArrayInlines.h b/Source/JavaScriptCore/runtime/JSArrayInlines.h
@@ -57,6 +57,8 @@ inline IndexingType JSArray::mergeIndexingTypeForCopying(IndexingType other)
 
 inline bool JSArray::canFastCopy(VM& vm, JSArray* otherArray)
 {
+    if (otherArray == this)
+        return false;
     if (hasAnyArrayStorage(indexingType()) || hasAnyArrayStorage(otherArray->indexingType()))
         return false;
     // FIXME: We should have a watchpoint for indexed properties on Array.prototype and Object.prototype