Changeset 207377 in webkit


Timestamp:
Oct 15, 2016 1:56:24 PM (7 years ago)
Author:
sbarati@apple.com
Message:

Assertion failed under operationToLowerCase with a rope with zero length
https://bugs.webkit.org/show_bug.cgi?id=163314

Reviewed by Mark Lam.

JSTests:

  • stress/to-lower-case-intrinsic-on-empty-rope.js: Added.

(assert):
(returnRope.helper):
(returnRope):
(lower):

Source/JavaScriptCore:

There are some ways to get JSC to create empty rope strings. ToLowerCase
inside the DFG/FTL goes to the slow path when the argument is a rope.
operationToLowerCase was calling into a WTF string function that
assumed we are passing it a this value that has non-zero length.
However, we were calling it with a string that did have zero length.
To fix this, we make operationToLowerCase return the empty JSString
if it is going to make a string with zero length.

  • dfg/DFGOperations.cpp:
  • jsc.cpp:

(GlobalObject::finishCreation):
(functionIsRope):
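
The stress test listed above is not shown on this page. As an added example, not the project's test, here is a regression-style harness in the same spirit: it lowercases empty strings built by concatenation inside a hot loop so that an optimizing tier compiles `lower`, and checks that the result is still empty. Which concatenations an engine materializes as ropes is an assumption; the `isRope` probe only exists in the jsc shell patched in this changeset and is skipped elsewhere.

```javascript
// Constructed regression-style harness (added example, not the project's
// stress test). Assumption: inside a JIT-compiled function, concatenating
// two strings may be represented as a rope even when both are empty.

// isRope() exists only in the jsc shell from this changeset; elsewhere the
// probe reports undefined rather than failing.
const ropeProbe = typeof isRope === "function" ? isRope : () => undefined;

function check(cond, msg) {
  if (!cond) throw new Error("check failed: " + msg);
}

// Concatenation performed in a nested helper so the optimizing tier sees a
// string-concat operation rather than a constant-folded literal.
function returnRope(left, right) {
  function helper(a, b) {
    return a + b;
  }
  return helper(left, right);
}

// The call under test: String.prototype.toLowerCase on a possibly-rope input.
function lower(s) {
  return s.toLowerCase();
}

// Runs lower() many times so that tiering kicks in, and verifies on every
// iteration that an empty input yields an empty result.
// Returns the number of iterations that passed.
function runRegression(iterations = 100000) {
  // Empty operands produced at runtime rather than as literals (constructed).
  const emptyA = "abc".slice(3);
  const emptyB = "xyz".substring(1, 1);
  let passed = 0;
  for (let i = 0; i < iterations; i++) {
    const input = returnRope(emptyA, emptyB);
    check(input.length === 0, "input should be empty");
    const result = lower(input);
    check(result === "", "toLowerCase of empty input must be empty");
    passed++;
  }
  return passed;
}

// Reports whether the engine represents the concatenation as a rope:
// true/false under the patched jsc shell, undefined elsewhere.
function ropeState() {
  return ropeProbe(returnRope("", ""));
}
```

Under the patched jsc shell this reaches the DFG/FTL slow path described in the message; under other engines it only validates the result.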

Location:
trunk
Files:
1 added
4 edited

  • trunk/JSTests/ChangeLog

    r207369 r207377  
     12016-10-15  Saam Barati  <sbarati@apple.com>
     2
     3        Assertion failed under operationToLowerCase with a rope with zero length
     4        https://bugs.webkit.org/show_bug.cgi?id=163314
     5
     6        Reviewed by Mark Lam.
     7
     8        * stress/to-lower-case-intrinsic-on-empty-rope.js: Added.
     9        (assert):
     10        (returnRope.helper):
     11        (returnRope):
     12        (lower):
     13
    1142016-10-14  Benjamin Poulain  <bpoulain@apple.com>
    215
  • trunk/Source/JavaScriptCore/ChangeLog

    r207369 r207377  
     12016-10-15  Saam Barati  <sbarati@apple.com>
     2
     3        Assertion failed under operationToLowerCase with a rope with zero length
     4        https://bugs.webkit.org/show_bug.cgi?id=163314
     5
     6        Reviewed by Mark Lam.
     7
     8        There are some ways to get JSC to create empty rope strings. ToLowerCase
     9        inside the DFG/FTL goes to the slow path when the argument is a rope.
     10        operationToLowerCase was calling into a WTF string function that
     11        assumed we are passing it a this value that has non-zero length.
     12        However, we were calling it with a string that did have zero length.
     13        To fix this, we make operationToLowerCase return the empty JSString
     14        if it is going to make a string with zero length.
     15
     16        * dfg/DFGOperations.cpp:
     17        * jsc.cpp:
     18        (GlobalObject::finishCreation):
     19        (functionIsRope):
     20
    1212016-10-14  Benjamin Poulain  <bpoulain@apple.com>
    222
  • trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

    r206804 r207377  
    15241524    const String& inputString = string->value(exec);
    15251525    RETURN_IF_EXCEPTION(scope, nullptr);
     1526    if (!inputString.length())
     1527        return vm.smallStrings.emptyString();
     1528
    15261529    String lowercasedString = inputString.is8Bit() ? inputString.convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(failingIndex) : inputString.convertToLowercaseWithoutLocale();
    15271530    if (lowercasedString.impl() == inputString.impl())
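
Review bot: The early return at line 1526 could be placed before `string->value(exec)` by testing `string->length()` instead, since a JSString records its length even while it is still an unresolved rope; that would skip resolving the rope for the empty case entirely, while the exception check at line 1525 would still guard the non-empty path. Either way, a one-line comment next to `if (!inputString.length())` stating that the 8-bit `convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit` path assumes a non-zero length (as the message explains) would keep a later reader from removing the guard as redundant.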
  • trunk/Source/JavaScriptCore/jsc.cpp

    r207239 r207377  
    790790static EncodedJSValue JSC_HOST_CALL functionGetRandomSeed(ExecState*);
    791791static EncodedJSValue JSC_HOST_CALL functionSetRandomSeed(ExecState*);
     792static EncodedJSValue JSC_HOST_CALL functionIsRope(ExecState*);
    792793
    793794struct Script {
     
    10081009        addFunction(vm, "getRandomSeed", functionGetRandomSeed, 0);
    10091010        addFunction(vm, "setRandomSeed", functionSetRandomSeed, 1);
     1011        addFunction(vm, "isRope", functionIsRope, 1);
    10101012
    10111013        addFunction(vm, "is32BitPlatform", functionIs32BitPlatform, 0);
     
    18061808}
    18071809
     1810EncodedJSValue JSC_HOST_CALL functionIsRope(ExecState* exec)
     1811{
     1812    JSValue argument = exec->argument(0);
     1813    if (!argument.isString())
     1814        return JSValue::encode(jsBoolean(false));
     1815    const StringImpl* impl = jsCast<JSString*>(argument)->tryGetValueImpl();
     1816    return JSValue::encode(jsBoolean(!impl));
     1817}
     1818
    18081819EncodedJSValue JSC_HOST_CALL functionReadline(ExecState* exec)
    18091820{
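
Review bot: `functionIsRope` at line 1810 has no comment explaining that a null result from `tryGetValueImpl()` is what identifies an unresolved rope; since that is an implementation detail of JSString, a short comment there, plus a note that `isRope` (registered at line 1011) is a jsc-shell test hook rather than a public API, would help. The non-string case returning `false` is fine: `exec->argument(0)` yields undefined when no argument is passed, which takes the same path.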