Changeset 229850 in webkit


Timestamp: Mar 22, 2018 8:12:44 AM
Author: msaboff@apple.com
Message:

Race Condition in arrayProtoFuncReverse() causes wrong results or crash
https://bugs.webkit.org/show_bug.cgi?id=183901

Reviewed by Keith Miller.

JSTests:

New test.

  • stress/array-reverse-doesnt-clobber.js: Added.

(testArrayReverse):
(createArrayOfArrays):
(createArrayStorage):

Source/JavaScriptCore:

Added write barriers to ensure the reversed contents are properly marked.

  • runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncReverse):

Location: trunk
Files: 1 added, 3 edited

  • trunk/JSTests/ChangeLog

    r229842 r229850  
     12018-03-22  Michael Saboff  <msaboff@apple.com>
     2
     3        Race Condition in arrayProtoFuncReverse() causes wrong results or crash
     4        https://bugs.webkit.org/show_bug.cgi?id=183901
     5
     6        Reviewed by Keith Miller.
     7
     8        New test.
     9
     10        * stress/array-reverse-doesnt-clobber.js: Added.
     11        (testArrayReverse):
     12        (createArrayOfArrays):
     13        (createArrayStorage):
     14
    1152018-03-21  Filip Pizlo  <fpizlo@apple.com>
    216
  • trunk/Source/JavaScriptCore/ChangeLog

    r229842 r229850  
     12018-03-22  Michael Saboff  <msaboff@apple.com>
     2
     3        Race Condition in arrayProtoFuncReverse() causes wrong results or crash
     4        https://bugs.webkit.org/show_bug.cgi?id=183901
     5
     6        Reviewed by Keith Miller.
     7
     8        Added write barriers to ensure the reversed contents are properly marked.
     9
     10        * runtime/ArrayPrototype.cpp:
     11        (JSC::arrayProtoFuncReverse):
     12
    1132018-03-21  Filip Pizlo  <fpizlo@apple.com>
    214
  • trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

    r228576 r229850  
    840840            break;
    841841        std::reverse(data, data + length);
     842        if (!hasInt32(thisObject->indexingType()))
     843            vm.heap.writeBarrier(thisObject);
    842844        return JSValue::encode(thisObject);
    843845    }
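Review bot: The new guard `if (!hasInt32(thisObject->indexingType()))` at line 842 carries no comment saying why Int32 storage alone may skip the barrier, so a later reader of this switch has to infer it from the guard itself: Int32 storage holds no cell pointers, so reversing it moves nothing the collector needs to mark, while every other indexing type that reaches this `std::reverse(data, data + length)` does move cell pointers in place. Suggest a one-line comment above the `if` stating that, and a check that each indexing type sharing this case is either Int32 or covered by the barrier, since a type added to this case later without extending the barrier would reintroduce the missed-marking failure the ChangeLog describes.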
     
    860862        auto data = storage.vector().data();
    861863        std::reverse(data, data + length);
     864        vm.heap.writeBarrier(thisObject);
    862865        return JSValue::encode(thisObject);
    863866    }
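Review bot: The unconditional `vm.heap.writeBarrier(thisObject);` at line 864 is correctly placed after the in-place `std::reverse(data, data + length)` on `storage.vector().data()`, since the barrier has to follow the raw writes it covers, but like the contiguous case above it has no comment tying it to the reason. Suggest a short comment at 864 noting that `std::reverse` stores cell pointers into the array storage without passing through a barriered store, with a pointer to https://bugs.webkit.org/show_bug.cgi?id=183901, so neither of the two barriers added here is later dropped as redundant.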