From dff69bcae9c0657308288900c95d9922d497f0ed Mon Sep 17 00:00:00 2001 From: Mark Lam Date: Tue, 17 Oct 2017 07:04:00 +0000 Subject: [PATCH] Merge r222598 - JSArray::canFastCopy() should fail if the source and destination arrays are the same. https://bugs.webkit.org/show_bug.cgi?id=177584 Reviewed by Saam Barati. JSTests: * stress/regress-177584.js: Added. (assertEqual): (Array.prototype.Symbol.species): Source/JavaScriptCore: If the source and destination arrays are the same, we may be copying overlapping regions. Hence, we need to take the slow path. * runtime/JSArrayInlines.h: (JSC::JSArray::canFastCopy): --- JSTests/ChangeLog | 12 ++++++++++++ JSTests/stress/regress-177584.js | 18 ++++++++++++++++++ Source/JavaScriptCore/ChangeLog | 14 ++++++++++++++ Source/JavaScriptCore/runtime/JSArrayInlines.h | 2 ++ 4 files changed, 46 insertions(+) create mode 100644 JSTests/stress/regress-177584.js
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index de6a74d115d9..cb8830065c6a 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,15 @@
+2017-09-27 Mark Lam
+
+ JSArray::canFastCopy() should fail if the source and destination arrays are the same.
+ https://bugs.webkit.org/show_bug.cgi?id=177584
+
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-177584.js: Added.
+ (assertEqual):
+ (Array.prototype.Symbol.species):
+
 2017-08-30 Saam Barati
 
 semicolon is being interpreted as an = in the LiteralParser
diff --git a/JSTests/stress/regress-177584.js b/JSTests/stress/regress-177584.js
new file mode 100644
index 000000000000..990dca75f760
--- /dev/null
+++ b/JSTests/stress/regress-177584.js
@@ -0,0 +1,18 @@
+function assertEqual(actual, expected) {
+ if (actual != expected)
+ throw "Failed: actual: " + actual + ", expected: " + expected;
+}
+
+var a0 = [,,,,,,,,,,,,,];
+
+Array.prototype.constructor = {
+ [Symbol.species]: function() {
+ return a0;
+ }
+}
+
+var a1 = [1,2,3,4];
+var a2 = a1.concat(a0);
+
+assertEqual(a0, a2);
+assertEqual(a0, "1,2,3,4,1,2,3,4,1,2,3,4,1,2,3,4,1");
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 84b7fe2ffb09..6e2ca2facd41 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2017-09-27 Mark Lam
+
+ JSArray::canFastCopy() should fail if the source and destination arrays are the same.
+ https://bugs.webkit.org/show_bug.cgi?id=177584
+
+
+ Reviewed by Saam Barati.
+
+ If the source and destination arrays are the same, we may be copying overlapping
+ regions. Hence, we need to take the slow path.
+
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::canFastCopy):
+
 2017-09-20 Alberto Garcia
 
 Fix HPPA and Alpha builds
diff --git a/Source/JavaScriptCore/runtime/JSArrayInlines.h b/Source/JavaScriptCore/runtime/JSArrayInlines.h
index c673bbceeb5f..78153698b265 100644
--- a/Source/JavaScriptCore/runtime/JSArrayInlines.h
+++ b/Source/JavaScriptCore/runtime/JSArrayInlines.h
@@ -57,6 +57,8 @@ inline IndexingType JSArray::mergeIndexingTypeForCopying(IndexingType other)
 inline bool JSArray::canFastCopy(VM& vm, JSArray* otherArray)
 {
+ if (otherArray == this)
+ return false;
 if (hasAnyArrayStorage(indexingType()) || hasAnyArrayStorage(otherArray->indexingType()))
 return false;
 // FIXME: We should have a watchpoint for indexed properties on Array.prototype and Object.prototype
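Review bot: Nothing in regress-177584.js says why `Symbol.species` handing back `a0` is the case worth pinning, so the two assertions read as arbitrary; a header comment above `var a0` would make the intent durable, e.g. `// Symbol.species returns a0 itself, so the array concat writes into is also one of the arrays it reads from and the copy overlaps; the expected string below is the result of the element-by-element slow path.` The first `assertEqual(a0, a2)` is an identity check, since `!=` on two objects compares references, which is presumably the intended check that the species-constructed array is the one returned, but the helper's name suggests value equality, so a one-line comment there would help. The second assertion depends on `!=` coercing `a0` to its joined string; `assertEqual(String(a0), "1,2,3,4,1,2,3,4,1,2,3,4,1,2,3,4,1")` states that explicitly and would still pass. Given that second use, the helper's `!=` rather than `!==` looks deliberate, so I would leave it and document the coercion instead of changing it.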