Changeset 224309 in webkit

Timestamp:

Nov 1, 2017 6:54:43 PM (6 years ago)

Author:

mark.lam@apple.com

Message:

Add support to throw OOM if MarkedArgumentBuffer may overflow.
​https://bugs.webkit.org/show_bug.cgi?id=179092
<rdar://problem/35116160>

Reviewed by Saam Barati.

Source/JavaScriptCore:

The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
time, which renders it unsuitable for automated tests. Instead, I've run a
test manually to verify that an OutOfMemoryError will be thrown when an overflow
occurs.

The MarkedArgumentBuffer's destructor will now assert that the client has indeed
checked for an overflow after invoking methods that may result in an overflow i.e.
the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
This is only done on debug builds.

• API/JSObjectRef.cpp:

(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeRegExp):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):

• dfg/DFGOperations.cpp:
• inspector/InjectedScriptManager.cpp:

(Inspector::InjectedScriptManager::createInjectedScript):

• inspector/JSJavaScriptCallFrame.cpp:

(Inspector::JSJavaScriptCallFrame::scopeChain const):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::executeProgram):

• jsc.cpp:

(functionDollarAgentReceiveBroadcast):

• runtime/ArgList.cpp:

(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
(JSC::MarkedArgumentBuffer::slowAppend):

• runtime/ArgList.h:

(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::appendWithAction):
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
(JSC::MarkedArgumentBuffer::hasOverflowed):
(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):

• runtime/ArrayPrototype.cpp:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/GetterSetter.cpp:

(JSC::callSetter):

• runtime/IteratorOperations.cpp:

(JSC::iteratorNext):
(JSC::iteratorClose):

• runtime/JSBoundFunction.cpp:

(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):

• runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::haveABadTime):

• runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

• runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

• runtime/JSMapIterator.cpp:

(JSC::JSMapIterator::createPair):

• runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

• runtime/JSONObject.cpp:

(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Walker::callReviver):

• runtime/JSObject.cpp:

(JSC::ordinarySetSlow):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::hasInstance):

• runtime/JSPromise.cpp:

(JSC::JSPromise::initialize):
(JSC::JSPromise::resolve):

• runtime/JSPromiseDeferred.cpp:

(JSC::newPromiseCapability):
(JSC::callFunction):

• runtime/JSSetIterator.cpp:

(JSC::JSSetIterator::createPair):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/ObjectConstructor.cpp:

(JSC::defineProperties):

• runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

• runtime/ReflectObject.cpp:

(JSC::reflectObjectConstruct):

• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/StringPrototype.cpp:

(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):

• runtime/WeakMapConstructor.cpp:

(JSC::constructWeakMap):

• runtime/WeakSetConstructor.cpp:

(JSC::constructWeakSet):

• wasm/js/WasmToJS.cpp:

(JSC::Wasm::wasmToJS):

Source/WebCore:

No new tests. The test for overflowing a MarkedArgumentBuffer will run for a
ridiculously long time, which renders it unsuitable for automated tests.

• Modules/plugins/QuickTimePluginReplacement.mm:

(WebCore::QuickTimePluginReplacement::installReplacement):

• bindings/js/JSCustomElementInterface.cpp:

(WebCore::constructCustomElementSynchronously):
(WebCore::JSCustomElementInterface::upgradeElement):
(WebCore::JSCustomElementInterface::invokeCallback):

• bindings/js/JSCustomXPathNSResolver.cpp:

(WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):

• bindings/js/JSDOMBuiltinConstructorBase.cpp:

(WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments):

• bindings/js/JSDOMConvertSequences.h:

(WebCore::JSConverter<IDLSequence<T>>::convert):
(WebCore::JSConverter<IDLFrozenArray<T>>::convert):

• bindings/js/JSDOMConvertWebGL.cpp:

(WebCore::convertToJSValue):

• bindings/js/JSDOMIterator.h:

(WebCore::jsPair):
(WebCore::iteratorForEach):

• bindings/js/JSDOMMapLike.cpp:

(WebCore::forwardFunctionCallToBackingMap):
(WebCore::forwardForEachCallToBackingMap):

• bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::createRejectedPromiseWithTypeError):

• bindings/js/JSErrorHandler.cpp:

(WebCore::JSErrorHandler::handleEvent):

• bindings/js/JSEventListener.cpp:

(WebCore::JSEventListener::handleEvent):

• bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction const):

• bindings/js/JSPluginElementFunctions.cpp:

(WebCore::callPlugin):

• bindings/js/JSReadableStreamPrivateConstructors.cpp:

(WebCore::constructJSReadableStreamReaderGeneric):

• bindings/js/ReadableStream.cpp:

(WebCore::ReadableStream::create):
(WebCore::ReadableStream::pipeTo):
(WebCore::ReadableStream::tee):
(WebCore::ReadableStream::lock):
(WebCore::checkReadableStream):

• bindings/js/ReadableStreamDefaultController.cpp:

(WebCore::ReadableStreamDefaultController::invoke):

• bindings/js/ScheduledAction.cpp:

(WebCore::ScheduledAction::executeFunctionInContext):

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::recordObject):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateCallbackImplementationContent):

• bindings/scripts/test/JS/JSTestCallbackFunction.cpp:

(WebCore::JSTestCallbackFunction::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp:

(WebCore::JSTestCallbackFunctionRethrow::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp:

(WebCore::JSTestCallbackFunctionWithThisObject::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp:

(WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent):

• bindings/scripts/test/JS/JSTestCallbackInterface.cpp:

(WebCore::JSTestCallbackInterface::callbackWithNoParam):
(WebCore::JSTestCallbackInterface::callbackWithArrayParam):
(WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam):
(WebCore::JSTestCallbackInterface::callbackWithStringList):
(WebCore::JSTestCallbackInterface::callbackWithBoolean):
(WebCore::JSTestCallbackInterface::callbackRequiresThisToPass):
(WebCore::JSTestCallbackInterface::callbackWithAReturnValue):
(WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions):
(WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck):
(WebCore::JSTestCallbackInterface::callbackWithThisObject):

• bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp:

(WebCore::JSTestVoidCallbackFunction::handleEvent):

• bridge/NP_jsobject.cpp:
• bridge/objc/WebScriptObject.mm:

(-[WebScriptObject callWebScriptMethod:withArguments:]):

• html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::updateCaptionContainer):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):

• html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):

• testing/Internals.cpp:

(WebCore::Internals::cloneArrayBuffer):

Location:

trunk/Source

Files:

