Changeset 224784 in webkit
- Timestamp:
- Nov 13, 2017 2:58:04 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 10 edited
trunk/JSTests/ChangeLog
r224770 r224784 1 2017-11-13 Mark Lam <mark.lam@apple.com> 2 3 Add more overflow check book-keeping for MarkedArgumentBuffer. 4 https://bugs.webkit.org/show_bug.cgi?id=179634 5 <rdar://problem/35492517> 6 7 Reviewed by Saam Barati. 8 9 * stress/regress-179634.js: Added. 10 1 11 2017-11-13 Mark Lam <mark.lam@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r224783 r224784 1 2017-11-13 Mark Lam <mark.lam@apple.com> 2 3 Add more overflow check book-keeping for MarkedArgumentBuffer. 4 https://bugs.webkit.org/show_bug.cgi?id=179634 5 <rdar://problem/35492517> 6 7 Reviewed by Saam Barati. 8 9 * runtime/ArgList.h: 10 (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded): 11 * runtime/JSJob.cpp: 12 (JSC::JSJobMicrotask::run): 13 * runtime/ObjectConstructor.cpp: 14 (JSC::defineProperties): 15 * runtime/ReflectObject.cpp: 16 (JSC::reflectObjectConstruct): 17 1 18 2017-11-13 Guillaume Emont <guijemont@igalia.com> 2 19 -
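--- a/trunk/Source/JavaScriptCore/runtime/ArgList.h
+++ b/trunk/Source/JavaScriptCore/runtime/ArgList.h
@@ -126,4 +126,6 @@
 }
 
+void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }
+
 private:
 void expandCapacity();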
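Review bot: The new public `overflowCheckNotNeeded()` carries no comment saying when a caller is allowed to use it, and a method whose only job is to silence a check is easy to misuse on a path that still hands the buffer to a callee. I would put above it: `// For early-exit paths (e.g. an exception) where the buffer is discarded without ever being passed on, so hasOverflowed() need not be consulted.` Every caller added in this changeset fits that pattern, but the rule belongs next to the declaration rather than in each call site. The enclosing class starts and ends outside the hunk.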
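--- a/trunk/Source/JavaScriptCore/runtime/JSJob.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSJob.cpp
@@ -74,5 +74,5 @@
 for (unsigned index = 0, length = m_arguments->length(); index < length; ++index) {
 JSValue arg = m_arguments->JSArray::get(exec, index);
-CLEAR_AND_RETURN_IF_EXCEPTION(scope, void());
+CLEAR_AND_RETURN_IF_EXCEPTION(scope, handlerArguments.overflowCheckNotNeeded());
 handlerArguments.append(arg);
 }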
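Review bot: Passing `handlerArguments.overflowCheckNotNeeded()` as the value operand of CLEAR_AND_RETURN_IF_EXCEPTION hides a side effect inside what reads as a return expression, and it presumably only compiles because the enclosing function returns void; the comma form `(arguments.overflowCheckNotNeeded(), encodedJSValue())` in the ReflectObject.cpp hunk has the same readability problem. An explicit if-block on the exception that calls overflowCheckNotNeeded() and then returns would make the bail-out visible, assuming it matches what the macro expands to. Failing that, a one-line comment such as `// Bailing out: the buffer is dropped unused, so its overflow check is skipped.` would keep the intent from being lost. JSJobMicrotask::run continues outside the hunk, so whether hasOverflowed() is consulted after the loop is not visible here.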
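--- a/trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
@@ -549,6 +549,8 @@
 bool success = toPropertyDescriptor(exec, prop, descriptor);
 EXCEPTION_ASSERT(!scope.exception() || !success);
-if (UNLIKELY(!success))
+if (UNLIKELY(!success)) {
+markBuffer.overflowCheckNotNeeded();
 return jsNull();
+}
 descriptors.append(descriptor);
 // Ensure we mark all the values that we're accumulating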
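--- a/trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp
@@ -121,5 +121,5 @@
 return false;
 });
-RETURN_IF_EXCEPTION(scope, encodedJSValue());
+RETURN_IF_EXCEPTION(scope, (arguments.overflowCheckNotNeeded(), encodedJSValue()));
 if (UNLIKELY(arguments.hasOverflowed())) {
 throwOutOfMemoryError(exec, scope);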
trunk/Source/WebKit/ChangeLog
r224782 r224784 1 2017-11-13 Mark Lam <mark.lam@apple.com> 2 3 Add more overflow check book-keeping for MarkedArgumentBuffer. 4 https://bugs.webkit.org/show_bug.cgi?id=179634 5 <rdar://problem/35492517> 6 7 Reviewed by Saam Barati. 8 9 * WebProcess/Plugins/Netscape/NPJSObject.cpp: 10 (WebKit::NPJSObject::construct): 11 (WebKit::NPJSObject::invoke): 12 1 13 2017-11-13 Timothy Horton <timothy_horton@apple.com> 2 14 -
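--- a/trunk/Source/WebKit/WebProcess/Plugins/Netscape/NPJSObject.cpp
+++ b/trunk/Source/WebKit/WebProcess/Plugins/Netscape/NPJSObject.cpp
@@ -287,4 +287,5 @@
 for (uint32_t i = 0; i < argumentCount; ++i)
 argumentList.append(m_objectMap->convertNPVariantToJSValue(exec, m_objectMap->globalObject(), arguments[i]));
+RELEASE_ASSERT(!argumentList.hasOverflowed());
 
 JSValue value = JSC::construct(exec, m_jsObject.get(), constructType, constructData, argumentList);
@@ -311,4 +312,5 @@
 for (uint32_t i = 0; i < argumentCount; ++i)
 argumentList.append(m_objectMap->convertNPVariantToJSValue(exec, globalObject, arguments[i]));
+RELEASE_ASSERT(!argumentList.hasOverflowed());
 
 JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);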
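Review bot: `RELEASE_ASSERT(!argumentList.hasOverflowed())` turns an overflowed argument buffer into a process abort for a list built from plugin-supplied `arguments[i]` and `argumentCount`, whereas the ReflectObject.cpp hunk in this changeset reports the same condition by throwing an out-of-memory error. If fail-fast is the intended policy for plugin-originated argument lists, a comment saying so would stop the next reader from "fixing" it to match the JSC side: `// Never call into JS with an overflowed argument list from a plugin; fail fast instead.` Whether plugin input alone can drive the buffer into the overflowed state is not visible from these lines, so the comment should state the policy, not a claim about reachability. The same assert is added three times after demarshalValues() in NetscapePluginInstanceProxy.mm, where the same comment applies; both enclosing functions here (construct and invoke) start and end outside the hunks.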
trunk/Source/WebKitLegacy/mac/ChangeLog
r224740 r224784 1 2017-11-13 Mark Lam <mark.lam@apple.com> 2 3 Add more overflow check book-keeping for MarkedArgumentBuffer. 4 https://bugs.webkit.org/show_bug.cgi?id=179634 5 <rdar://problem/35492517> 6 7 Reviewed by Saam Barati. 8 9 * Plugins/Hosted/NetscapePluginInstanceProxy.mm: 10 (WebKit::NetscapePluginInstanceProxy::invoke): 11 (WebKit::NetscapePluginInstanceProxy::invokeDefault): 12 (WebKit::NetscapePluginInstanceProxy::construct): 13 1 14 2017-11-12 Darin Adler <darin@apple.com> 2 15 -
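--- a/trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
+++ b/trunk/Source/WebKitLegacy/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
@@ -929,4 +929,5 @@
 MarkedArgumentBuffer argList;
 demarshalValues(exec, argumentsData, argumentsLength, argList);
+RELEASE_ASSERT(!argList.hasOverflowed());
 
 JSValue value = call(exec, function, callType, callData, object, argList);
@@ -964,4 +965,5 @@
 MarkedArgumentBuffer argList;
 demarshalValues(exec, argumentsData, argumentsLength, argList);
+RELEASE_ASSERT(!argList.hasOverflowed());
 
 JSValue value = call(exec, object, callType, callData, object, argList);
@@ -1000,4 +1002,5 @@
 MarkedArgumentBuffer argList;
 demarshalValues(exec, argumentsData, argumentsLength, argList);
+RELEASE_ASSERT(!argList.hasOverflowed());
 
 JSValue value = JSC::construct(exec, object, constructType, constructData, argList);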