Changeset 186643 in webkit


Ignore:
Timestamp:
Jul 9, 2015 3:58:05 PM (9 years ago)
Author:
mark.lam@apple.com
Message:

SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
https://bugs.webkit.org/show_bug.cgi?id=146807

Reviewed by Filip Pizlo.

When we capture an argument by name and we use "arguments", we put all of the
arguments into the scope. But destructured arguments are put into the scope
anonymously i.e. the SymbolTable knows that the scope offset is in use via
SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
SymbolTable::m_map.

The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
have a size which is based on the largest ScopeOffset in the m_map. If we have a
scenario where the anonymous argument is at a higher ScopeOffset than all the
named arguments, then the m_localsToEntry vector will not have an entry for it
i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
the anonymous argument.

Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
within the bounds of the m_localToEntry vector before indexing into it.

  • runtime/SymbolTable.cpp:

(JSC::SymbolTable::entryFor):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r186606 r186643  
     12015-07-09  Mark Lam  <mark.lam@apple.com>
     2
     3        SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
     4        https://bugs.webkit.org/show_bug.cgi?id=146807
     5
     6        Reviewed by Filip Pizlo.
     7
     8        When we capture an argument by name and we use "arguments", we put all of the
     9        arguments into the scope.  But destructured arguments are put into the scope
     10        anonymously i.e. the SymbolTable knows that the scope offset is in use via
     11        SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
     12        SymbolTable::m_map.
     13
     14        The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
     15        have a size which is based on the largest ScopeOffset in the m_map.  If we have a
     16        scenario where the anonymous argument is at a higher ScopeOffset than all the
     17        named arguments, then the m_localsToEntry vector will not have an entry for it
     18        i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
     19        the anonymous argument.
     20
     21        Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
     22        within the bounds of the m_localToEntry vector before indexing into it.
     23
     24        * runtime/SymbolTable.cpp:
     25        (JSC::SymbolTable::entryFor):
     26
    1272015-07-09  Michael Saboff  <msaboff@apple.com>
    228

  • trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp

    r184828 r186643  
    131131SymbolTableEntry* SymbolTable::entryFor(const ConcurrentJITLocker& locker, ScopeOffset offset)
    132132{
    133     return localToEntry(locker)[offset.offset()];
     133    auto& toEntryVector = localToEntry(locker);
     134    if (offset.offset() >= toEntryVector.size())
     135        return nullptr;
     136    return toEntryVector[offset.offset()];
    134137}
    135138
Note: See TracChangeset for help on using the changeset viewer.