• JavaScriptCore/API/JSObjectRef.cpp (modified) (6 diffs)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• JavaScriptCore/inspector/InjectedScriptManager.cpp (modified) (2 diffs)
• JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp (modified) (3 diffs)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• JavaScriptCore/jsc.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ArgList.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ArgList.h (modified) (8 diffs)
• JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (1 diff)
• JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• JavaScriptCore/runtime/GetterSetter.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/IteratorOperations.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSBoundFunction.cpp (modified) (8 diffs)
• JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSInternalPromise.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSJob.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSMapIterator.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSModuleLoader.cpp (modified) (6 diffs)
• JavaScriptCore/runtime/JSONObject.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSPromise.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSPromiseDeferred.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSSetIterator.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/LiteralParser.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/MapConstructor.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ProxyObject.cpp (modified) (14 diffs)
• JavaScriptCore/runtime/ReflectObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/SetConstructor.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/StringPrototype.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/WeakMapConstructor.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/WeakSetConstructor.cpp (modified) (2 diffs)
• JavaScriptCore/wasm/js/WasmToJS.cpp (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/Modules/plugins/QuickTimePluginReplacement.mm (modified) (1 diff)
• WebCore/bindings/js/JSCustomElementInterface.cpp (modified) (4 diffs)
• WebCore/bindings/js/JSCustomXPathNSResolver.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMBuiltinConstructorBase.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSDOMConvertSequences.h (modified) (3 diffs)
• WebCore/bindings/js/JSDOMConvertWebGL.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMIterator.h (modified) (3 diffs)
• WebCore/bindings/js/JSDOMMapLike.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMPromiseDeferred.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSErrorHandler.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSEventListener.cpp (modified) (1 diff)
• WebCore/bindings/js/JSLazyEventListener.cpp (modified) (1 diff)
• WebCore/bindings/js/JSPluginElementFunctions.cpp (modified) (1 diff)
• WebCore/bindings/js/JSReadableStreamPrivateConstructors.cpp (modified) (2 diffs)
• WebCore/bindings/js/ReadableStream.cpp (modified) (5 diffs)
• WebCore/bindings/js/ReadableStreamDefaultController.cpp (modified) (1 diff)
• WebCore/bindings/js/ScheduledAction.cpp (modified) (3 diffs)
• WebCore/bindings/js/SerializedScriptValue.cpp (modified) (18 diffs)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestCallbackInterface.cpp (modified) (10 diffs)
• WebCore/bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp (modified) (1 diff)
• WebCore/bridge/NP_jsobject.cpp (modified) (4 diffs)
• WebCore/bridge/objc/WebScriptObject.mm (modified) (2 diffs)
• WebCore/html/HTMLMediaElement.cpp (modified) (4 diffs)
• WebCore/html/HTMLPlugInImageElement.cpp (modified) (1 diff)
• WebCore/testing/Internals.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -152 +152 @@
         args.append(jsString(exec, parameterNames[i]->string()));
     args.append(jsString(exec, body->string()));
+    if (UNLIKELY(args.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     auto sourceURLString = sourceURL ? sourceURL->string() : String();
@@ -176 +182 @@
         for (size_t i = 0; i < argumentCount; ++i)
             argList.append(toJS(exec, arguments[i]));
+        if (UNLIKELY(argList.hasOverflowed())) {
+            auto throwScope = DECLARE_THROW_SCOPE(vm);
+            throwOutOfMemoryError(exec, throwScope);
+            handleExceptionIfNeeded(scope, exec, exception);
+            return 0;
+        }
 
         result = constructArray(exec, static_cast<ArrayAllocationProfile*>(0), argList);
@@ -201 +213 @@
     for (size_t i = 0; i < argumentCount; ++i)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), JSValue(), argList);
@@ -244 +262 @@
     for (size_t i = 0; i < argumentCount; ++i)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList);
@@ -582 +606 @@
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     CallData callData;
@@ -623 +653 @@
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObjectRef result = toRef(profiledConstruct(exec, ProfilingReason::API, jsObject, constructType, constructData, argList));

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-11-01  Mark Lam  <mark.lam@apple.com>
+
+        Add support to throw OOM if MarkedArgumentBuffer may overflow.
+        https://bugs.webkit.org/show_bug.cgi?id=179092
+        <rdar://problem/35116160>
+
+        Reviewed by Saam Barati.
+
+        The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
+        time, which renders it unsuitable for automated tests.  Instead, I've run a
+        test manually to verify that an OutOfMemoryError will be thrown when an overflow
+        occurs.
+
+        The MarkedArgumentBuffer's destructor will now assert that the client has indeed
+        checked for an overflow after invoking methods that may result in an overflow i.e.
+        the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
+        This is only done on debug builds.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectMakeFunction):
+        (JSObjectMakeArray):
+        (JSObjectMakeDate):
+        (JSObjectMakeRegExp):
+        (JSObjectCallAsFunction):
+        (JSObjectCallAsConstructor):
+        * dfg/DFGOperations.cpp:
+        * inspector/InjectedScriptManager.cpp:
+        (Inspector::InjectedScriptManager::createInjectedScript):
+        * inspector/JSJavaScriptCallFrame.cpp:
+        (Inspector::JSJavaScriptCallFrame::scopeChain const):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::executeProgram):
+        * jsc.cpp:
+        (functionDollarAgentReceiveBroadcast):
+        * runtime/ArgList.cpp:
+        (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
+        (JSC::MarkedArgumentBuffer::expandCapacity):
+        (JSC::MarkedArgumentBuffer::slowAppend):
+        * runtime/ArgList.h:
+        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
+        (JSC::MarkedArgumentBuffer::appendWithAction):
+        (JSC::MarkedArgumentBuffer::append):
+        (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
+        (JSC::MarkedArgumentBuffer::hasOverflowed):
+        (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
+        (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
+        * runtime/ArrayPrototype.cpp:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/GetterSetter.cpp:
+        (JSC::callSetter):
+        * runtime/IteratorOperations.cpp:
+        (JSC::iteratorNext):
+        (JSC::iteratorClose):
+        * runtime/JSBoundFunction.cpp:
+        (JSC::boundThisNoArgsFunctionCall):
+        (JSC::boundFunctionCall):
+        (JSC::boundThisNoArgsFunctionConstruct):
+        (JSC::boundFunctionConstruct):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewFromIterator):
+        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+        (JSC::genericTypedArrayViewProtoFuncSlice):
+        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::haveABadTime):
+        * runtime/JSInternalPromise.cpp:
+        (JSC::JSInternalPromise::then):
+        * runtime/JSJob.cpp:
+        (JSC::JSJobMicrotask::run):
+        * runtime/JSMapIterator.cpp:
+        (JSC::JSMapIterator::createPair):
+        * runtime/JSModuleLoader.cpp:
+        (JSC::JSModuleLoader::provideFetch):
+        (JSC::JSModuleLoader::loadAndEvaluateModule):
+        (JSC::JSModuleLoader::loadModule):
+        (JSC::JSModuleLoader::linkAndEvaluateModule):
+        (JSC::JSModuleLoader::requestImportModule):
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::toJSONImpl):
+        (JSC::Stringifier::appendStringifiedValue):
+        (JSC::Walker::callReviver):
+        * runtime/JSObject.cpp:
+        (JSC::ordinarySetSlow):
+        (JSC::callToPrimitiveFunction):
+        (JSC::JSObject::hasInstance):
+        * runtime/JSPromise.cpp:
+        (JSC::JSPromise::initialize):
+        (JSC::JSPromise::resolve):
+        * runtime/JSPromiseDeferred.cpp:
+        (JSC::newPromiseCapability):
+        (JSC::callFunction):
+        * runtime/JSSetIterator.cpp:
+        (JSC::JSSetIterator::createPair):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/MapConstructor.cpp:
+        (JSC::constructMap):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::defineProperties):
+        * runtime/ProxyObject.cpp:
+        (JSC::performProxyGet):
+        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+        (JSC::ProxyObject::performHasProperty):
+        (JSC::ProxyObject::performPut):
+        (JSC::performProxyCall):
+        (JSC::performProxyConstruct):
+        (JSC::ProxyObject::performDelete):
+        (JSC::ProxyObject::performPreventExtensions):
+        (JSC::ProxyObject::performIsExtensible):
+        (JSC::ProxyObject::performDefineOwnProperty):
+        (JSC::ProxyObject::performGetOwnPropertyNames):
+        (JSC::ProxyObject::performSetPrototype):
+        (JSC::ProxyObject::performGetPrototype):
+        * runtime/ReflectObject.cpp:
+        (JSC::reflectObjectConstruct):
+        * runtime/SetConstructor.cpp:
+        (JSC::constructSet):
+        * runtime/StringPrototype.cpp:
+        (JSC::replaceUsingRegExpSearch):
+        (JSC::replaceUsingStringSearch):
+        * runtime/WeakMapConstructor.cpp:
+        (JSC::constructWeakMap):
+        * runtime/WeakSetConstructor.cpp:
+        (JSC::constructWeakSet):
+        * wasm/js/WasmToJS.cpp:
+        (JSC::Wasm::wasmToJS):
+
 2017-11-01  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -2407 +2407 @@
         MarkedArgumentBuffer arguments;
         arguments.append(iterable);
+        ASSERT(!arguments.hasOverflowed());
         JSValue arrayResult = call(exec, iterationFunction, callType, callData, jsNull(), arguments);
         RETURN_IF_EXCEPTION(throwScope, nullptr);

