Context Navigation

← Previous Changeset
Next Changeset →

Changeset 148130 in webkit

Timestamp:

Apr 10, 2013 1:01:14 PM (11 years ago)

Author:

msaboff@apple.com

Message:

DFG: Negative size for new Array() interpreted as large unsigned int
https://bugs.webkit.org/show_bug.cgi?id=114366

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Added new check in operationNewArrayWithSize() for a negative
size. If size is negative throw a "RangeError: Array size is not a
small enough positive integer" exception.

dfg/DFGOperations.cpp:

LayoutTests:

New test to make sure DFG generated code for new Array() with a
computed negative size throws an exception.

fast/js/dfg-negative-array-size-expected.txt: Added.
fast/js/dfg-negative-array-size.html: Added.
fast/js/script-tests/dfg-negative-array-size.js: Added.

Location:

trunk

Files:

: 3 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/js/dfg-negative-array-size-expected.txt (added)
LayoutTests/fast/js/dfg-negative-array-size.html (added)
LayoutTests/fast/js/script-tests/dfg-negative-array-size.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r148121
+                      r148130
+-04-10  Michael Saboff  <msaboff@apple.com>
+        DFG: Negative size for new Array() interpreted as large unsigned int
+        https://bugs.webkit.org/show_bug.cgi?id=114366
+        Reviewed by Oliver Hunt.
+        New test to make sure DFG generated code for new Array() with a
+        computed negative size throws an exception.
+        * fast/js/dfg-negative-array-size-expected.txt: Added.
+        * fast/js/dfg-negative-array-size.html: Added.
+        * fast/js/script-tests/dfg-negative-array-size.js: Added.
 -04-10  Robert Hogan  <robert@webkit.org>

trunk/Source/JavaScriptCore/ChangeLog

-                      r148127
+                      r148130
+-04-10  Michael Saboff  <msaboff@apple.com>
+        DFG: Negative size for new Array() interpreted as large unsigned int
+        https://bugs.webkit.org/show_bug.cgi?id=114366
+        Reviewed by Oliver Hunt.
+        Added new check in operationNewArrayWithSize() for a negative
+        size.  If size is negative throw a "RangeError: Array size is not a
+        small enough positive integer" exception.
+        * dfg/DFGOperations.cpp:
 -04-10  peavo@outlook.com  <peavo@outlook.com>

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

-                      r147985
+                      r148130
     JSGlobalData* globalData = &exec->globalData();
     NativeCallFrameTracer tracer(globalData, exec);
+    if (size < 0)
+        return bitwise_cast<char*>(throwError(exec, createRangeError(exec, ASCIILiteral("Array size is not a small enough positive integer."))));
     return bitwise_cast<char*>(JSArray::create(*globalData, arrayStructure, size));
+}

Note: See TracChangeset for help on using the changeset viewer.