Context Navigation

← Previous Changeset
Next Changeset →

Changeset 102709 in webkit

Timestamp:

Dec 13, 2011 3:17:43 PM (12 years ago)

Author:

oliver@apple.com

Message:

Arguments object doesn't handle mutation of length property correctly
https://bugs.webkit.org/show_bug.cgi?id=74454

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

Correct handling of arguments objects with overridden length property

interpreter/Interpreter.cpp:

(JSC::loadVarargs):

runtime/Arguments.cpp:

(JSC::Arguments::copyToArguments):
(JSC::Arguments::fillArgList):

LayoutTests:

Add tests of mutated arguments.length

fast/js/arguments-expected.txt:
fast/js/script-tests/arguments.js:

(argumentLengthIs5):
(duplicateArgumentAndReturnLast_call):
(duplicateArgumentAndReturnFirst_call):
(duplicateArgumentAndReturnLast_apply):
(duplicateArgumentAndReturnFirst_apply):

Location:

trunk

Files:

: 6 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/js/arguments-expected.txt (modified) (1 diff)
LayoutTests/fast/js/script-tests/arguments.js (modified) (2 diffs)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (3 diffs)
Source/JavaScriptCore/runtime/Arguments.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r102699
+                      r102709
+-12-13  Oliver Hunt  <oliver@apple.com>
+        Arguments object doesn't handle mutation of length property correctly
+        https://bugs.webkit.org/show_bug.cgi?id=74454
+        Reviewed by Gavin Barraclough.
+        Add tests of mutated arguments.length
+        * fast/js/arguments-expected.txt:
+        * fast/js/script-tests/arguments.js:
+        (argumentLengthIs5):
+        (duplicateArgumentAndReturnLast_call):
+        (duplicateArgumentAndReturnFirst_call):
+        (duplicateArgumentAndReturnLast_apply):
+        (duplicateArgumentAndReturnFirst_apply):
 -12-13  Vsevolod Vlasov  <vsevik@chromium.org>

trunk/LayoutTests/fast/js/arguments-expected.txt

-                      r97768
+                      r102709
 PASS access_4(1, 2, 3, 4, 5) is 4
 PASS access_5(1, 2, 3, 4, 5) is 5
+PASS argumentLengthIs5() is 5
+PASS argumentLengthIs5(1,2,3,4,5) is 5
+PASS argumentLengthIs5(1,2,3,4,5,6,7,8,9,10) is 5
+PASS duplicateArgumentAndReturnLast_call(1) is 1
+PASS duplicateArgumentAndReturnFirst_call(1) is 1
+PASS duplicateArgumentAndReturnLast_apply(1) is 1
+PASS duplicateArgumentAndReturnFirst_apply(1) is 1
 PASS tear_off_equal_access_1(1, 2, 3) is 1
 PASS tear_off_equal_access_2(1, 2, 3) is 2

trunk/LayoutTests/fast/js/script-tests/arguments.js

-                      r98407
+                      r102709
+{
     return arguments[4];
+}
+function argumentLengthIs5() {
+    arguments.length = 5;
+    return arguments.length;
+}
+function duplicateArgumentAndReturnLast_call(a) {
+    Array.prototype.push.call(arguments, a);
+    return arguments[1];
+}
+function duplicateArgumentAndReturnFirst_call(a) {
+    Array.prototype.push.call(arguments, a);
+    return arguments[0];
+}
+function duplicateArgumentAndReturnLast_apply(a) {
+    Array.prototype.push.apply(arguments, arguments);
+    return arguments[1];
+}
+function duplicateArgumentAndReturnFirst_apply(a) {
+    Array.prototype.push.apply(arguments, arguments);
+    return arguments[0];
+}
 …
 shouldBe("access_4(1, 2, 3, 4, 5)", "4");
 shouldBe("access_5(1, 2, 3, 4, 5)", "5");
+shouldBe("argumentLengthIs5()", "5");
+shouldBe("argumentLengthIs5(1,2,3,4,5)", "5");
+shouldBe("argumentLengthIs5(1,2,3,4,5,6,7,8,9,10)", "5");
+shouldBe("duplicateArgumentAndReturnLast_call(1)", "1");
+shouldBe("duplicateArgumentAndReturnFirst_call(1)", "1");
+shouldBe("duplicateArgumentAndReturnLast_apply(1)", "1");
+shouldBe("duplicateArgumentAndReturnFirst_apply(1)", "1");
 function f(a, b, c)

trunk/Source/JavaScriptCore/ChangeLog

-                      r102707
+                      r102709
+-12-13  Oliver Hunt  <oliver@apple.com>
+        Arguments object doesn't handle mutation of length property correctly
+        https://bugs.webkit.org/show_bug.cgi?id=74454
+        Reviewed by Gavin Barraclough.
+        Correct handling of arguments objects with overridden length property
+        * interpreter/Interpreter.cpp:
+        (JSC::loadVarargs):
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::copyToArguments):
+        (JSC::Arguments::fillArgList):
 -12-13  Filip Pizlo  <fpizlo@apple.com>

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

-                      r102545
+                      r102709
         Arguments* argsObject = asArguments(arguments);
         unsigned argCount = argsObject->length(callFrame);
         CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + argCount + 1 + RegisterFile::CallFrameHeaderSize);
+        CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + CallFrame::offsetFor(argCount + 1));
         if (argCount > Arguments::MaxArguments || !registerFile->grow(newCallFrame->registers())) {
             callFrame->globalData().exception = createStackOverflowError(callFrame);
 …
         JSArray* array = asArray(arguments);
         unsigned argCount = array->length();
         CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + argCount + 1 + RegisterFile::CallFrameHeaderSize);
+        CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + CallFrame::offsetFor(argCount + 1));
         if (argCount > Arguments::MaxArguments || !registerFile->grow(newCallFrame->registers())) {
             callFrame->globalData().exception = createStackOverflowError(callFrame);
 …
     JSObject* argObject = asObject(arguments);
     unsigned argCount = argObject->get(callFrame, callFrame->propertyNames().length).toUInt32(callFrame);
     CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + argCount + 1 + RegisterFile::CallFrameHeaderSize);
+    CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + firstFreeRegister + CallFrame::offsetFor(argCount + 1));
     if (argCount > Arguments::MaxArguments || !registerFile->grow(newCallFrame->registers())) {
         callFrame->globalData().exception = createStackOverflowError(callFrame);

trunk/Source/JavaScriptCore/runtime/Arguments.cpp

-                      r102545
+                      r102709
 void Arguments::copyToArguments(ExecState* exec, CallFrame* callFrame, uint32_t length)
+{
+    if (UNLIKELY(d->overrodeLength)) {
+        length = min(get(exec, exec->propertyNames().length).toUInt32(exec), length);
+        for (unsigned i = 0; i < length; i++)
+            callFrame->setArgument(i, get(exec, i));
+        return;
+    }
     ASSERT(length == this->length(exec));
     for (size_t i = 0; i < length; ++i) {
 …
 void Arguments::fillArgList(ExecState* exec, MarkedArgumentBuffer& args)
+{
+    if (UNLIKELY(d->overrodeLength)) {
+        unsigned length = get(exec, exec->propertyNames().length).toUInt32(exec);
+        for (unsigned i = 0; i < length; i++)
+            args.append(get(exec, i));
+        return;
+    }
     uint32_t length = this->length(exec);
     for (size_t i = 0; i < length; ++i) {

Note: See TracChangeset for help on using the changeset viewer.