trunk/Source/JavaScriptCore/inspector/InjectedScriptManager.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2008, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Matt Lilek <webkit@mattlilek.com>
  * Copyright (C) 2012 Google Inc. All rights reserved.
@@ -159 +159 @@
     args.append(globalThisValue);
     args.append(jsNumber(id));
+    ASSERT(!args.hasOverflowed());
 
     JSValue result = JSC::call(scriptState, functionValue, callType, callData, globalThisValue, args);

trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -181 +181 @@
 JSValue JSJavaScriptCallFrame::scopeChain(ExecState* exec) const
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     if (!impl().scopeChain())
         return jsNull();
@@ -196 +199 @@
         ++iter;
     } while (iter != end);
+    if (UNLIKELY(list.hasOverflowed())) {
+        throwOutOfMemoryError(exec, scope);
+        return { };
+    }
 
     return constructArray(exec, nullptr, globalObject(), list);

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -863 +863 @@
                 MarkedArgumentBuffer jsonArg;
                 jsonArg.append(JSONPValue);
+                ASSERT(!jsonArg.hasOverflowed());
                 JSValue thisValue = JSONPPath.size() == 1 ? jsUndefined(): baseObject;
                 JSONPValue = JSC::call(callFrame, function, callType, callData, thisValue, jsonArg);

trunk/Source/JavaScriptCore/jsc.cpp

@@ -2912 +2912 @@
     args.append(jsBuffer);
     args.append(jsNumber(message->index()));
+    if (UNLIKELY(args.hasOverflowed()))
+        return JSValue::encode(throwOutOfMemoryError(exec, scope));
     scope.release();
     return JSValue::encode(call(exec, callback, callType, callData, jsNull(), args));

trunk/Source/JavaScriptCore/runtime/ArgList.cpp

@@ -66 +66 @@
 void MarkedArgumentBuffer::slowEnsureCapacity(size_t requestedCapacity)
 {
-    int newCapacity = Checked<int>(requestedCapacity).unsafeGet();
-    expandCapacity(newCapacity);
+    setNeedsOverflowCheck();
+    auto checkedNewCapacity = Checked<int, RecordOverflow>(requestedCapacity);
+    if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
+        return this->overflowed();
+    expandCapacity(checkedNewCapacity.unsafeGet());
 }
 
 void MarkedArgumentBuffer::expandCapacity()
 {
-    int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet();
-    expandCapacity(newCapacity);
+    setNeedsOverflowCheck();
+    auto checkedNewCapacity = Checked<int, RecordOverflow>(m_capacity) * 2;
+    if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
+        return this->overflowed();
+    expandCapacity(checkedNewCapacity.unsafeGet());
 }
 
 void MarkedArgumentBuffer::expandCapacity(int newCapacity)
 {
+    setNeedsOverflowCheck();
     ASSERT(m_capacity < newCapacity);
-    size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet();
-    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size));
+    auto checkedSize = Checked<size_t, RecordOverflow>(newCapacity) * sizeof(EncodedJSValue);
+    if (UNLIKELY(checkedSize.hasOverflowed()))
+        return this->overflowed();
+    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(checkedSize.unsafeGet()));
     for (int i = 0; i < m_size; ++i) {
         newBuffer[i] = m_buffer[i];
@@ -98 +107 @@
     if (m_size == m_capacity)
         expandCapacity();
+    if (UNLIKELY(Base::hasOverflowed())) {
+        ASSERT(m_needsOverflowCheck);
+        return;
+    }
 
     slotFor(m_size) = JSValue::encode(v);

trunk/Source/JavaScriptCore/runtime/ArgList.h

@@ -23 +23 @@
 
 #include "CallFrame.h"
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/ForbidHeapAllocation.h>
 #include <wtf/HashSet.h>
@@ -28 +29 @@
 namespace JSC {
 
-class MarkedArgumentBuffer {
+class MarkedArgumentBuffer : public RecordOverflow {
     WTF_MAKE_NONCOPYABLE(MarkedArgumentBuffer);
     WTF_FORBID_HEAP_ALLOCATION;
@@ -35 +36 @@
 
 private:
+    using Base = RecordOverflow;
     static const size_t inlineCapacity = 8;
     typedef HashSet<MarkedArgumentBuffer*> ListSet;
@@ -51 +53 @@
     ~MarkedArgumentBuffer()
     {
+        ASSERT(!m_needsOverflowCheck);
         if (m_markSet)
             m_markSet->remove(this);
@@ -74 +77 @@
     }
 
