Changeset 224309 in webkit
- Timestamp:
- Nov 1, 2017 6:54:43 PM (6 years ago)
- Location:
- trunk/Source
- Files:
-
- 67 edited
trunk/Source/JavaScriptCore/API/JSObjectRef.cpp
r223746 r224309 152 152 args.append(jsString(exec, parameterNames[i]->string())); 153 153 args.append(jsString(exec, body->string())); 154 if (UNLIKELY(args.hasOverflowed())) { 155 auto throwScope = DECLARE_THROW_SCOPE(vm); 156 throwOutOfMemoryError(exec, throwScope); 157 handleExceptionIfNeeded(scope, exec, exception); 158 return 0; 159 } 154 160 155 161 auto sourceURLString = sourceURL ? sourceURL->string() : String(); … … 176 182 for (size_t i = 0; i < argumentCount; ++i) 177 183 argList.append(toJS(exec, arguments[i])); 184 if (UNLIKELY(argList.hasOverflowed())) { 185 auto throwScope = DECLARE_THROW_SCOPE(vm); 186 throwOutOfMemoryError(exec, throwScope); 187 handleExceptionIfNeeded(scope, exec, exception); 188 return 0; 189 } 178 190 179 191 result = constructArray(exec, static_cast<ArrayAllocationProfile*>(0), argList); … … 201 213 for (size_t i = 0; i < argumentCount; ++i) 202 214 argList.append(toJS(exec, arguments[i])); 215 if (UNLIKELY(argList.hasOverflowed())) { 216 auto throwScope = DECLARE_THROW_SCOPE(vm); 217 throwOutOfMemoryError(exec, throwScope); 218 handleExceptionIfNeeded(scope, exec, exception); 219 return 0; 220 } 203 221 204 222 JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), JSValue(), argList); … … 244 262 for (size_t i = 0; i < argumentCount; ++i) 245 263 argList.append(toJS(exec, arguments[i])); 264 if (UNLIKELY(argList.hasOverflowed())) { 265 auto throwScope = DECLARE_THROW_SCOPE(vm); 266 throwOutOfMemoryError(exec, throwScope); 267 handleExceptionIfNeeded(scope, exec, exception); 268 return 0; 269 } 246 270 247 271 JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList); … … 582 606 for (size_t i = 0; i < argumentCount; i++) 583 607 argList.append(toJS(exec, arguments[i])); 608 if (UNLIKELY(argList.hasOverflowed())) { 609 auto throwScope = DECLARE_THROW_SCOPE(vm); 610 throwOutOfMemoryError(exec, throwScope); 611 handleExceptionIfNeeded(scope, exec, exception); 612 return 0; 613 } 584 614 585 615 
CallData callData; … … 623 653 for (size_t i = 0; i < argumentCount; i++) 624 654 argList.append(toJS(exec, arguments[i])); 655 if (UNLIKELY(argList.hasOverflowed())) { 656 auto throwScope = DECLARE_THROW_SCOPE(vm); 657 throwOutOfMemoryError(exec, throwScope); 658 handleExceptionIfNeeded(scope, exec, exception); 659 return 0; 660 } 625 661 626 662 JSObjectRef result = toRef(profiledConstruct(exec, ProfilingReason::API, jsObject, constructType, constructData, argList)); -
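Review bot: The overflow handler inserted after each argument loop (new lines 154, 184, 215, 264, 608 and 655) is the same six lines repeated verbatim — nested throw scope, throwOutOfMemoryError, handleExceptionIfNeeded, `return 0;` — which is a maintenance point rather than a defect, and these are the public C API entry points where `argumentCount` is caller-supplied, so the guard has to stay identical at every site. A file-local helper taking the VM, the ExecState, the existing `scope` and the `exception` out-parameter would let each site shrink to a one-line `if (UNLIKELY(argList.hasOverflowed())) return handleArgumentOverflow(vm, exec, scope, exception);` (helper name constructed), with the nested `DECLARE_THROW_SCOPE(vm)` living in one place. Each of the six enclosing functions begins and ends outside its hunk, so the helper's exact return type per site (JSObjectRef vs JSValueRef) would need checking against the full file.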
trunk/Source/JavaScriptCore/ChangeLog
r224302 r224309 1 2017-11-01 Mark Lam <mark.lam@apple.com> 2 3 Add support to throw OOM if MarkedArgumentBuffer may overflow. 4 https://bugs.webkit.org/show_bug.cgi?id=179092 5 <rdar://problem/35116160> 6 7 Reviewed by Saam Barati. 8 9 The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long 10 time, which renders it unsuitable for automated tests. Instead, I've run a 11 test manually to verify that an OutOfMemoryError will be thrown when an overflow 12 occurs. 13 14 The MarkedArgumentBuffer's destructor will now assert that the client has indeed 15 checked for an overflow after invoking methods that may result in an overflow i.e. 16 the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called. 17 This is only done on debug builds. 18 19 * API/JSObjectRef.cpp: 20 (JSObjectMakeFunction): 21 (JSObjectMakeArray): 22 (JSObjectMakeDate): 23 (JSObjectMakeRegExp): 24 (JSObjectCallAsFunction): 25 (JSObjectCallAsConstructor): 26 * dfg/DFGOperations.cpp: 27 * inspector/InjectedScriptManager.cpp: 28 (Inspector::InjectedScriptManager::createInjectedScript): 29 * inspector/JSJavaScriptCallFrame.cpp: 30 (Inspector::JSJavaScriptCallFrame::scopeChain const): 31 * interpreter/Interpreter.cpp: 32 (JSC::Interpreter::executeProgram): 33 * jsc.cpp: 34 (functionDollarAgentReceiveBroadcast): 35 * runtime/ArgList.cpp: 36 (JSC::MarkedArgumentBuffer::slowEnsureCapacity): 37 (JSC::MarkedArgumentBuffer::expandCapacity): 38 (JSC::MarkedArgumentBuffer::slowAppend): 39 * runtime/ArgList.h: 40 (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer): 41 (JSC::MarkedArgumentBuffer::appendWithAction): 42 (JSC::MarkedArgumentBuffer::append): 43 (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow): 44 (JSC::MarkedArgumentBuffer::hasOverflowed): 45 (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck): 46 (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck): 47 * runtime/ArrayPrototype.cpp: 48 * runtime/CommonSlowPaths.cpp: 49 (JSC::SLOW_PATH_DECL): 50 * 
runtime/GetterSetter.cpp: 51 (JSC::callSetter): 52 * runtime/IteratorOperations.cpp: 53 (JSC::iteratorNext): 54 (JSC::iteratorClose): 55 * runtime/JSBoundFunction.cpp: 56 (JSC::boundThisNoArgsFunctionCall): 57 (JSC::boundFunctionCall): 58 (JSC::boundThisNoArgsFunctionConstruct): 59 (JSC::boundFunctionConstruct): 60 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 61 (JSC::constructGenericTypedArrayViewFromIterator): 62 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: 63 (JSC::genericTypedArrayViewProtoFuncSlice): 64 (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): 65 * runtime/JSGlobalObject.cpp: 66 (JSC::JSGlobalObject::haveABadTime): 67 * runtime/JSInternalPromise.cpp: 68 (JSC::JSInternalPromise::then): 69 * runtime/JSJob.cpp: 70 (JSC::JSJobMicrotask::run): 71 * runtime/JSMapIterator.cpp: 72 (JSC::JSMapIterator::createPair): 73 * runtime/JSModuleLoader.cpp: 74 (JSC::JSModuleLoader::provideFetch): 75 (JSC::JSModuleLoader::loadAndEvaluateModule): 76 (JSC::JSModuleLoader::loadModule): 77 (JSC::JSModuleLoader::linkAndEvaluateModule): 78 (JSC::JSModuleLoader::requestImportModule): 79 * runtime/JSONObject.cpp: 80 (JSC::Stringifier::toJSONImpl): 81 (JSC::Stringifier::appendStringifiedValue): 82 (JSC::Walker::callReviver): 83 * runtime/JSObject.cpp: 84 (JSC::ordinarySetSlow): 85 (JSC::callToPrimitiveFunction): 86 (JSC::JSObject::hasInstance): 87 * runtime/JSPromise.cpp: 88 (JSC::JSPromise::initialize): 89 (JSC::JSPromise::resolve): 90 * runtime/JSPromiseDeferred.cpp: 91 (JSC::newPromiseCapability): 92 (JSC::callFunction): 93 * runtime/JSSetIterator.cpp: 94 (JSC::JSSetIterator::createPair): 95 * runtime/LiteralParser.cpp: 96 (JSC::LiteralParser<CharType>::parse): 97 * runtime/MapConstructor.cpp: 98 (JSC::constructMap): 99 * runtime/ObjectConstructor.cpp: 100 (JSC::defineProperties): 101 * runtime/ProxyObject.cpp: 102 (JSC::performProxyGet): 103 (JSC::ProxyObject::performInternalMethodGetOwnProperty): 104 (JSC::ProxyObject::performHasProperty): 105 
(JSC::ProxyObject::performPut): 106 (JSC::performProxyCall): 107 (JSC::performProxyConstruct): 108 (JSC::ProxyObject::performDelete): 109 (JSC::ProxyObject::performPreventExtensions): 110 (JSC::ProxyObject::performIsExtensible): 111 (JSC::ProxyObject::performDefineOwnProperty): 112 (JSC::ProxyObject::performGetOwnPropertyNames): 113 (JSC::ProxyObject::performSetPrototype): 114 (JSC::ProxyObject::performGetPrototype): 115 * runtime/ReflectObject.cpp: 116 (JSC::reflectObjectConstruct): 117 * runtime/SetConstructor.cpp: 118 (JSC::constructSet): 119 * runtime/StringPrototype.cpp: 120 (JSC::replaceUsingRegExpSearch): 121 (JSC::replaceUsingStringSearch): 122 * runtime/WeakMapConstructor.cpp: 123 (JSC::constructWeakMap): 124 * runtime/WeakSetConstructor.cpp: 125 (JSC::constructWeakSet): 126 * wasm/js/WasmToJS.cpp: 127 (JSC::Wasm::wasmToJS): 128 1 129 2017-11-01 Michael Saboff <msaboff@apple.com> 2 130 -
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r224280 r224309 2407 2407 MarkedArgumentBuffer arguments; 2408 2408 arguments.append(iterable); 2409 ASSERT(!arguments.hasOverflowed()); 2409 2410 JSValue arrayResult = call(exec, iterationFunction, callType, callData, jsNull(), arguments); 2410 2411 RETURN_IF_EXCEPTION(throwScope, nullptr); -
trunk/Source/JavaScriptCore/inspector/InjectedScriptManager.cpp
r218794 r224309 1 1 /* 2 * Copyright (C) 2007 , 2008, 2013Apple Inc. All rights reserved.2 * Copyright (C) 2007-2017 Apple Inc. All rights reserved. 3 3 * Copyright (C) 2008 Matt Lilek <webkit@mattlilek.com> 4 4 * Copyright (C) 2012 Google Inc. All rights reserved. … … 159 159 args.append(globalThisValue); 160 160 args.append(jsNumber(id)); 161 ASSERT(!args.hasOverflowed()); 161 162 162 163 JSValue result = JSC::call(scriptState, functionValue, callType, callData, globalThisValue, args); -
trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp
r221822 r224309 1 1 /* 2 * Copyright (C) 2014 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2014-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 181 181 JSValue JSJavaScriptCallFrame::scopeChain(ExecState* exec) const 182 182 { 183 VM& vm = exec->vm(); 184 auto scope = DECLARE_THROW_SCOPE(vm); 185 183 186 if (!impl().scopeChain()) 184 187 return jsNull(); … … 196 199 ++iter; 197 200 } while (iter != end); 201 if (UNLIKELY(list.hasOverflowed())) { 202 throwOutOfMemoryError(exec, scope); 203 return { }; 204 } 198 205 199 206 return constructArray(exec, nullptr, globalObject(), list); -
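Review bot: scopeChain() now declares a ThrowScope, but the tail `return constructArray(exec, nullptr, globalObject(), list);` is left without `scope.release();`, unlike boundFunctionCall and boundFunctionConstruct in this same changeset, which release before their throwing tail calls. If constructArray throws, the debug exception-check verifier will presumably charge the unchecked exception to this scope; adding `scope.release();` on the line before the return makes the function consistent with the other sites. The new `return { };` after throwOutOfMemoryError is fine as written. The function body is split across the two hunks here, so the loop between them was not reviewed.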
trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp
r224272 r224309 863 863 MarkedArgumentBuffer jsonArg; 864 864 jsonArg.append(JSONPValue); 865 ASSERT(!jsonArg.hasOverflowed()); 865 866 JSValue thisValue = JSONPPath.size() == 1 ? jsUndefined(): baseObject; 866 867 JSONPValue = JSC::call(callFrame, function, callType, callData, thisValue, jsonArg); -
trunk/Source/JavaScriptCore/jsc.cpp
r223746 r224309 2912 2912 args.append(jsBuffer); 2913 2913 args.append(jsNumber(message->index())); 2914 if (UNLIKELY(args.hasOverflowed())) 2915 return JSValue::encode(throwOutOfMemoryError(exec, scope)); 2914 2916 scope.release(); 2915 2917 return JSValue::encode(call(exec, callback, callType, callData, jsNull(), args)); -
trunk/Source/JavaScriptCore/runtime/ArgList.cpp
r212692 r224309 66 66 void MarkedArgumentBuffer::slowEnsureCapacity(size_t requestedCapacity) 67 67 { 68 int newCapacity = Checked<int>(requestedCapacity).unsafeGet(); 69 expandCapacity(newCapacity); 68 setNeedsOverflowCheck(); 69 auto checkedNewCapacity = Checked<int, RecordOverflow>(requestedCapacity); 70 if (UNLIKELY(checkedNewCapacity.hasOverflowed())) 71 return this->overflowed(); 72 expandCapacity(checkedNewCapacity.unsafeGet()); 70 73 } 71 74 72 75 void MarkedArgumentBuffer::expandCapacity() 73 76 { 74 int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet(); 75 expandCapacity(newCapacity); 77 setNeedsOverflowCheck(); 78 auto checkedNewCapacity = Checked<int, RecordOverflow>(m_capacity) * 2; 79 if (UNLIKELY(checkedNewCapacity.hasOverflowed())) 80 return this->overflowed(); 81 expandCapacity(checkedNewCapacity.unsafeGet()); 76 82 } 77 83 78 84 void MarkedArgumentBuffer::expandCapacity(int newCapacity) 79 85 { 86 setNeedsOverflowCheck(); 80 87 ASSERT(m_capacity < newCapacity); 81 size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet(); 82 EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size)); 88 auto checkedSize = Checked<size_t, RecordOverflow>(newCapacity) * sizeof(EncodedJSValue); 89 if (UNLIKELY(checkedSize.hasOverflowed())) 90 return this->overflowed(); 91 EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(checkedSize.unsafeGet())); 83 92 for (int i = 0; i < m_size; ++i) { 84 93 newBuffer[i] = m_buffer[i]; … … 98 107 if (m_size == m_capacity) 99 108 expandCapacity(); 109 if (UNLIKELY(Base::hasOverflowed())) { 110 ASSERT(m_needsOverflowCheck); 111 return; 112 } 100 113 101 114 slotFor(m_size) = JSValue::encode(v); -
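Review bot: slowAppend now drops the value silently once the RecordOverflow flag is set, but nothing in the file says so; a reader of the early `return;` under `Base::hasOverflowed()` cannot tell whether the element was stored. Suggest a comment above that check: `// Once any capacity computation has overflowed, every later append is a no-op and m_size stops growing; the owner must consult hasOverflowed() before handing the buffer to a callee.` The three `return this->overflowed();` exits also leave m_capacity untouched, so appends that still fit the existing storage apparently keep succeeding through the inline fast path until it is full (inferred from appendWithAction in ArgList.h) — worth stating next to slowEnsureCapacity so nobody reads the flag as "buffer is empty". Each of the four functions is shown in full, but the file's header comment is outside the hunk.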
trunk/Source/JavaScriptCore/runtime/ArgList.h
r212692 r224309 23 23 24 24 #include "CallFrame.h" 25 #include <wtf/CheckedArithmetic.h> 25 26 #include <wtf/ForbidHeapAllocation.h> 26 27 #include <wtf/HashSet.h> … … 28 29 namespace JSC { 29 30 30 class MarkedArgumentBuffer {31 class MarkedArgumentBuffer : public RecordOverflow { 31 32 WTF_MAKE_NONCOPYABLE(MarkedArgumentBuffer); 32 33 WTF_FORBID_HEAP_ALLOCATION; … … 35 36 36 37 private: 38 using Base = RecordOverflow; 37 39 static const size_t inlineCapacity = 8; 38 40 typedef HashSet<MarkedArgumentBuffer*> ListSet; … … 51 53 ~MarkedArgumentBuffer() 52 54 { 55 ASSERT(!m_needsOverflowCheck); 53 56 if (m_markSet) 54 57 m_markSet->remove(this); … … 74 77 } 75 78 76 void append(JSValue v) 79 enum OverflowCheckAction { 80 CrashOnOverflow, 81 WillCheckLater 82 }; 83 template<OverflowCheckAction action> 84 void appendWithAction(JSValue v) 77 85 { 78 86 ASSERT(m_size <= m_capacity); 79 if (m_size == m_capacity || mallocBase()) 80 return slowAppend(v); 87 if (m_size == m_capacity || mallocBase()) { 88 slowAppend(v); 89 if (action == CrashOnOverflow) 90 RELEASE_ASSERT(!hasOverflowed()); 91 return; 92 } 81 93 82 94 slotFor(m_size) = JSValue::encode(v); 83 95 ++m_size; 84 96 } 97 void append(JSValue v) { appendWithAction<WillCheckLater>(v); } 98 void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); } 85 99 86 100 void removeLast() … … 104 118 } 105 119 120 bool hasOverflowed() 121 { 122 clearNeedsOverflowCheck(); 123 return Base::hasOverflowed(); 124 } 125 106 126 private: 107 127 void expandCapacity(); … … 112 132 113 133 JS_EXPORT_PRIVATE void slowAppend(JSValue); 114 134 115 135 EncodedJSValue& slotFor(int item) const 116 136 { … … 124 144 return &slotFor(0); 125 145 } 126 146 147 #if ASSERT_DISABLED 148 void setNeedsOverflowCheck() { } 149 void clearNeedsOverflowCheck() { } 150 #else 151 void setNeedsOverflowCheck() { m_needsOverflowCheck = true; } 152 void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; } 153 154 bool 
m_needsOverflowCheck { false }; 155 #endif 127 156 int m_size; 128 157 int m_capacity; -
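Review bot: The new `hasOverflowed()` is non-const, has a debug side effect (it clears m_needsOverflowCheck) and hides `RecordOverflow::hasOverflowed() const`; because the inheritance is public, anything holding a `const MarkedArgumentBuffer&` or a `RecordOverflow&` reaches the base version instead, and the destructor's `ASSERT(!m_needsOverflowCheck)` would then fire even though the flag was checked. Unless something relies on the is-a relationship, `class MarkedArgumentBuffer : private RecordOverflow {` closes that gap (the `Base` alias, `Base::hasOverflowed()` and `this->overflowed()` in ArgList.cpp keep working). Independently, the contract belongs on the method: `// Callers must consult this after appending and before using the buffer; in debug builds this call is what satisfies the destructor's assertion.` The class body continues across several hunks, so other members that might expose the base were not visible.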
trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r223834 r224309 255 255 MarkedArgumentBuffer args; 256 256 args.append(jsNumber(length)); 257 ASSERT(!args.hasOverflowed()); 257 258 JSObject* newObject = construct(exec, constructor, args, "Species construction did not get a valid constructor"); 258 259 RETURN_IF_EXCEPTION(scope, exceptionResult()); -
trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
r224280 r224309 1096 1096 MarkedArgumentBuffer arguments; 1097 1097 arguments.append(iterable); 1098 ASSERT(!arguments.hasOverflowed()); 1098 1099 JSValue arrayResult = call(exec, iterationFunction, callType, callData, jsNull(), arguments); 1099 1100 CHECK_EXCEPTION(); -
trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp
r217108 r224309 2 2 * Copyright (C) 1999-2002 Harri Porten (porten@kde.org) 3 3 * Copyright (C) 2001 Peter Kelly (pmk@post.com) 4 * Copyright (C) 2004 , 2007-2009, 2014, 2016Apple Inc. All rights reserved.4 * Copyright (C) 2004-2017 Apple Inc. All rights reserved. 5 5 * 6 6 * This library is free software; you can redistribute it and/or … … 102 102 MarkedArgumentBuffer args; 103 103 args.append(value); 104 ASSERT(!args.hasOverflowed()); 104 105 105 106 CallData callData; -
trunk/Source/JavaScriptCore/runtime/IteratorOperations.cpp
r223125 r224309 53 53 if (!argument.isEmpty()) 54 54 nextFunctionArguments.append(argument); 55 ASSERT(!nextFunctionArguments.hasOverflowed()); 55 56 JSValue result = call(exec, nextFunction, nextFunctionCallType, nextFunctionCallData, iterator, nextFunctionArguments); 56 57 RETURN_IF_EXCEPTION(scope, JSValue()); … … 118 119 119 120 MarkedArgumentBuffer returnFunctionArguments; 121 ASSERT(!returnFunctionArguments.hasOverflowed()); 120 122 JSValue innerResult = call(exec, returnFunction, returnFunctionCallType, returnFunctionCallData, iterationRecord.iterator, returnFunctionArguments); 121 123 -
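Review bot: In iteratorClose the new `ASSERT(!returnFunctionArguments.hasOverflowed());` directly follows the buffer's declaration with nothing appended, so it can never fail: the destructor check only arms when a capacity computation runs, and an empty buffer never reaches one. If the line is there for greppable uniformity with the other call() sites, a trailing `// nothing appended; kept for uniformity` would stop the next reader from removing or "fixing" it; otherwise it can simply go. The iteratorNext hunk above is fine as written. Both enclosing functions begin outside their hunks.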
trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp
r223125 r224309 42 42 for (unsigned i = 0; i < exec->argumentCount(); ++i) 43 43 args.append(exec->uncheckedArgument(i)); 44 RELEASE_ASSERT(!args.hasOverflowed()); 44 45 45 46 JSFunction* targetFunction = jsCast<JSFunction*>(boundFunction->targetFunction()); … … 57 58 EncodedJSValue JSC_HOST_CALL boundFunctionCall(ExecState* exec) 58 59 { 60 VM& vm = exec->vm(); 61 auto scope = DECLARE_THROW_SCOPE(vm); 59 62 JSBoundFunction* boundFunction = jsCast<JSBoundFunction*>(exec->jsCallee()); 60 63 … … 68 71 for (unsigned i = 0; i < exec->argumentCount(); ++i) 69 72 args.append(exec->uncheckedArgument(i)); 73 if (UNLIKELY(args.hasOverflowed())) { 74 throwOutOfMemoryError(exec, scope); 75 return encodedJSValue(); 76 } 70 77 71 78 JSObject* targetFunction = boundFunction->targetFunction(); … … 73 80 CallType callType = getCallData(targetFunction, callData); 74 81 ASSERT(callType != CallType::None); 82 scope.release(); 75 83 return JSValue::encode(call(exec, targetFunction, callType, callData, boundFunction->boundThis(), args)); 76 84 } … … 83 91 for (unsigned i = 0; i < exec->argumentCount(); ++i) 84 92 args.append(exec->uncheckedArgument(i)); 93 RELEASE_ASSERT(!args.hasOverflowed()); 85 94 86 95 JSFunction* targetFunction = jsCast<JSFunction*>(boundFunction->targetFunction()); … … 93 102 EncodedJSValue JSC_HOST_CALL boundFunctionConstruct(ExecState* exec) 94 103 { 104 VM& vm = exec->vm(); 105 auto scope = DECLARE_THROW_SCOPE(vm); 95 106 JSBoundFunction* boundFunction = jsCast<JSBoundFunction*>(exec->jsCallee()); 96 107 … … 104 115 for (unsigned i = 0; i < exec->argumentCount(); ++i) 105 116 args.append(exec->uncheckedArgument(i)); 117 if (UNLIKELY(args.hasOverflowed())) { 118 throwOutOfMemoryError(exec, scope); 119 return encodedJSValue(); 120 } 106 121 107 122 JSObject* targetFunction = boundFunction->targetFunction(); … … 109 124 ConstructType constructType = getConstructData(targetFunction, constructData); 110 125 ASSERT(constructType != ConstructType::None); 126 
scope.release(); 111 127 return JSValue::encode(construct(exec, targetFunction, constructType, constructData, args)); 112 128 } -
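Review bot: boundThisNoArgsFunctionCall and boundThisNoArgsFunctionConstruct crash on overflow with `RELEASE_ASSERT(!args.hasOverflowed());`, while boundFunctionCall and boundFunctionConstruct throw an OutOfMemoryError after what looks like the same loop over `exec->argumentCount()`; presumably the no-args variants copy only the incoming frame's arguments, whose count the call frame already bounds, but that reasoning is not written down. Suggest a comment on each RELEASE_ASSERT: `// Only the incoming call frame's arguments are copied, so the count is already bounded; overflow here is a bug, not an input condition.` — if that is indeed the reason. The `RELEASE_ASSERT(!markBuffer.hasOverflowed());` added in runtime/ObjectConstructor.cpp (defineProperties) raises the same question, since numProperties there comes from a script-supplied object. The two no-args functions start outside their hunks.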
trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
r222617 r224309 1 1 /* 2 * Copyright (C) 2013-201 6Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 86 86 forEachInIterable(*exec, iterable, iteratorMethod, [&] (VM&, ExecState&, JSValue value) { 87 87 storage.append(value); 88 if (UNLIKELY(storage.hasOverflowed())) { 89 throwOutOfMemoryError(exec, scope); 90 return; 91 } 88 92 }); 89 93 RETURN_IF_EXCEPTION(scope, nullptr); -
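Review bot: Once the buffer has overflowed the lambda will call throwOutOfMemoryError on every further element, because the RecordOverflow flag is sticky and the lambda has no way to stop the iteration other than the pending exception. That is only correct if forEachInIterable stops calling back as soon as an exception is pending — likely, but not visible here; if it does not, the second iteration throws on top of a pending exception. A one-line comment above the check would pin the assumption: `// forEachInIterable stops after the first pending exception, so this throws at most once.` The enclosing function and the earlier part of the forEachInIterable call are outside the hunk.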
trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
r218794 r224309 450 450 MarkedArgumentBuffer args; 451 451 args.append(jsNumber(length)); 452 ASSERT(!args.hasOverflowed()); 452 453 453 454 JSArrayBufferView* result = speciesConstruct(exec, thisObject, args, [&]() { … … 564 565 args.append(jsNumber(newByteOffset)); 565 566 args.append(jsNumber(length)); 567 ASSERT(!args.hasOverflowed()); 566 568 567 569 JSObject* result = construct(exec, species, args, "species is not a constructor"); -
trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
r223746 r224309 1216 1216 vm.heap.objectSpace().forEachLiveCell(iterationScope, finder); 1217 1217 } 1218 RELEASE_ASSERT(!foundObjects.hasOverflowed()); 1218 1219 while (!foundObjects.isEmpty()) { 1219 1220 JSObject* object = asObject(foundObjects.last()); -
trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp
r221849 r224309 1 1 /* 2 * Copyright (C) 2015-201 6Apple Inc. All rights reserved.2 * Copyright (C) 2015-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 65 65 arguments.append(onFulfilled ? onFulfilled : jsUndefined()); 66 66 arguments.append(onRejected ? onRejected : jsUndefined()); 67 ASSERT(!arguments.hasOverflowed()); 67 68 68 69 scope.release(); -
trunk/Source/JavaScriptCore/runtime/JSJob.cpp
r221849 r224309 1 1 /* 2 * Copyright (C) 2013 Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 77 77 handlerArguments.append(arg); 78 78 } 79 if (UNLIKELY(handlerArguments.hasOverflowed())) 80 return; 79 81 profiledCall(exec, ProfilingReason::Microtask, m_job.get(), handlerCallType, handlerCallData, jsUndefined(), handlerArguments); 80 82 scope.clearException(); -
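Review bot: JSJobMicrotask::run now returns silently when handlerArguments has overflowed, whereas the other call sites in this changeset throw an OutOfMemoryError; here the two are equivalent because the `scope.clearException();` two lines later would discard the error anyway, but the reader has to work that out. A comment on the early return would make the policy explicit: `// A microtask has nobody to report to: like any exception from the handler (cleared below), an overflow simply skips the job.` The function begins outside the hunk.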
trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp
r221110 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple, Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple, Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 55 55 args.append(key); 56 56 args.append(value); 57 ASSERT(!args.hasOverflowed()); 57 58 JSGlobalObject* globalObject = callFrame->jsCallee()->globalObject(); 58 59 return constructArray(callFrame, 0, globalObject, args); -
trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp
r223777 r224309 1 1 /* 2 * Copyright (C) 2015 Apple Inc. All Rights Reserved.2 * Copyright (C) 2015-2017 Apple Inc. All Rights Reserved. 3 3 * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>. 4 4 * … … 95 95 arguments.append(key); 96 96 arguments.append(JSSourceCode::create(vm, WTFMove(source))); 97 ASSERT(!arguments.hasOverflowed()); 97 98 98 99 scope.release(); … … 115 116 arguments.append(parameters); 116 117 arguments.append(scriptFetcher); 118 ASSERT(!arguments.hasOverflowed()); 117 119 118 120 scope.release(); … … 135 137 arguments.append(parameters); 136 138 arguments.append(scriptFetcher); 139 ASSERT(!arguments.hasOverflowed()); 137 140 138 141 scope.release(); … … 154 157 arguments.append(moduleKey); 155 158 arguments.append(scriptFetcher); 159 ASSERT(!arguments.hasOverflowed()); 156 160 157 161 scope.release(); … … 174 178 arguments.append(parameters); 175 179 arguments.append(scriptFetcher); 180 ASSERT(!arguments.hasOverflowed()); 176 181 177 182 scope.release(); -
trunk/Source/JavaScriptCore/runtime/JSONObject.cpp
r223731 r224309 314 314 MarkedArgumentBuffer args; 315 315 args.append(propertyName.value(m_exec)); 316 ASSERT(!args.hasOverflowed()); 316 317 return call(m_exec, asObject(toJSONFunction), callType, callData, value, args); 317 318 } … … 331 332 args.append(propertyName.value(m_exec)); 332 333 args.append(value); 334 ASSERT(!args.hasOverflowed()); 333 335 value = call(m_exec, m_replacer.get(), m_replacerCallType, m_replacerCallData, holder.object(), args); 334 336 RETURN_IF_EXCEPTION(scope, StringifyFailed); … … 610 612 args.append(property); 611 613 args.append(unfiltered); 614 ASSERT(!args.hasOverflowed()); 612 615 return call(m_exec, m_function.get(), m_callType, m_callData, thisObj, args); 613 616 } -
trunk/Source/JavaScriptCore/runtime/JSObject.cpp
r223746 r224309 741 741 MarkedArgumentBuffer args; 742 742 args.append(value); 743 ASSERT(!args.hasOverflowed()); 743 744 744 745 CallData callData; … … 1939 1940 callArgs.append(hintString); 1940 1941 } 1942 ASSERT(!callArgs.hasOverflowed()); 1941 1943 1942 1944 JSValue result = call(exec, function, callType, callData, const_cast<JSObject*>(object), callArgs); … … 2053 2055 MarkedArgumentBuffer args; 2054 2056 args.append(value); 2057 ASSERT(!args.hasOverflowed()); 2055 2058 JSValue result = call(exec, hasInstanceValue, callType, callData, this, args); 2056 2059 RETURN_IF_EXCEPTION(scope, false); -
trunk/Source/JavaScriptCore/runtime/JSPromise.cpp
r217108 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 71 71 MarkedArgumentBuffer arguments; 72 72 arguments.append(executor); 73 ASSERT(!arguments.hasOverflowed()); 73 74 call(exec, initializePromise, callType, callData, this, arguments); 74 75 } … … 106 107 MarkedArgumentBuffer arguments; 107 108 arguments.append(value); 109 ASSERT(!arguments.hasOverflowed()); 108 110 auto result = call(exec, promiseResolveFunction, callType, callData, globalObject.promiseConstructor(), arguments); 109 111 RETURN_IF_EXCEPTION(scope, nullptr); -
trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp
r221849 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 49 49 MarkedArgumentBuffer arguments; 50 50 arguments.append(promiseConstructor); 51 ASSERT(!arguments.hasOverflowed()); 51 52 return call(exec, newPromiseCapabilityFunction, callType, callData, jsUndefined(), arguments); 52 53 } … … 97 98 MarkedArgumentBuffer arguments; 98 99 arguments.append(value); 100 ASSERT(!arguments.hasOverflowed()); 99 101 100 102 call(exec, function, callType, callData, jsUndefined(), arguments); -
trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp
r221110 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple, Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple, Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 55 55 args.append(key); 56 56 args.append(value); 57 ASSERT(!args.hasOverflowed()); 57 58 JSGlobalObject* globalObject = callFrame->jsCallee()->globalObject(); 58 59 return constructArray(callFrame, 0, globalObject, args); -
trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp
r221849 r224309 1 1 /* 2 * Copyright (C) 2009 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2009-2017 Apple Inc. All rights reserved. 3 3 * Copyright (C) 2012 Mathias Bynens (mathias@qiwi.be) 4 4 * … … 594 594 JSArray* array = constructEmptyArray(m_exec, 0); 595 595 RETURN_IF_EXCEPTION(scope, JSValue()); 596 objectStack.append (array);596 objectStack.appendWithCrashOnOverflow(array); 597 597 } 598 598 doParseArrayStartExpression: … … 635 635 case StartParseObject: { 636 636 JSObject* object = constructEmptyObject(m_exec); 637 objectStack.append (object);637 objectStack.appendWithCrashOnOverflow(object); 638 638 639 639 TokenType type = m_lexer.next(); -
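Review bot: LiteralParser::parse now terminates the process via appendWithCrashOnOverflow on objectStack (new lines 596 and 637) even though a throw scope is available in this function (`RETURN_IF_EXCEPTION(scope, JSValue());` at 595) and the stack depth is driven by the nesting of untrusted JSON text, so the crash is a reachable denial-of-service path in principle. Throwing is what the rest of this changeset chose: `objectStack.append(array); if (UNLIKELY(objectStack.hasOverflowed())) { throwOutOfMemoryError(m_exec, scope); return JSValue(); }`, and likewise for the object case. If crashing was chosen deliberately because an int-sized capacity cannot be exhausted without an earlier allocation failure, a comment at the first site saying so would keep the next reader from reopening the question. parse() extends well outside both hunks.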
trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp
r222473 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 106 106 arguments.append(key); 107 107 arguments.append(value); 108 ASSERT(!arguments.hasOverflowed()); 108 109 scope.release(); 109 110 call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, map, arguments); -
trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
r223594 r224309 570 570 } 571 571 } 572 RELEASE_ASSERT(!markBuffer.hasOverflowed()); 572 573 for (size_t i = 0; i < numProperties; i++) { 573 574 auto& propertyName = propertyNames[i]; -
trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp
r222617 r224309 1 1 /* 2 * Copyright (C) 2016 Apple Inc. All Rights Reserved.2 * Copyright (C) 2016-2017 Apple Inc. All Rights Reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 166 166 arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid()))); 167 167 arguments.append(receiver); 168 ASSERT(!arguments.hasOverflowed()); 168 169 JSValue trapResult = call(exec, getHandler, callType, callData, handler, arguments); 169 170 RETURN_IF_EXCEPTION(scope, { }); … … 238 239 arguments.append(target); 239 240 arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid()))); 241 ASSERT(!arguments.hasOverflowed()); 240 242 JSValue trapResult = call(exec, getOwnPropertyDescriptorMethod, callType, callData, handler, arguments); 241 243 RETURN_IF_EXCEPTION(scope, false); … … 346 348 arguments.append(target); 347 349 arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid()))); 350 ASSERT(!arguments.hasOverflowed()); 348 351 JSValue trapResult = call(exec, hasMethod, callType, callData, handler, arguments); 349 352 RETURN_IF_EXCEPTION(scope, false); … … 453 456 arguments.append(putValue); 454 457 arguments.append(thisValue); 458 ASSERT(!arguments.hasOverflowed()); 455 459 JSValue trapResult = call(exec, setMethod, callType, callData, handler, arguments); 456 460 RETURN_IF_EXCEPTION(scope, false); … … 547 551 arguments.append(exec->thisValue()); 548 552 arguments.append(argArray); 553 ASSERT(!arguments.hasOverflowed()); 549 554 scope.release(); 550 555 return JSValue::encode(call(exec, applyMethod, callType, callData, handler, arguments)); … … 599 604 arguments.append(argArray); 600 605 arguments.append(exec->newTarget()); 606 ASSERT(!arguments.hasOverflowed()); 601 607 JSValue result = call(exec, constructMethod, callType, callData, handler, arguments); 602 608 RETURN_IF_EXCEPTION(scope, encodedJSValue()); … … 656 662 
arguments.append(target); 657 663 arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid()))); 664 ASSERT(!arguments.hasOverflowed()); 658 665 JSValue trapResult = call(exec, deletePropertyMethod, callType, callData, handler, arguments); 659 666 RETURN_IF_EXCEPTION(scope, false); … … 729 736 MarkedArgumentBuffer arguments; 730 737 arguments.append(target); 738 ASSERT(!arguments.hasOverflowed()); 731 739 JSValue trapResult = call(exec, preventExtensionsMethod, callType, callData, handler, arguments); 732 740 RETURN_IF_EXCEPTION(scope, false); … … 783 791 MarkedArgumentBuffer arguments; 784 792 arguments.append(target); 793 ASSERT(!arguments.hasOverflowed()); 785 794 JSValue trapResult = call(exec, isExtensibleMethod, callType, callData, handler, arguments); 786 795 RETURN_IF_EXCEPTION(scope, false); … … 853 862 arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid()))); 854 863 arguments.append(descriptorObject); 864 ASSERT(!arguments.hasOverflowed()); 855 865 JSValue trapResult = call(exec, definePropertyMethod, callType, callData, handler, arguments); 856 866 RETURN_IF_EXCEPTION(scope, false); … … 937 947 MarkedArgumentBuffer arguments; 938 948 arguments.append(target); 949 ASSERT(!arguments.hasOverflowed()); 939 950 JSValue arrayLikeObject = call(exec, ownKeysMethod, callType, callData, handler, arguments); 940 951 RETURN_IF_EXCEPTION(scope, void()); … … 1088 1099 arguments.append(target); 1089 1100 arguments.append(prototype); 1101 ASSERT(!arguments.hasOverflowed()); 1090 1102 JSValue trapResult = call(exec, setPrototypeOfMethod, callType, callData, handler, arguments); 1091 1103 RETURN_IF_EXCEPTION(scope, false); … … 1151 1163 MarkedArgumentBuffer arguments; 1152 1164 arguments.append(target); 1165 ASSERT(!arguments.hasOverflowed()); 1153 1166 JSValue trapResult = call(exec, getPrototypeOfMethod, callType, callData, handler, arguments); 1154 1167 RETURN_IF_EXCEPTION(scope, { }); -
trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp
r223594 r224309 122 122 }); 123 123 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 124 if (UNLIKELY(arguments.hasOverflowed())) { 125 throwOutOfMemoryError(exec, scope); 126 return encodedJSValue(); 127 } 124 128 125 129 scope.release(); -
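Review bot: The new overflow check sits after `RETURN_IF_EXCEPTION(scope, encodedJSValue());`, so when the conversion callback closed at line 122 throws part-way through an argument list that has already grown past the inline storage, the function returns without ever calling `arguments.hasOverflowed()`, and in debug builds the MarkedArgumentBuffer destructor's new `ASSERT(!m_needsOverflowCheck)` fires on that path — assuming the lambda itself does not check, which its body (outside this hunk) would show. The robust shape is the one this same changeset uses in JSGenericTypedArrayViewConstructorInlines.h: call `hasOverflowed()` inside the lambda right after each append and throw there, so the flag is consulted before any early exit; the post-loop check then becomes redundant. reflectObjectConstruct starts outside the hunk.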
trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp
r222473 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 93 93 MarkedArgumentBuffer arguments; 94 94 arguments.append(nextValue); 95 ASSERT(!arguments.hasOverflowed()); 95 96 call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, set, arguments); 96 97 }); -
trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
r224276 r224309 720 720 if (hasNamedCaptures) 721 721 args.append(groups); 722 if (UNLIKELY(args.hasOverflowed())) { 723 throwOutOfMemoryError(exec, scope); 724 return encodedJSValue(); 725 } 722 726 723 727 JSValue replacement = call(exec, replaceValue, callType, callData, jsUndefined(), args); … … 836 840 args.append(jsNumber(matchStart)); 837 841 args.append(jsString); 842 ASSERT(!args.hasOverflowed()); 838 843 replaceValue = call(exec, replaceValue, callType, callData, jsUndefined(), args); 839 844 RETURN_IF_EXCEPTION(scope, encodedJSValue()); -
trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp
r222473 r224309 1 1 /* 2 * Copyright (C) 2013 , 2016Apple, Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple, Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 91 91 arguments.append(key); 92 92 arguments.append(value); 93 ASSERT(!arguments.hasOverflowed()); 93 94 scope.release(); 94 95 call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, weakMap, arguments); -
trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp
r222473 r224309 1 1 /* 2 * Copyright (C) 2015-201 6Apple, Inc. All rights reserved.2 * Copyright (C) 2015-2017 Apple, Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 78 78 MarkedArgumentBuffer arguments; 79 79 arguments.append(nextValue); 80 ASSERT(!arguments.hasOverflowed()); 80 81 call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, weakSet, arguments); 81 82 }); -
trunk/Source/JavaScriptCore/wasm/js/WasmToJS.cpp
r224020 r224309 248 248 args.append(arg); 249 249 } 250 if (UNLIKELY(args.hasOverflowed())) { 251 throwOutOfMemoryError(exec, throwScope); 252 return 0; 253 } 250 254 251 255 CallData callData; -
trunk/Source/WebCore/ChangeLog
r224308 r224309 1 2017-11-01 Mark Lam <mark.lam@apple.com> 2 3 Add support to throw OOM if MarkedArgumentBuffer may overflow. 4 https://bugs.webkit.org/show_bug.cgi?id=179092 5 <rdar://problem/35116160> 6 7 Reviewed by Saam Barati. 8 9 No new tests. The test for overflowing a MarkedArgumentBuffer will run for a 10 ridiculously long time, which renders it unsuitable for automated tests. 11 12 * Modules/plugins/QuickTimePluginReplacement.mm: 13 (WebCore::QuickTimePluginReplacement::installReplacement): 14 * bindings/js/JSCustomElementInterface.cpp: 15 (WebCore::constructCustomElementSynchronously): 16 (WebCore::JSCustomElementInterface::upgradeElement): 17 (WebCore::JSCustomElementInterface::invokeCallback): 18 * bindings/js/JSCustomXPathNSResolver.cpp: 19 (WebCore::JSCustomXPathNSResolver::lookupNamespaceURI): 20 * bindings/js/JSDOMBuiltinConstructorBase.cpp: 21 (WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments): 22 * bindings/js/JSDOMConvertSequences.h: 23 (WebCore::JSConverter<IDLSequence<T>>::convert): 24 (WebCore::JSConverter<IDLFrozenArray<T>>::convert): 25 * bindings/js/JSDOMConvertWebGL.cpp: 26 (WebCore::convertToJSValue): 27 * bindings/js/JSDOMIterator.h: 28 (WebCore::jsPair): 29 (WebCore::iteratorForEach): 30 * bindings/js/JSDOMMapLike.cpp: 31 (WebCore::forwardFunctionCallToBackingMap): 32 (WebCore::forwardForEachCallToBackingMap): 33 * bindings/js/JSDOMPromiseDeferred.cpp: 34 (WebCore::DeferredPromise::callFunction): 35 (WebCore::createRejectedPromiseWithTypeError): 36 * bindings/js/JSErrorHandler.cpp: 37 (WebCore::JSErrorHandler::handleEvent): 38 * bindings/js/JSEventListener.cpp: 39 (WebCore::JSEventListener::handleEvent): 40 * bindings/js/JSLazyEventListener.cpp: 41 (WebCore::JSLazyEventListener::initializeJSFunction const): 42 * bindings/js/JSPluginElementFunctions.cpp: 43 (WebCore::callPlugin): 44 * bindings/js/JSReadableStreamPrivateConstructors.cpp: 45 (WebCore::constructJSReadableStreamReaderGeneric): 46 * 
bindings/js/ReadableStream.cpp: 47 (WebCore::ReadableStream::create): 48 (WebCore::ReadableStream::pipeTo): 49 (WebCore::ReadableStream::tee): 50 (WebCore::ReadableStream::lock): 51 (WebCore::checkReadableStream): 52 * bindings/js/ReadableStreamDefaultController.cpp: 53 (WebCore::ReadableStreamDefaultController::invoke): 54 * bindings/js/ScheduledAction.cpp: 55 (WebCore::ScheduledAction::executeFunctionInContext): 56 * bindings/js/SerializedScriptValue.cpp: 57 (WebCore::CloneSerializer::recordObject): 58 (WebCore::CloneSerializer::serialize): 59 (WebCore::CloneDeserializer::readTerminal): 60 (WebCore::CloneDeserializer::deserialize): 61 * bindings/scripts/CodeGeneratorJS.pm: 62 (GenerateCallbackImplementationContent): 63 * bindings/scripts/test/JS/JSTestCallbackFunction.cpp: 64 (WebCore::JSTestCallbackFunction::handleEvent): 65 * bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp: 66 (WebCore::JSTestCallbackFunctionRethrow::handleEvent): 67 * bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp: 68 (WebCore::JSTestCallbackFunctionWithThisObject::handleEvent): 69 * bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp: 70 (WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent): 71 * bindings/scripts/test/JS/JSTestCallbackInterface.cpp: 72 (WebCore::JSTestCallbackInterface::callbackWithNoParam): 73 (WebCore::JSTestCallbackInterface::callbackWithArrayParam): 74 (WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam): 75 (WebCore::JSTestCallbackInterface::callbackWithStringList): 76 (WebCore::JSTestCallbackInterface::callbackWithBoolean): 77 (WebCore::JSTestCallbackInterface::callbackRequiresThisToPass): 78 (WebCore::JSTestCallbackInterface::callbackWithAReturnValue): 79 (WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions): 80 (WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck): 81 (WebCore::JSTestCallbackInterface::callbackWithThisObject): 82 * 
bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp: 83 (WebCore::JSTestVoidCallbackFunction::handleEvent): 84 * bridge/NP_jsobject.cpp: 85 * bridge/objc/WebScriptObject.mm: 86 (-[WebScriptObject callWebScriptMethod:withArguments:]): 87 * html/HTMLMediaElement.cpp: 88 (WebCore::HTMLMediaElement::updateCaptionContainer): 89 (WebCore::HTMLMediaElement::didAddUserAgentShadowRoot): 90 (WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange): 91 (WebCore::HTMLMediaElement::getCurrentMediaControlsStatus): 92 * html/HTMLPlugInImageElement.cpp: 93 (WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot): 94 * testing/Internals.cpp: 95 (WebCore::Internals::cloneArrayBuffer): 96 1 97 2017-11-01 Andy Estes <aestes@apple.com> 2 98 -
trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm
r223476 r224309 206 206 argList.append(toJS<IDLSequence<IDLNullable<IDLDOMString>>>(*exec, *globalObject, m_names)); 207 207 argList.append(toJS<IDLSequence<IDLNullable<IDLDOMString>>>(*exec, *globalObject, m_values)); 208 ASSERT(!argList.hasOverflowed()); 208 209 JSC::JSValue replacement = call(exec, replacementObject, callType, callData, globalObject, argList); 209 210 if (UNLIKELY(scope.exception())) { -
trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp
r223728 r224309 1 1 /* 2 2 * Copyright (C) 2013 Google Inc. All rights reserved. 3 * Copyright (C) 2015-201 6Apple Inc. All rights reserved.3 * Copyright (C) 2015-2017 Apple Inc. All rights reserved. 4 4 * 5 5 * Redistribution and use in source and binary forms, with or without … … 128 128 InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionConstruct(&document, constructType, constructData); 129 129 MarkedArgumentBuffer args; 130 ASSERT(!args.hasOverflowed()); 130 131 JSValue newElement = construct(&state, constructor, constructType, constructData, args); 131 132 InspectorInstrumentation::didCallFunction(cookie, &document); … … 199 200 200 201 MarkedArgumentBuffer args; 202 ASSERT(!args.hasOverflowed()); 201 203 InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionConstruct(context, constructType, constructData); 202 204 JSValue returnedElement = construct(state, m_constructor.get(), constructType, constructData, args); … … 246 248 MarkedArgumentBuffer args; 247 249 addArguments(state, globalObject, args); 250 RELEASE_ASSERT(!args.hasOverflowed()); 248 251 249 252 InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionCall(context, callType, callData); -
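Review bot: The two `ASSERT(!args.hasOverflowed())` lines placed directly after `MarkedArgumentBuffer args;` in constructCustomElementSynchronously and upgradeElement check a buffer that has had nothing appended, so they cannot fail and read as if a check were happening; the same empty-buffer assert appears in HTMLMediaElement.cpp (`noArguments` and the two zero-argument `argList` sites) and in the generated zero-argument callbacks in JSTestCallbackInterface.cpp. If the intent is a greppable marker that every MarkedArgumentBuffer use site was audited, a comment such as `// No arguments are appended here; the assert only marks the site as reviewed.` would say so; otherwise GenerateCallbackImplementationContent in CodeGeneratorJS.pm could emit the assert only when at least one argument is pushed. The `RELEASE_ASSERT(!args.hasOverflowed())` after `addArguments(...)` in invokeCallback is the one check in this section that is actually reachable, and its enclosing function continues outside the hunk.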
trunk/Source/WebCore/bindings/js/JSCustomXPathNSResolver.cpp
r223728 r224309 88 88 MarkedArgumentBuffer args; 89 89 args.append(jsStringWithCache(exec, prefix)); 90 ASSERT(!args.hasOverflowed()); 90 91 91 92 NakedPtr<JSC::Exception> exception; -
trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructorBase.cpp
r223476 r224309 1 1 /* 2 2 * Copyright (C) 1999-2001 Harri Porten (porten@kde.org) 3 * Copyright (C) 2004-201 1, 2013, 2016Apple Inc. All rights reserved.3 * Copyright (C) 2004-2017 Apple Inc. All rights reserved. 4 4 * Copyright (C) 2007 Samuel Weinig <sam@webkit.org> 5 5 * Copyright (C) 2013 Michael Pruett <michael@68k.org> … … 31 31 void JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments(JSC::ExecState& state, JSC::JSObject& thisObject, JSC::JSFunction& function) 32 32 { 33 JSC::VM& vm = state.vm(); 34 auto scope = DECLARE_THROW_SCOPE(vm); 33 35 JSC::CallData callData; 34 36 JSC::CallType callType = JSC::getCallData(&function, callData); … … 38 40 for (unsigned i = 0; i < state.argumentCount(); ++i) 39 41 arguments.append(state.uncheckedArgument(i)); 42 if (UNLIKELY(arguments.hasOverflowed())) { 43 throwOutOfMemoryError(&state, scope); 44 return; 45 } 40 46 JSC::call(&state, &function, callType, callData, &thisObject, arguments); 41 47 } -
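Review bot: The throw scope declared at the top of callFunctionWithCurrentArguments is never released, yet the function returns straight after `JSC::call(...)` with no exception check; before this change the function owned no scope, so if the callee throws and exception-check validation is enabled, the unreleased scope would presumably be reported at return. The usual shape for a call whose exception is deliberately left to the caller is `scope.release();` immediately before `JSC::call(&state, &function, callType, callData, &thisObject, arguments);`. The same pattern applies to both `convert` overloads in JSDOMConvertSequences.h: the IDLSequence form would become `RELEASE_AND_RETURN(scope, JSC::constructArray(&exec, nullptr, &globalObject, list));`, and the IDLFrozenArray form needs an exception check after `constructArray` (which can itself throw, leaving `array` unusable) before releasing the scope around `objectConstructorFreeze`.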
trunk/Source/WebCore/bindings/js/JSDOMConvertSequences.h
r218342 r224309 1 1 /* 2 * Copyright (C) 2016 Apple Inc. All rights reserved.2 * Copyright (C) 2016-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 379 379 static JSC::JSValue convert(JSC::ExecState& exec, JSDOMGlobalObject& globalObject, const Vector<U, inlineCapacity>& vector) 380 380 { 381 JSC::VM& vm = exec.vm(); 382 auto scope = DECLARE_THROW_SCOPE(vm); 381 383 JSC::MarkedArgumentBuffer list; 382 384 for (auto& element : vector) 383 385 list.append(toJS<T>(exec, globalObject, element)); 386 if (UNLIKELY(list.hasOverflowed())) { 387 throwOutOfMemoryError(&exec, scope); 388 return { }; 389 } 384 390 return JSC::constructArray(&exec, nullptr, &globalObject, list); 385 391 } … … 407 413 static JSC::JSValue convert(JSC::ExecState& exec, JSDOMGlobalObject& globalObject, const Vector<U, inlineCapacity>& vector) 408 414 { 415 JSC::VM& vm = exec.vm(); 416 auto scope = DECLARE_THROW_SCOPE(vm); 409 417 JSC::MarkedArgumentBuffer list; 410 418 for (auto& element : vector) 411 419 list.append(toJS<T>(exec, globalObject, element)); 420 if (UNLIKELY(list.hasOverflowed())) { 421 throwOutOfMemoryError(&exec, scope); 422 return { }; 423 } 412 424 auto* array = JSC::constructArray(&exec, nullptr, &globalObject, list); 413 425 return JSC::objectConstructorFreeze(&exec, array); -
trunk/Source/WebCore/bindings/js/JSDOMConvertWebGL.cpp
r223476 r224309 92 92 for (auto& value : values) 93 93 list.append(jsBoolean(value)); 94 RELEASE_ASSERT(!list.hasOverflowed()); 94 95 return constructArray(&state, 0, &globalObject, list); 95 96 }, … … 98 99 for (auto& value : values) 99 100 list.append(jsNumber(value)); 101 RELEASE_ASSERT(!list.hasOverflowed()); 100 102 return constructArray(&state, 0, &globalObject, list); 101 103 }, -
trunk/Source/WebCore/bindings/js/JSDOMIterator.h
r218755 r224309 1 1 /* 2 2 * Copyright (C) 2016 Canon, Inc. All rights reserved. 3 * Copyright (C) 2016 Apple Inc. All rights reserved.3 * Copyright (C) 2016-2017 Apple Inc. All rights reserved. 4 4 * 5 5 * Redistribution and use in source and binary forms, with or without … … 128 128 arguments.append(value1); 129 129 arguments.append(value2); 130 ASSERT(!arguments.hasOverflowed()); 130 131 return constructArray(&state, nullptr, &globalObject, arguments); 131 132 } … … 215 216 appendForEachArguments<JSIterator>(state, *thisObject.globalObject(), arguments, value); 216 217 arguments.append(&thisObject); 218 if (UNLIKELY(arguments.hasOverflowed())) { 219 throwOutOfMemoryError(&state, scope); 220 return { }; 221 } 217 222 JSC::call(&state, callback, callType, callData, thisValue, arguments); 218 223 if (UNLIKELY(scope.exception())) -
trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp
r222473 r224309 74 74 for (size_t cptr = 0; cptr < state.argumentCount(); ++cptr) 75 75 arguments.append(state.uncheckedArgument(cptr)); 76 ASSERT(!arguments.hasOverflowed()); 76 77 return JSC::call(&state, function, callType, callData, &backingMap, arguments); 77 78 } … … 90 91 for (size_t cptr = 0; cptr < state.argumentCount(); ++cptr) 91 92 arguments.append(state.uncheckedArgument(cptr)); 93 ASSERT(!arguments.hasOverflowed()); 92 94 return JSC::call(&state, function, callType, callData, &mapLike, arguments); 93 95 } -
trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp
r223476 r224309 58 58 MarkedArgumentBuffer arguments; 59 59 arguments.append(resolution); 60 ASSERT(!arguments.hasOverflowed()); 60 61 61 62 call(&exec, function, callType, callData, jsUndefined(), arguments); … … 207 208 MarkedArgumentBuffer arguments; 208 209 arguments.append(rejectionValue); 210 ASSERT(!arguments.hasOverflowed()); 209 211 210 212 return JSValue::encode(call(&state, rejectFunction, callType, callData, promiseConstructor, arguments)); -
trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp
r223728 r224309 1 1 /* 2 2 * Copyright (C) 2010 Google Inc. All rights reserved. 3 * Copyright (C) 2013 Apple Inc. All rights reserved.3 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 4 4 * 5 5 * Redistribution and use in source and binary forms, with or without … … 91 91 args.append(toJS<IDLUnsignedLong>(errorEvent.colno())); 92 92 args.append(errorEvent.error(*exec, *globalObject)); 93 ASSERT(!args.hasOverflowed()); 93 94 94 95 VM& vm = globalObject->vm(); -
trunk/Source/WebCore/bindings/js/JSEventListener.cpp
r223728 r224309 139 139 MarkedArgumentBuffer args; 140 140 args.append(toJS(exec, globalObject, &event)); 141 ASSERT(!args.hasOverflowed()); 141 142 142 143 Event* savedEvent = globalObject->currentEvent(); -
trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp
r224290 r224309 113 113 args.append(jsNontrivialString(exec, m_eventParameterName)); 114 114 args.append(jsStringWithCache(exec, m_code)); 115 ASSERT(!args.hasOverflowed()); 115 116 116 117 // We want all errors to refer back to the line on which our attribute was -
trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp
r223746 r224309 152 152 for (size_t i = 0; i < argumentCount; i++) 153 153 argumentList.append(exec->argument(i)); 154 ASSERT(!argumentList.hasOverflowed()); 154 155 155 156 CallData callData; -
trunk/Source/WebCore/bindings/js/JSReadableStreamPrivateConstructors.cpp
r223476 r224309 1 1 /* 2 2 * Copyright (C) 2015 Canon Inc. All rights reserved. 3 * Copyright (C) 2016 Apple Inc. All rights reserved.3 * Copyright (C) 2016-2017 Apple Inc. All rights reserved. 4 4 * 5 5 * This library is free software; you can redistribute it and/or … … 75 75 MarkedArgumentBuffer args; 76 76 args.append(exec.argument(0)); 77 ASSERT(!args.hasOverflowed()); 77 78 return JSValue::encode(JSC::construct(&exec, constructor, constructType, constructData, args)); 78 79 } -
trunk/Source/WebCore/bindings/js/ReadableStream.cpp
r223476 r224309 52 52 MarkedArgumentBuffer args; 53 53 args.append(source ? toJSNewlyCreated(&execState, &globalObject, source.releaseNonNull()) : JSC::jsUndefined()); 54 ASSERT(!args.hasOverflowed()); 54 55 55 56 auto newReadableStream = jsDynamicDowncast<JSReadableStream*>(vm, JSC::construct(&execState, constructor, constructType, constructData, args)); … … 84 85 arguments.append(readableStream()); 85 86 arguments.append(toJS(&state, m_globalObject.get(), sink)); 87 ASSERT(!arguments.hasOverflowed()); 86 88 ReadableStreamInternal::callFunction(state, readableStreamPipeTo, JSC::jsUndefined(), arguments); 87 89 } … … 99 101 arguments.append(readableStream()); 100 102 arguments.append(JSC::jsBoolean(true)); 103 ASSERT(!arguments.hasOverflowed()); 101 104 auto returnedValue = ReadableStreamInternal::callFunction(state, readableStreamTee, JSC::jsUndefined(), arguments); 102 105 … … 123 126 MarkedArgumentBuffer args; 124 127 args.append(readableStream()); 128 ASSERT(!args.hasOverflowed()); 125 129 126 130 JSC::construct(&state, constructor, constructType, constructData, args); … … 135 139 JSC::MarkedArgumentBuffer arguments; 136 140 arguments.append(readableStream); 141 ASSERT(!arguments.hasOverflowed()); 137 142 return ReadableStreamInternal::callFunction(state, function, JSC::jsUndefined(), arguments).isTrue(); 138 143 } -
trunk/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp
r221704 r224309 66 66 JSC::MarkedArgumentBuffer arguments; 67 67 arguments.append(parameter); 68 ASSERT(!arguments.hasOverflowed()); 68 69 69 70 return callFunction(state, function, &object, arguments); -
trunk/Source/WebCore/bindings/js/ScheduledAction.cpp
r223728 r224309 2 2 * Copyright (C) 2000 Harri Porten (porten@kde.org) 3 3 * Copyright (C) 2006 Jon Shier (jshier@iastate.edu) 4 * Copyright (C) 2003 , 2004, 2005, 2006, 2007, 2008, 2009Apple Inc. All rights reseved.4 * Copyright (C) 2003-2017 Apple Inc. All rights reseved. 5 5 * Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org) 6 6 * Copyright (C) 2009 Google Inc. All rights reseved. … … 93 93 { 94 94 ASSERT(m_function); 95 JSLockHolder lock(context.vm()); 95 VM& vm = context.vm(); 96 JSLockHolder lock(vm); 97 auto scope = DECLARE_THROW_SCOPE(vm); 96 98 97 99 CallData callData; … … 105 107 for (auto& argument : m_arguments) 106 108 arguments.append(argument.get()); 109 if (UNLIKELY(arguments.hasOverflowed())) { 110 throwOutOfMemoryError(exec, scope); 111 NakedPtr<JSC::Exception> exception = scope.exception(); 112 reportException(exec, exception); 113 return; 114 } 107 115 108 116 InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionCall(&context, callType, callData); -
trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp
r223905 r224309 667 667 { 668 668 m_objectPool.add(object, m_objectPool.size()); 669 m_gcBuffer.append (object);669 m_gcBuffer.appendWithCrashOnOverflow(object); 670 670 } 671 671 … … 1590 1590 break; 1591 1591 JSMapIterator* iterator = JSMapIterator::create(vm, vm.mapIteratorStructure.get(), inMap, IterateKeyValue); 1592 m_gcBuffer.append (inMap);1593 m_gcBuffer.append (iterator);1592 m_gcBuffer.appendWithCrashOnOverflow(inMap); 1593 m_gcBuffer.appendWithCrashOnOverflow(iterator); 1594 1594 mapIteratorStack.append(iterator); 1595 1595 inputObjectStack.append(inMap); … … 1611 1611 } 1612 1612 inValue = key; 1613 m_gcBuffer.append (value);1613 m_gcBuffer.appendWithCrashOnOverflow(value); 1614 1614 mapIteratorValueStack.append(value); 1615 1615 stateStack.append(MapDataEndVisitKey); … … 1634 1634 break; 1635 1635 JSSetIterator* iterator = JSSetIterator::create(vm, vm.setIteratorStructure.get(), inSet, IterateKey); 1636 m_gcBuffer.append (inSet);1637 m_gcBuffer.append (iterator);1636 m_gcBuffer.appendWithCrashOnOverflow(inSet); 1637 m_gcBuffer.appendWithCrashOnOverflow(iterator); 1638 1638 setIteratorStack.append(iterator); 1639 1639 inputObjectStack.append(inSet); … … 2652 2652 BooleanObject* obj = BooleanObject::create(m_exec->vm(), m_globalObject->booleanObjectStructure()); 2653 2653 obj->setInternalValue(m_exec->vm(), jsBoolean(false)); 2654 m_gcBuffer.append (obj);2654 m_gcBuffer.appendWithCrashOnOverflow(obj); 2655 2655 return obj; 2656 2656 } … … 2658 2658 BooleanObject* obj = BooleanObject::create(m_exec->vm(), m_globalObject->booleanObjectStructure()); 2659 2659 obj->setInternalValue(m_exec->vm(), jsBoolean(true)); 2660 m_gcBuffer.append(obj);2660 m_gcBuffer.appendWithCrashOnOverflow(obj); 2661 2661 return obj; 2662 2662 } … … 2672 2672 return JSValue(); 2673 2673 NumberObject* obj = constructNumber(m_exec, m_globalObject, jsNumber(d)); 2674 m_gcBuffer.append (obj);2674 m_gcBuffer.appendWithCrashOnOverflow(obj); 2675 2675 return obj; 2676 2676 } … … 2764 2764 
return JSValue(); 2765 2765 StringObject* obj = constructString(m_exec->vm(), m_globalObject, cachedString->jsString(m_exec)); 2766 m_gcBuffer.append (obj);2766 m_gcBuffer.appendWithCrashOnOverflow(obj); 2767 2767 return obj; 2768 2768 } … … 2770 2770 VM& vm = m_exec->vm(); 2771 2771 StringObject* obj = constructString(vm, m_globalObject, jsEmptyString(&vm)); 2772 m_gcBuffer.append (obj);2772 m_gcBuffer.appendWithCrashOnOverflow(obj); 2773 2773 return obj; 2774 2774 } … … 2817 2817 // not trow. 2818 2818 scope.releaseAssertNoException(); 2819 m_gcBuffer.append (result);2819 m_gcBuffer.appendWithCrashOnOverflow(result); 2820 2820 return result; 2821 2821 } … … 2835 2835 } 2836 2836 JSValue result = JSArrayBuffer::create(m_exec->vm(), structure, WTFMove(arrayBuffer)); 2837 m_gcBuffer.append (result);2837 m_gcBuffer.appendWithCrashOnOverflow(result); 2838 2838 return result; 2839 2839 } … … 2862 2862 RefPtr<ArrayBuffer> buffer = ArrayBuffer::create(WTFMove(m_sharedBuffers->at(index))); 2863 2863 JSValue result = getJSValue(buffer.get()); 2864 m_gcBuffer.append (result);2864 m_gcBuffer.appendWithCrashOnOverflow(result); 2865 2865 return result; 2866 2866 } … … 2871 2871 return JSValue(); 2872 2872 } 2873 m_gcBuffer.append (arrayBufferView);2873 m_gcBuffer.appendWithCrashOnOverflow(arrayBufferView); 2874 2874 return arrayBufferView; 2875 2875 } … … 2897 2897 return JSValue(); 2898 2898 } 2899 m_gcBuffer.append (cryptoKey);2899 m_gcBuffer.appendWithCrashOnOverflow(cryptoKey); 2900 2900 return cryptoKey; 2901 2901 } … … 2985 2985 if (UNLIKELY(scope.exception())) 2986 2986 goto error; 2987 m_gcBuffer.append (outArray);2987 m_gcBuffer.appendWithCrashOnOverflow(outArray); 2988 2988 outputObjectStack.append(outArray); 2989 2989 } … … 3026 3026 return std::make_pair(JSValue(), SerializationReturnCode::StackOverflowError); 3027 3027 JSObject* outObject = constructEmptyObject(m_exec, m_globalObject->objectPrototype()); 3028 m_gcBuffer.append (outObject);3028 
m_gcBuffer.appendWithCrashOnOverflow(outObject); 3029 3029 outputObjectStack.append(outObject); 3030 3030 } … … 3063 3063 if (UNLIKELY(scope.exception())) 3064 3064 goto error; 3065 m_gcBuffer.append (map);3065 m_gcBuffer.appendWithCrashOnOverflow(map); 3066 3066 outputObjectStack.append(map); 3067 3067 mapStack.append(map); … … 3094 3094 if (UNLIKELY(scope.exception())) 3095 3095 goto error; 3096 m_gcBuffer.append (set);3096 m_gcBuffer.appendWithCrashOnOverflow(set); 3097 3097 outputObjectStack.append(set); 3098 3098 setStack.append(set); -
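Review bot: Every `m_gcBuffer.append` in this section becomes `appendWithCrashOnOverflow`, but nothing records why CloneSerializer and CloneDeserializer abort on overflow while the other hunks in this changeset either throw OutOfMemoryError or return a status code, and the ChangeLog entry for this file only lists the functions touched. A one-line comment at the first site in recordObject would capture the decision, e.g. `// m_gcBuffer exists only to keep objects alive for the GC during one (de)serialization; running it out means the heap is exhausted, so fail fast rather than continue with an unprotected object.` — phrased as the author's reasoning rather than a guess, if that is indeed the rationale. This matters most on the deserializer side, where the input is serialized bytes rather than live objects, so the failure mode for malformed or oversized input is the documented behaviour a reader will look for.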
trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
r223930 r224309 6041 6041 push(@$contentRef, " args.append(" . NativeToJSValueUsingReferences($argument, $interfaceOrCallback, $argument->name, "globalObject") . ");\n"); 6042 6042 } 6043 push(@$contentRef, " ASSERT(!args.hasOverflowed());\n"); 6043 6044 6044 6045 push(@$contentRef, "\n NakedPtr<JSC::Exception> returnedException;\n"); -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp
r223476 r224309 66 66 MarkedArgumentBuffer args; 67 67 args.append(toJS<IDLLong>(argument)); 68 ASSERT(!args.hasOverflowed()); 68 69 69 70 NakedPtr<JSC::Exception> returnedException; -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp
r223476 r224309 69 69 MarkedArgumentBuffer args; 70 70 args.append(toJS<IDLSequence<IDLLong>>(state, globalObject, argument)); 71 ASSERT(!args.hasOverflowed()); 71 72 72 73 NakedPtr<JSC::Exception> returnedException; -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp
r223476 r224309 69 69 MarkedArgumentBuffer args; 70 70 args.append(toJS<IDLSequence<IDLInterface<TestNode>>>(state, globalObject, parameter)); 71 ASSERT(!args.hasOverflowed()); 71 72 72 73 NakedPtr<JSC::Exception> returnedException; -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp
r223476 r224309 70 70 args.append(toJS<IDLSequence<IDLNullable<IDLLong>>>(state, globalObject, sequenceArg)); 71 71 args.append(toJS<IDLLong>(longArg)); 72 ASSERT(!args.hasOverflowed()); 72 73 73 74 NakedPtr<JSC::Exception> returnedException; -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackInterface.cpp
r223476 r224309 175 175 JSValue thisValue = jsUndefined(); 176 176 MarkedArgumentBuffer args; 177 ASSERT(!args.hasOverflowed()); 177 178 178 179 NakedPtr<JSC::Exception> returnedException; … … 201 202 MarkedArgumentBuffer args; 202 203 args.append(toJS<IDLFloat32Array>(state, globalObject, arrayParam)); 204 ASSERT(!args.hasOverflowed()); 203 205 204 206 NakedPtr<JSC::Exception> returnedException; … … 228 230 args.append(toJS<IDLSerializedScriptValue<SerializedScriptValue>>(state, globalObject, srzParam)); 229 231 args.append(toJS<IDLDOMString>(state, strParam)); 232 ASSERT(!args.hasOverflowed()); 230 233 231 234 NakedPtr<JSC::Exception> returnedException; … … 254 257 MarkedArgumentBuffer args; 255 258 args.append(toJS<IDLInterface<DOMStringList>>(state, globalObject, listParam)); 259 ASSERT(!args.hasOverflowed()); 256 260 257 261 NakedPtr<JSC::Exception> returnedException; … … 280 284 MarkedArgumentBuffer args; 281 285 args.append(toJS<IDLBoolean>(boolParam)); 286 ASSERT(!args.hasOverflowed()); 282 287 283 288 NakedPtr<JSC::Exception> returnedException; … … 307 312 args.append(toJS<IDLLong>(longParam)); 308 313 args.append(toJS<IDLInterface<TestNode>>(state, globalObject, testNodeParam)); 314 ASSERT(!args.hasOverflowed()); 309 315 310 316 NakedPtr<JSC::Exception> returnedException; … … 332 338 JSValue thisValue = jsUndefined(); 333 339 MarkedArgumentBuffer args; 340 ASSERT(!args.hasOverflowed()); 334 341 335 342 NakedPtr<JSC::Exception> returnedException; … … 361 368 MarkedArgumentBuffer args; 362 369 args.append(toJS<IDLEnumeration<TestCallbackInterface::Enum>>(state, enumParam)); 370 ASSERT(!args.hasOverflowed()); 363 371 364 372 NakedPtr<JSC::Exception> returnedException; … … 388 396 MarkedArgumentBuffer args; 389 397 args.append(toJS<IDLDictionary<TestCallbackInterface::Dictionary>>(state, globalObject, dictionaryParam)); 398 ASSERT(!args.hasOverflowed()); 390 399 391 400 NakedPtr<JSC::Exception> returnedException; … … 417 426 MarkedArgumentBuffer args; 418 427 
args.append(toJS<IDLInterface<TestObj>>(state, globalObject, testObjParam)); 428 ASSERT(!args.hasOverflowed()); 419 429 420 430 NakedPtr<JSC::Exception> returnedException; -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp
r223476 r224309 81 81 args.append(toJS<IDLLong>(longParam)); 82 82 args.append(toJS<IDLInterface<TestNode>>(state, globalObject, testNodeParam)); 83 ASSERT(!args.hasOverflowed()); 83 84 84 85 NakedPtr<JSC::Exception> returnedException; -
trunk/Source/WebCore/bridge/NP_jsobject.cpp
r223476 r224309 1 1 /* 2 * Copyright (C) 2004 , 2006Apple Inc. All rights reserved.2 * Copyright (C) 2004-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 196 196 MarkedArgumentBuffer argList; 197 197 getListFromVariantArgs(exec, args, argCount, rootObject, argList); 198 RELEASE_ASSERT(!argList.hasOverflowed()); 198 199 JSValue resultV = JSC::call(exec, function, callType, callData, function, argList); 199 200 … … 248 249 MarkedArgumentBuffer argList; 249 250 getListFromVariantArgs(exec, args, argCount, rootObject, argList); 251 RELEASE_ASSERT(!argList.hasOverflowed()); 250 252 JSValue resultV = JSC::call(exec, function, callType, callData, obj->imp, argList); 251 253 … … 537 539 MarkedArgumentBuffer argList; 538 540 getListFromVariantArgs(exec, args, argCount, rootObject, argList); 541 RELEASE_ASSERT(!argList.hasOverflowed()); 539 542 JSValue resultV = JSC::construct(exec, constructor, constructType, constructData, argList); 540 543 -
trunk/Source/WebCore/bridge/objc/WebScriptObject.mm
r221822 r224309 1 1 /* 2 * Copyright (C) 2004 , 2006, 2007, 2008, 2013Apple Inc. All rights reserved.2 * Copyright (C) 2004-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 352 352 353 353 MarkedArgumentBuffer argList; 354 ASSERT(!argList.hasOverflowed()); 354 355 getListFromNSArray(exec, args, [self _rootObject], argList); 355 356 -
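Review bot: The new `ASSERT(!argList.hasOverflowed())` sits before `getListFromNSArray(exec, args, [self _rootObject], argList);`, so it inspects an empty buffer and the list that is actually populated from the caller-supplied NSArray is never checked; the assert should follow the getListFromNSArray call. Because the array length is chosen by the embedding application rather than bounded by the VM, release-build behaviour matters here too, and the `RELEASE_ASSERT(!argList.hasOverflowed())` form this changeset uses after getListFromVariantArgs in NP_jsobject.cpp, or the OutOfMemoryError throw used in JSObjectRef.cpp, would be the consistent choice over a debug-only ASSERT. The method body continues outside the hunk.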
trunk/Source/WebCore/html/HTMLMediaElement.cpp
r224085 r224309 4278 4278 4279 4279 JSC::MarkedArgumentBuffer noArguments; 4280 ASSERT(!noArguments.hasOverflowed()); 4280 4281 JSC::call(exec, methodObject, callType, callData, controllerObject, noArguments); 4281 4282 scope.clearException(); … … 7073 7074 argList.append(mediaJSWrapper); 7074 7075 argList.append(mediaControlsHostJSWrapper); 7076 ASSERT(!argList.hasOverflowed()); 7075 7077 7076 7078 JSC::JSObject* function = functionValue.toObject(exec); … … 7166 7168 7167 7169 JSC::MarkedArgumentBuffer argList; 7170 ASSERT(!argList.hasOverflowed()); 7168 7171 JSC::call(exec, function, callType, callData, controllerObject, argList); 7169 7172 } … … 7205 7208 JSC::CallType callType = function->methodTable(vm)->getCallData(function, callData); 7206 7209 JSC::MarkedArgumentBuffer argList; 7210 ASSERT(!argList.hasOverflowed()); 7207 7211 if (callType == JSC::CallType::None) 7208 7212 return emptyString(); -
trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp
r223644 r224309 378 378 // If no snapshot was found then we want the overlay to be visible. 379 379 argList.append(toJS<IDLBoolean>(!m_snapshotImage)); 380 ASSERT(!argList.hasOverflowed()); 380 381 381 382 // It is expected the JS file provides a createOverlay(shadowRoot, title, subtitle) function. -
trunk/Source/WebCore/testing/Internals.cpp
r224260 r224309 3848 3848 arguments.append(srcByteOffset); 3849 3849 arguments.append(srcLength); 3850 ASSERT(!arguments.hasOverflowed()); 3850 3851 3851 3852 return JSC::call(&state, function, callType, callData, JSC::jsUndefined(), arguments);