Changeset 216076 in webkit
- Timestamp: May 2, 2017, 10:55:11 AM
- Location: trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r216058 r216076 1 2017-05-02 Mark Lam <mark.lam@apple.com> 2 3 JSFixedArray::allocationSize() should not allow for allocation failure. 4 https://bugs.webkit.org/show_bug.cgi?id=171516 5 6 Reviewed by Geoffrey Garen. 7 8 Since JSFixedArray::createFromArray() now handles allocation failures by throwing 9 OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer 10 size to allocate) should also allow for allocation failure on overflow. 11 12 This issue is covered by the stress/js-fixed-array-out-of-memory.js test when 13 run on 32-bit builds. 14 15 * runtime/JSFixedArray.h: 16 (JSC::JSFixedArray::tryCreate): 17 (JSC::JSFixedArray::allocationSize): 18 1 19 2017-05-01 Zan Dobersek <zdobersek@igalia.com> 2 20 -
trunk/Source/JavaScriptCore/runtime/JSFixedArray.h
r215919 r216076 123 123 ALWAYS_INLINE static JSFixedArray* tryCreate(VM& vm, Structure* structure, unsigned size) 124 124 { 125 void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, allocationSize(size)); 125 Checked<size_t, RecordOverflow> checkedAllocationSize = allocationSize(size); 126 if (UNLIKELY(checkedAllocationSize.hasOverflowed())) 127 return nullptr; 128 129 void* buffer = tryAllocateCell<JSFixedArray>(vm.heap, checkedAllocationSize.unsafeGet()); 126 130 if (UNLIKELY(!buffer)) 127 131 return nullptr; … … 141 145 142 146 143 static size_t allocationSize(Checked<size_t> numItems)147 static Checked<size_t, RecordOverflow> allocationSize(Checked<size_t, RecordOverflow> numItems) 144 148 { 145 return (offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>)).unsafeGet();149 return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>); 146 150 } 147 151 };
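Review bot: In the tryCreate() hunk, the new early return collapses two different failure causes (size_t overflow of the computed allocation size, and tryAllocateCell() returning null because the heap is exhausted) into the same nullptr result; a short comment above `if (UNLIKELY(checkedAllocationSize.hasOverflowed()))` saying that callers treat both as an out-of-memory condition would make that intent explicit. The ordering is correct: `checkedAllocationSize.unsafeGet()` is only reached after the overflow check, so no overflowed value can reach the allocator. Since the ChangeLog notes the overflow path is only exercised by stress/js-fixed-array-out-of-memory.js on 32-bit builds, it would help to state in the test or the ChangeLog why the `unsigned size` argument cannot overflow a 64-bit size_t, so reviewers know the 32-bit-only coverage is expected rather than a gap.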
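Review bot: In the allocationSize() hunk, the return type changes from `size_t` to `Checked<size_t, RecordOverflow>` and the `.unsafeGet()` is dropped, so any caller of allocationSize() other than tryCreate() that still expects a plain size_t will now receive a Checked value; the diff only updates tryCreate(), so please confirm there are no other call sites in the file or in callers outside it. A one-line comment on the function documenting the contract (callers must check hasOverflowed() before calling unsafeGet(), and the parameter's handler was deliberately changed from the default to RecordOverflow so that overflow is reported rather than handled by the default policy) would keep future callers from reintroducing the unchecked size computation this change removes.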