-    void append(JSValue v)
+    enum OverflowCheckAction {
+        CrashOnOverflow,
+        WillCheckLater
+    };
+    template<OverflowCheckAction action>
+    void appendWithAction(JSValue v)
     {
         ASSERT(m_size <= m_capacity);
-        if (m_size == m_capacity || mallocBase())
-            return slowAppend(v);
+        if (m_size == m_capacity || mallocBase()) {
+            slowAppend(v);
+            if (action == CrashOnOverflow)
+                RELEASE_ASSERT(!hasOverflowed());
+            return;
+        }
 
         slotFor(m_size) = JSValue::encode(v);
         ++m_size;
     }
+    void append(JSValue v) { appendWithAction<WillCheckLater>(v); }
+    void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }
 
     void removeLast()
@@ -104 +118 @@
     }
 
+    bool hasOverflowed()
+    {
+        clearNeedsOverflowCheck();
+        return Base::hasOverflowed();
+    }
+
 private:
     void expandCapacity();
@@ -112 +132 @@
 
     JS_EXPORT_PRIVATE void slowAppend(JSValue);
-        
+
     EncodedJSValue& slotFor(int item) const
     {
@@ -124 +144 @@
         return &slotFor(0);
     }
-        
+
+#if ASSERT_DISABLED
+    void setNeedsOverflowCheck() { }
+    void clearNeedsOverflowCheck() { }
+#else
+    void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }
+    void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; }
+
+    bool m_needsOverflowCheck { false };
+#endif
     int m_size;
     int m_capacity;

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -255 +255 @@
     MarkedArgumentBuffer args;
     args.append(jsNumber(length));
+    ASSERT(!args.hasOverflowed());
     JSObject* newObject = construct(exec, constructor, args, "Species construction did not get a valid constructor");
     RETURN_IF_EXCEPTION(scope, exceptionResult());

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -1096 +1096 @@
         MarkedArgumentBuffer arguments;
         arguments.append(iterable);
+        ASSERT(!arguments.hasOverflowed());
         JSValue arrayResult = call(exec, iterationFunction, callType, callData, jsNull(), arguments);
         CHECK_EXCEPTION();

trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2004, 2007-2009, 2014, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -102 +102 @@
     MarkedArgumentBuffer args;
     args.append(value);
+    ASSERT(!args.hasOverflowed());
 
     CallData callData;

trunk/Source/JavaScriptCore/runtime/IteratorOperations.cpp

@@ -53 +53 @@
     if (!argument.isEmpty())
         nextFunctionArguments.append(argument);
+    ASSERT(!nextFunctionArguments.hasOverflowed());
     JSValue result = call(exec, nextFunction, nextFunctionCallType, nextFunctionCallData, iterator, nextFunctionArguments);
     RETURN_IF_EXCEPTION(scope, JSValue());
@@ -118 +119 @@
 
     MarkedArgumentBuffer returnFunctionArguments;
+    ASSERT(!returnFunctionArguments.hasOverflowed());
     JSValue innerResult = call(exec, returnFunction, returnFunctionCallType, returnFunctionCallData, iterationRecord.iterator, returnFunctionArguments);
 

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

@@ -42 +42 @@
     for (unsigned i = 0; i < exec->argumentCount(); ++i)
         args.append(exec->uncheckedArgument(i));
+    RELEASE_ASSERT(!args.hasOverflowed());
 
     JSFunction* targetFunction = jsCast<JSFunction*>(boundFunction->targetFunction());
@@ -57 +58 @@
 EncodedJSValue JSC_HOST_CALL boundFunctionCall(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSBoundFunction* boundFunction = jsCast<JSBoundFunction*>(exec->jsCallee());
 
@@ -68 +71 @@
     for (unsigned i = 0; i < exec->argumentCount(); ++i)
         args.append(exec->uncheckedArgument(i));
+    if (UNLIKELY(args.hasOverflowed())) {
+        throwOutOfMemoryError(exec, scope);
+        return encodedJSValue();
+    }
 
     JSObject* targetFunction = boundFunction->targetFunction();
@@ -73 +80 @@
     CallType callType = getCallData(targetFunction, callData);
     ASSERT(callType != CallType::None);
+    scope.release();
     return JSValue::encode(call(exec, targetFunction, callType, callData, boundFunction->boundThis(), args));
 }
@@ -83 +91 @@
     for (unsigned i = 0; i < exec->argumentCount(); ++i)
         args.append(exec->uncheckedArgument(i));
+    RELEASE_ASSERT(!args.hasOverflowed());
 
     JSFunction* targetFunction = jsCast<JSFunction*>(boundFunction->targetFunction());
@@ -93 +102 @@
 EncodedJSValue JSC_HOST_CALL boundFunctionConstruct(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSBoundFunction* boundFunction = jsCast<JSBoundFunction*>(exec->jsCallee());
 
@@ -104 +115 @@
     for (unsigned i = 0; i < exec->argumentCount(); ++i)
         args.append(exec->uncheckedArgument(i));
+    if (UNLIKELY(args.hasOverflowed())) {
+        throwOutOfMemoryError(exec, scope);
+        return encodedJSValue();
+    }
 
     JSObject* targetFunction = boundFunction->targetFunction();
@@ -109 +124 @@
     ConstructType constructType = getConstructData(targetFunction, constructData);
     ASSERT(constructType != ConstructType::None);
+    scope.release();
     return JSValue::encode(construct(exec, targetFunction, constructType, constructData, args));
 }

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -86 +86 @@
     forEachInIterable(*exec, iterable, iteratorMethod, [&] (VM&, ExecState&, JSValue value) {
         storage.append(value);
+        if (UNLIKELY(storage.hasOverflowed())) {
+            throwOutOfMemoryError(exec, scope);
+            return;
+        }
     });
     RETURN_IF_EXCEPTION(scope, nullptr);

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

@@ -450 +450 @@
     MarkedArgumentBuffer args;
     args.append(jsNumber(length));
+    ASSERT(!args.hasOverflowed());
 
     JSArrayBufferView* result = speciesConstruct(exec, thisObject, args, [&]() {
@@ -564 +565 @@
     args.append(jsNumber(newByteOffset));
     args.append(jsNumber(length));
+    ASSERT(!args.hasOverflowed());
 
     JSObject* result = construct(exec, species, args, "species is not a constructor");

