Changeset 158875 in webkit

Timestamp:

Nov 7, 2013 2:19:58 PM (10 years ago)

Author:

oliver@apple.com

Message:

Reproducible crash when using Map (affects Web Inspector)
​https://bugs.webkit.org/show_bug.cgi?id=123940

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Trivial fix. Once again we get bitten by attempting to be clever when
growing while adding entries to indexing maps.

Now we simply do a find(), and then add() _after_ we've ensured there is
sufficient space in the MapData list.

• runtime/MapData.cpp:

(JSC::MapData::add):

LayoutTests:

Add testcases

• js/map-grow-with-holes-expected.txt: Added.
• js/map-grow-with-holes.html: Added.
• js/script-tests/map-grow-with-holes.js: Added.

(get map):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/map-grow-with-holes-expected.txt (added)
• LayoutTests/js/map-grow-with-holes.html (added)
• LayoutTests/js/script-tests/map-grow-with-holes.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/MapData.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-11-07  Oliver Hunt  <oliver@apple.com>
+
+        Reproducible crash when using Map (affects Web Inspector)
+        https://bugs.webkit.org/show_bug.cgi?id=123940
+
+        Reviewed by Geoffrey Garen.
+
+        Add testcases
+
+        * js/map-grow-with-holes-expected.txt: Added.
+        * js/map-grow-with-holes.html: Added.
+        * js/script-tests/map-grow-with-holes.js: Added.
+        (get map):
+
 2013-11-07  Michał Pakuła vel Rutka  <m.pakula@samsung.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-11-07  Oliver Hunt  <oliver@apple.com>
+
+        Reproducible crash when using Map (affects Web Inspector)
+        https://bugs.webkit.org/show_bug.cgi?id=123940
+
+        Reviewed by Geoffrey Garen.
+
+        Trivial fix.  Once again we get bitten by attempting to be clever when
+        growing while adding entries to indexing maps.
+
+        Now we simply do a find(), and then add() _after_ we've ensured there is
+        sufficient space in the MapData list.
+
+        * runtime/MapData.cpp:
+        (JSC::MapData::add):
+
 2013-11-07  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/runtime/MapData.cpp

@@ -81 +81 @@
 template <typename Map, typename Key> MapData::Entry* MapData::add(CallFrame* callFrame, Map& map, Key key, KeyType keyValue)
 {
-    typename Map::AddResult result = map.add(key, m_size);
-    if (!result.isNewEntry)
-        return &m_entries[result.iterator->value];
-    if (!ensureSpaceForAppend(callFrame)) {
-        map.remove(result.iterator);
+    typename Map::iterator location = map.find(key);
+    if (location != map.end())
+        return &m_entries[location->value];
+    
+    if (!ensureSpaceForAppend(callFrame))
         return 0;
-    }
-
+
+    auto result = map.add(key, m_size);
+    RELEASE_ASSERT(result.isNewEntry);
     Entry* entry = &m_entries[m_size++];
     new (entry) Entry();