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -1216 +1216 @@
         vm.heap.objectSpace().forEachLiveCell(iterationScope, finder);
     }
+    RELEASE_ASSERT(!foundObjects.hasOverflowed());
     while (!foundObjects.isEmpty()) {
         JSObject* object = asObject(foundObjects.last());

trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -65 +65 @@
     arguments.append(onFulfilled ? onFulfilled : jsUndefined());
     arguments.append(onRejected ? onRejected : jsUndefined());
+    ASSERT(!arguments.hasOverflowed());
 
     scope.release();

trunk/Source/JavaScriptCore/runtime/JSJob.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -77 +77 @@
         handlerArguments.append(arg);
     }
+    if (UNLIKELY(handlerArguments.hasOverflowed()))
+        return;
     profiledCall(exec, ProfilingReason::Microtask, m_job.get(), handlerCallType, handlerCallData, jsUndefined(), handlerArguments);
     scope.clearException();

trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -55 +55 @@
     args.append(key);
     args.append(value);
+    ASSERT(!args.hasOverflowed());
     JSGlobalObject* globalObject = callFrame->jsCallee()->globalObject();
     return constructArray(callFrame, 0, globalObject, args);

trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All Rights Reserved.
  * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>.
  *
@@ -95 +95 @@
     arguments.append(key);
     arguments.append(JSSourceCode::create(vm, WTFMove(source)));
+    ASSERT(!arguments.hasOverflowed());
 
     scope.release();
@@ -115 +116 @@
     arguments.append(parameters);
     arguments.append(scriptFetcher);
+    ASSERT(!arguments.hasOverflowed());
 
     scope.release();
@@ -135 +137 @@
     arguments.append(parameters);
     arguments.append(scriptFetcher);
+    ASSERT(!arguments.hasOverflowed());
 
     scope.release();
@@ -154 +157 @@
     arguments.append(moduleKey);
     arguments.append(scriptFetcher);
+    ASSERT(!arguments.hasOverflowed());
 
     scope.release();
@@ -174 +178 @@
     arguments.append(parameters);
     arguments.append(scriptFetcher);
+    ASSERT(!arguments.hasOverflowed());
 
     scope.release();

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -314 +314 @@
     MarkedArgumentBuffer args;
     args.append(propertyName.value(m_exec));
+    ASSERT(!args.hasOverflowed());
     return call(m_exec, asObject(toJSONFunction), callType, callData, value, args);
 }
@@ -331 +332 @@
         args.append(propertyName.value(m_exec));
         args.append(value);
+        ASSERT(!args.hasOverflowed());
         value = call(m_exec, m_replacer.get(), m_replacerCallType, m_replacerCallData, holder.object(), args);
         RETURN_IF_EXCEPTION(scope, StringifyFailed);
@@ -610 +612 @@
         args.append(property);
         args.append(unfiltered);
+        ASSERT(!args.hasOverflowed());
         return call(m_exec, m_function.get(), m_callType, m_callData, thisObj, args);
     }

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -741 +741 @@
     MarkedArgumentBuffer args;
     args.append(value);
+    ASSERT(!args.hasOverflowed());
 
     CallData callData;
@@ -1939 +1940 @@
         callArgs.append(hintString);
     }
+    ASSERT(!callArgs.hasOverflowed());
 
     JSValue result = call(exec, function, callType, callData, const_cast<JSObject*>(object), callArgs);
@@ -2053 +2055 @@
         MarkedArgumentBuffer args;
         args.append(value);
+        ASSERT(!args.hasOverflowed());
         JSValue result = call(exec, hasInstanceValue, callType, callData, this, args);
         RETURN_IF_EXCEPTION(scope, false);

trunk/Source/JavaScriptCore/runtime/JSPromise.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -71 +71 @@
     MarkedArgumentBuffer arguments;
     arguments.append(executor);
+    ASSERT(!arguments.hasOverflowed());
     call(exec, initializePromise, callType, callData, this, arguments);
 }
@@ -106 +107 @@
     MarkedArgumentBuffer arguments;
     arguments.append(value);
+    ASSERT(!arguments.hasOverflowed());
     auto result = call(exec, promiseResolveFunction, callType, callData, globalObject.promiseConstructor(), arguments);
     RETURN_IF_EXCEPTION(scope, nullptr);

trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49 +49 @@
     MarkedArgumentBuffer arguments;
     arguments.append(promiseConstructor);
+    ASSERT(!arguments.hasOverflowed());
     return call(exec, newPromiseCapabilityFunction, callType, callData, jsUndefined(), arguments);
 }
@@ -97 +98 @@
     MarkedArgumentBuffer arguments;
     arguments.append(value);
+    ASSERT(!arguments.hasOverflowed());
 
     call(exec, function, callType, callData, jsUndefined(), arguments);

trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -55 +55 @@
     args.append(key);
     args.append(value);
+    ASSERT(!args.hasOverflowed());
     JSGlobalObject* globalObject = callFrame->jsCallee()->globalObject();
     return constructArray(callFrame, 0, globalObject, args);

trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Mathias Bynens (mathias@qiwi.be)
  *
@@ -594 +594 @@
                 JSArray* array = constructEmptyArray(m_exec, 0);
                 RETURN_IF_EXCEPTION(scope, JSValue());
-                objectStack.append(array);
+                objectStack.appendWithCrashOnOverflow(array);
             }
             doParseArrayStartExpression:
@@ -635 +635 @@
             case StartParseObject: {
                 JSObject* object = constructEmptyObject(m_exec);
-                objectStack.append(object);
+                objectStack.appendWithCrashOnOverflow(object);
 
                 TokenType type = m_lexer.next();

trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -106 +106 @@
         arguments.append(key);
         arguments.append(value);
+        ASSERT(!arguments.hasOverflowed());
         scope.release();
         call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, map, arguments);

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -570 +570 @@
         }
     }
+    RELEASE_ASSERT(!markBuffer.hasOverflowed());
     for (size_t i = 0; i < numProperties; i++) {
         auto& propertyName = propertyNames[i];

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -166 +166 @@
     arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
     arguments.append(receiver);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, getHandler, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, { });
@@ -238 +239 @@
     arguments.append(target);
     arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, getOwnPropertyDescriptorMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -346 +348 @@
     arguments.append(target);
     arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, hasMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -453 +456 @@
     arguments.append(putValue);
     arguments.append(thisValue);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, setMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -547 +551 @@
     arguments.append(exec->thisValue());
     arguments.append(argArray);
+    ASSERT(!arguments.hasOverflowed());
     scope.release();
     return JSValue::encode(call(exec, applyMethod, callType, callData, handler, arguments));
@@ -599 +604 @@
     arguments.append(argArray);
     arguments.append(exec->newTarget());
+    ASSERT(!arguments.hasOverflowed());
     JSValue result = call(exec, constructMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
@@ -656 +662 @@
     arguments.append(target);
     arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, deletePropertyMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -729 +736 @@
     MarkedArgumentBuffer arguments;
     arguments.append(target);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, preventExtensionsMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -783 +791 @@
     MarkedArgumentBuffer arguments;
     arguments.append(target);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, isExtensibleMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -853 +862 @@
     arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
     arguments.append(descriptorObject);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, definePropertyMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -937 +947 @@
     MarkedArgumentBuffer arguments;
     arguments.append(target);
+    ASSERT(!arguments.hasOverflowed());
     JSValue arrayLikeObject = call(exec, ownKeysMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, void());
@@ -1088 +1099 @@
     arguments.append(target);
     arguments.append(prototype);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, setPrototypeOfMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
@@ -1151 +1163 @@
     MarkedArgumentBuffer arguments;
     arguments.append(target);
+    ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(exec, getPrototypeOfMethod, callType, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp

@@ -122 +122 @@
     });
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    if (UNLIKELY(arguments.hasOverflowed())) {
+        throwOutOfMemoryError(exec, scope);
+        return encodedJSValue();
+    }
 
     scope.release();

trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -93 +93 @@
         MarkedArgumentBuffer arguments;
         arguments.append(nextValue);
+        ASSERT(!arguments.hasOverflowed());
         call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, set, arguments);
     });

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -720 +720 @@
                 if (hasNamedCaptures)
                     args.append(groups);
+                if (UNLIKELY(args.hasOverflowed())) {
+                    throwOutOfMemoryError(exec, scope);
+                    return encodedJSValue();
+                }
 
                 JSValue replacement = call(exec, replaceValue, callType, callData, jsUndefined(), args);
@@ -836 +840 @@
         args.append(jsNumber(matchStart));
         args.append(jsString);
+        ASSERT(!args.hasOverflowed());
         replaceValue = call(exec, replaceValue, callType, callData, jsUndefined(), args);
         RETURN_IF_EXCEPTION(scope, encodedJSValue());

trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -91 +91 @@
         arguments.append(key);
         arguments.append(value);
+        ASSERT(!arguments.hasOverflowed());
         scope.release();
         call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, weakMap, arguments);

trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -78 +78 @@
         MarkedArgumentBuffer arguments;
         arguments.append(nextValue);
+        ASSERT(!arguments.hasOverflowed());
         call(exec, adderFunction, adderFunctionCallType, adderFunctionCallData, weakSet, arguments);
     });

trunk/Source/JavaScriptCore/wasm/js/WasmToJS.cpp

@@ -248 +248 @@
                     args.append(arg);
                 }
+                if (UNLIKELY(args.hasOverflowed())) {
+                    throwOutOfMemoryError(exec, throwScope);
+                    return 0;
+                }
 
                 CallData callData;

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-11-01  Mark Lam  <mark.lam@apple.com>
+
+        Add support to throw OOM if MarkedArgumentBuffer may overflow.
+        https://bugs.webkit.org/show_bug.cgi?id=179092
+        <rdar://problem/35116160>
+
+        Reviewed by Saam Barati.
+
+        No new tests.  The test for overflowing a MarkedArgumentBuffer will run for a
+        ridiculously long time, which renders it unsuitable for automated tests.
+
+        * Modules/plugins/QuickTimePluginReplacement.mm:
+        (WebCore::QuickTimePluginReplacement::installReplacement):
+        * bindings/js/JSCustomElementInterface.cpp:
+        (WebCore::constructCustomElementSynchronously):
+        (WebCore::JSCustomElementInterface::upgradeElement):
+        (WebCore::JSCustomElementInterface::invokeCallback):
+        * bindings/js/JSCustomXPathNSResolver.cpp:
+        (WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):
+        * bindings/js/JSDOMBuiltinConstructorBase.cpp:
+        (WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments):
+        * bindings/js/JSDOMConvertSequences.h:
+        (WebCore::JSConverter<IDLSequence<T>>::convert):
+        (WebCore::JSConverter<IDLFrozenArray<T>>::convert):
+        * bindings/js/JSDOMConvertWebGL.cpp:
+        (WebCore::convertToJSValue):
+        * bindings/js/JSDOMIterator.h:
+        (WebCore::jsPair):
+        (WebCore::iteratorForEach):
+        * bindings/js/JSDOMMapLike.cpp:
+        (WebCore::forwardFunctionCallToBackingMap):
+        (WebCore::forwardForEachCallToBackingMap):
+        * bindings/js/JSDOMPromiseDeferred.cpp:
+        (WebCore::DeferredPromise::callFunction):
+        (WebCore::createRejectedPromiseWithTypeError):
+        * bindings/js/JSErrorHandler.cpp:
+        (WebCore::JSErrorHandler::handleEvent):
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::handleEvent):
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction const):
+        * bindings/js/JSPluginElementFunctions.cpp:
+        (WebCore::callPlugin):
+        * bindings/js/JSReadableStreamPrivateConstructors.cpp:
+        (WebCore::constructJSReadableStreamReaderGeneric):
+        * bindings/js/ReadableStream.cpp:
+        (WebCore::ReadableStream::create):
+        (WebCore::ReadableStream::pipeTo):
+        (WebCore::ReadableStream::tee):
+        (WebCore::ReadableStream::lock):
+        (WebCore::checkReadableStream):
+        * bindings/js/ReadableStreamDefaultController.cpp:
+        (WebCore::ReadableStreamDefaultController::invoke):
+        * bindings/js/ScheduledAction.cpp:
+        (WebCore::ScheduledAction::executeFunctionInContext):
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneSerializer::recordObject):
+        (WebCore::CloneSerializer::serialize):
+        (WebCore::CloneDeserializer::readTerminal):
+        (WebCore::CloneDeserializer::deserialize):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateCallbackImplementationContent):
+        * bindings/scripts/test/JS/JSTestCallbackFunction.cpp:
+        (WebCore::JSTestCallbackFunction::handleEvent):
+        * bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp:
+        (WebCore::JSTestCallbackFunctionRethrow::handleEvent):
+        * bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp:
+        (WebCore::JSTestCallbackFunctionWithThisObject::handleEvent):
+        * bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp:
+        (WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent):
+        * bindings/scripts/test/JS/JSTestCallbackInterface.cpp:
+        (WebCore::JSTestCallbackInterface::callbackWithNoParam):
+        (WebCore::JSTestCallbackInterface::callbackWithArrayParam):
+        (WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam):
+        (WebCore::JSTestCallbackInterface::callbackWithStringList):
+        (WebCore::JSTestCallbackInterface::callbackWithBoolean):
+        (WebCore::JSTestCallbackInterface::callbackRequiresThisToPass):
+        (WebCore::JSTestCallbackInterface::callbackWithAReturnValue):
+        (WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions):
+        (WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck):
+        (WebCore::JSTestCallbackInterface::callbackWithThisObject):
+        * bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp:
+        (WebCore::JSTestVoidCallbackFunction::handleEvent):
+        * bridge/NP_jsobject.cpp:
+        * bridge/objc/WebScriptObject.mm:
+        (-[WebScriptObject callWebScriptMethod:withArguments:]):
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::updateCaptionContainer):
+        (WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
+        (WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange):
+        (WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):
+        * testing/Internals.cpp:
+        (WebCore::Internals::cloneArrayBuffer):
+
 2017-11-01  Andy Estes  <aestes@apple.com>
 

trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm

@@ -206 +206 @@
     argList.append(toJS<IDLSequence<IDLNullable<IDLDOMString>>>(*exec, *globalObject, m_names));
     argList.append(toJS<IDLSequence<IDLNullable<IDLDOMString>>>(*exec, *globalObject, m_values));
+    ASSERT(!argList.hasOverflowed());
     JSC::JSValue replacement = call(exec, replacementObject, callType, callData, globalObject, argList);
     if (UNLIKELY(scope.exception())) {

trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -128 +128 @@
     InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionConstruct(&document, constructType, constructData);
     MarkedArgumentBuffer args;
+    ASSERT(!args.hasOverflowed());
     JSValue newElement = construct(&state, constructor, constructType, constructData, args);
     InspectorInstrumentation::didCallFunction(cookie, &document);
@@ -199 +200 @@
 
     MarkedArgumentBuffer args;
+    ASSERT(!args.hasOverflowed());
     InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionConstruct(context, constructType, constructData);
     JSValue returnedElement = construct(state, m_constructor.get(), constructType, constructData, args);
@@ -246 +248 @@
     MarkedArgumentBuffer args;
     addArguments(state, globalObject, args);
+    RELEASE_ASSERT(!args.hasOverflowed());
 
     InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionCall(context, callType, callData);

trunk/Source/WebCore/bindings/js/JSCustomXPathNSResolver.cpp

@@ -88 +88 @@
     MarkedArgumentBuffer args;
     args.append(jsStringWithCache(exec, prefix));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> exception;

trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructorBase.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004-2011, 2013, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
  *  Copyright (C) 2013 Michael Pruett <michael@68k.org>
@@ -31 +31 @@
 void JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments(JSC::ExecState& state, JSC::JSObject& thisObject, JSC::JSFunction& function)
 {
+    JSC::VM& vm = state.vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSC::CallData callData;
     JSC::CallType callType = JSC::getCallData(&function, callData);
@@ -38 +40 @@
     for (unsigned i = 0; i < state.argumentCount(); ++i)
         arguments.append(state.uncheckedArgument(i));
+    if (UNLIKELY(arguments.hasOverflowed())) {
+        throwOutOfMemoryError(&state, scope);
+        return;
+    }
     JSC::call(&state, &function, callType, callData, &thisObject, arguments);
 }

trunk/Source/WebCore/bindings/js/JSDOMConvertSequences.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -379 +379 @@
     static JSC::JSValue convert(JSC::ExecState& exec, JSDOMGlobalObject& globalObject, const Vector<U, inlineCapacity>& vector)
     {
+        JSC::VM& vm = exec.vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
         JSC::MarkedArgumentBuffer list;
         for (auto& element : vector)
             list.append(toJS<T>(exec, globalObject, element));
+        if (UNLIKELY(list.hasOverflowed())) {
+            throwOutOfMemoryError(&exec, scope);
+            return { };
+        }
         return JSC::constructArray(&exec, nullptr, &globalObject, list);
     }
@@ -407 +413 @@
     static JSC::JSValue convert(JSC::ExecState& exec, JSDOMGlobalObject& globalObject, const Vector<U, inlineCapacity>& vector)
     {
+        JSC::VM& vm = exec.vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
         JSC::MarkedArgumentBuffer list;
         for (auto& element : vector)
             list.append(toJS<T>(exec, globalObject, element));
+        if (UNLIKELY(list.hasOverflowed())) {
+            throwOutOfMemoryError(&exec, scope);
+            return { };
+        }
         auto* array = JSC::constructArray(&exec, nullptr, &globalObject, list);
         return JSC::objectConstructorFreeze(&exec, array);

trunk/Source/WebCore/bindings/js/JSDOMConvertWebGL.cpp

@@ -92 +92 @@
             for (auto& value : values)
                 list.append(jsBoolean(value));
+            RELEASE_ASSERT(!list.hasOverflowed());
             return constructArray(&state, 0, &globalObject, list);
         },
@@ -98 +99 @@
             for (auto& value : values)
                 list.append(jsNumber(value));
+            RELEASE_ASSERT(!list.hasOverflowed());
             return constructArray(&state, 0, &globalObject, list);
         },

trunk/Source/WebCore/bindings/js/JSDOMIterator.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2016 Canon, Inc. All rights reserved.
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -128 +128 @@
     arguments.append(value1);
     arguments.append(value2);
+    ASSERT(!arguments.hasOverflowed());
     return constructArray(&state, nullptr, &globalObject, arguments);
 }
@@ -215 +216 @@
         appendForEachArguments<JSIterator>(state, *thisObject.globalObject(), arguments, value);
         arguments.append(&thisObject);
+        if (UNLIKELY(arguments.hasOverflowed())) {
+            throwOutOfMemoryError(&state, scope);
+            return { };
+        }
         JSC::call(&state, callback, callType, callData, thisValue, arguments);
         if (UNLIKELY(scope.exception()))

trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp

@@ -74 +74 @@
     for (size_t cptr = 0; cptr < state.argumentCount(); ++cptr)
         arguments.append(state.uncheckedArgument(cptr));
+    ASSERT(!arguments.hasOverflowed());
     return JSC::call(&state, function, callType, callData, &backingMap, arguments);
 }
@@ -90 +91 @@
     for (size_t cptr = 0; cptr < state.argumentCount(); ++cptr)
         arguments.append(state.uncheckedArgument(cptr));
+    ASSERT(!arguments.hasOverflowed());
     return JSC::call(&state, function, callType, callData, &mapLike, arguments);
 }

trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp

@@ -58 +58 @@
     MarkedArgumentBuffer arguments;
     arguments.append(resolution);
+    ASSERT(!arguments.hasOverflowed());
 
     call(&exec, function, callType, callData, jsUndefined(), arguments);
@@ -207 +208 @@
     MarkedArgumentBuffer arguments;
     arguments.append(rejectionValue);
+    ASSERT(!arguments.hasOverflowed());
 
     return JSValue::encode(call(&state, rejectFunction, callType, callData, promiseConstructor, arguments));

trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -91 +91 @@
         args.append(toJS<IDLUnsignedLong>(errorEvent.colno()));
         args.append(errorEvent.error(*exec, *globalObject));
+        ASSERT(!args.hasOverflowed());
 
         VM& vm = globalObject->vm();

trunk/Source/WebCore/bindings/js/JSEventListener.cpp

@@ -139 +139 @@
         MarkedArgumentBuffer args;
         args.append(toJS(exec, globalObject, &event));
+        ASSERT(!args.hasOverflowed());
 
         Event* savedEvent = globalObject->currentEvent();

trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

@@ -113 +113 @@
     args.append(jsNontrivialString(exec, m_eventParameterName));
     args.append(jsStringWithCache(exec, m_code));
+    ASSERT(!args.hasOverflowed());
 
     // We want all errors to refer back to the line on which our attribute was

trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp

@@ -152 +152 @@
     for (size_t i = 0; i < argumentCount; i++)
         argumentList.append(exec->argument(i));
+    ASSERT(!argumentList.hasOverflowed());
 
     CallData callData;

trunk/Source/WebCore/bindings/js/JSReadableStreamPrivateConstructors.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 2015 Canon Inc. All rights reserved.
- *  Copyright (C) 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -75 +75 @@
     MarkedArgumentBuffer args;
     args.append(exec.argument(0));
+    ASSERT(!args.hasOverflowed());
     return JSValue::encode(JSC::construct(&exec, constructor, constructType, constructData, args));
 }

trunk/Source/WebCore/bindings/js/ReadableStream.cpp

@@ -52 +52 @@
     MarkedArgumentBuffer args;
     args.append(source ? toJSNewlyCreated(&execState, &globalObject, source.releaseNonNull()) : JSC::jsUndefined());
+    ASSERT(!args.hasOverflowed());
 
     auto newReadableStream = jsDynamicDowncast<JSReadableStream*>(vm, JSC::construct(&execState, constructor, constructType, constructData, args));
@@ -84 +85 @@
     arguments.append(readableStream());
     arguments.append(toJS(&state, m_globalObject.get(), sink));
+    ASSERT(!arguments.hasOverflowed());
     ReadableStreamInternal::callFunction(state, readableStreamPipeTo, JSC::jsUndefined(), arguments);
 }
@@ -99 +101 @@
     arguments.append(readableStream());
     arguments.append(JSC::jsBoolean(true));
+    ASSERT(!arguments.hasOverflowed());
     auto returnedValue = ReadableStreamInternal::callFunction(state, readableStreamTee, JSC::jsUndefined(), arguments);
 
@@ -123 +126 @@
     MarkedArgumentBuffer args;
     args.append(readableStream());
+    ASSERT(!args.hasOverflowed());
 
     JSC::construct(&state, constructor, constructType, constructData, args);
@@ -135 +139 @@
     JSC::MarkedArgumentBuffer arguments;
     arguments.append(readableStream);
+    ASSERT(!arguments.hasOverflowed());
     return ReadableStreamInternal::callFunction(state, function, JSC::jsUndefined(), arguments).isTrue();
 }

trunk/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp

@@ -66 +66 @@
     JSC::MarkedArgumentBuffer arguments;
     arguments.append(parameter);
+    ASSERT(!arguments.hasOverflowed());
 
     return callFunction(state, function, &object, arguments);

trunk/Source/WebCore/bindings/js/ScheduledAction.cpp

@@ -2 +2 @@
  *  Copyright (C) 2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2006 Jon Shier (jshier@iastate.edu)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reseved.
+ *  Copyright (C) 2003-2017 Apple Inc. All rights reseved.
  *  Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  *  Copyright (C) 2009 Google Inc. All rights reseved.
@@ -93 +93 @@
 {
     ASSERT(m_function);
-    JSLockHolder lock(context.vm());
+    VM& vm = context.vm();
+    JSLockHolder lock(vm);
+    auto scope = DECLARE_THROW_SCOPE(vm);
 
     CallData callData;
@@ -105 +107 @@
     for (auto& argument : m_arguments)
         arguments.append(argument.get());
+    if (UNLIKELY(arguments.hasOverflowed())) {
+        throwOutOfMemoryError(exec, scope);
+        NakedPtr<JSC::Exception> exception = scope.exception();
+        reportException(exec, exception);
+        return;
+    }
 
     InspectorInstrumentationCookie cookie = JSMainThreadExecState::instrumentFunctionCall(&context, callType, callData);

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -667 +667 @@
     {
         m_objectPool.add(object, m_objectPool.size());
-        m_gcBuffer.append(object);
+        m_gcBuffer.appendWithCrashOnOverflow(object);
     }
 
@@ -1590 +1590 @@
                     break;
                 JSMapIterator* iterator = JSMapIterator::create(vm, vm.mapIteratorStructure.get(), inMap, IterateKeyValue);
-                m_gcBuffer.append(inMap);
-                m_gcBuffer.append(iterator);
+                m_gcBuffer.appendWithCrashOnOverflow(inMap);
+                m_gcBuffer.appendWithCrashOnOverflow(iterator);
                 mapIteratorStack.append(iterator);
                 inputObjectStack.append(inMap);
@@ -1611 +1611 @@
                 }
                 inValue = key;
-                m_gcBuffer.append(value);
+                m_gcBuffer.appendWithCrashOnOverflow(value);
                 mapIteratorValueStack.append(value);
                 stateStack.append(MapDataEndVisitKey);
@@ -1634 +1634 @@
                     break;
                 JSSetIterator* iterator = JSSetIterator::create(vm, vm.setIteratorStructure.get(), inSet, IterateKey);
-                m_gcBuffer.append(inSet);
-                m_gcBuffer.append(iterator);
+                m_gcBuffer.appendWithCrashOnOverflow(inSet);
+                m_gcBuffer.appendWithCrashOnOverflow(iterator);
                 setIteratorStack.append(iterator);
                 inputObjectStack.append(inSet);
@@ -2652 +2652 @@
             BooleanObject* obj = BooleanObject::create(m_exec->vm(), m_globalObject->booleanObjectStructure());
             obj->setInternalValue(m_exec->vm(), jsBoolean(false));
-            m_gcBuffer.append(obj);
+            m_gcBuffer.appendWithCrashOnOverflow(obj);
             return obj;
         }
@@ -2658 +2658 @@
             BooleanObject* obj = BooleanObject::create(m_exec->vm(), m_globalObject->booleanObjectStructure());
             obj->setInternalValue(m_exec->vm(), jsBoolean(true));
-             m_gcBuffer.append(obj);
+            m_gcBuffer.appendWithCrashOnOverflow(obj);
             return obj;
         }
@@ -2672 +2672 @@
                 return JSValue();
             NumberObject* obj = constructNumber(m_exec, m_globalObject, jsNumber(d));
-            m_gcBuffer.append(obj);
+            m_gcBuffer.appendWithCrashOnOverflow(obj);
             return obj;
         }
@@ -2764 +2764 @@
                 return JSValue();
             StringObject* obj = constructString(m_exec->vm(), m_globalObject, cachedString->jsString(m_exec));
-            m_gcBuffer.append(obj);
+            m_gcBuffer.appendWithCrashOnOverflow(obj);
             return obj;
         }
@@ -2770 +2770 @@
             VM& vm = m_exec->vm();
             StringObject* obj = constructString(vm, m_globalObject, jsEmptyString(&vm));
-            m_gcBuffer.append(obj);
+            m_gcBuffer.appendWithCrashOnOverflow(obj);
             return obj;
         }
@@ -2817 +2817 @@
             // not trow.
             scope.releaseAssertNoException();
-            m_gcBuffer.append(result);
+            m_gcBuffer.appendWithCrashOnOverflow(result);
             return result;
         }
@@ -2835 +2835 @@
             }
             JSValue result = JSArrayBuffer::create(m_exec->vm(), structure, WTFMove(arrayBuffer));
-            m_gcBuffer.append(result);
+            m_gcBuffer.appendWithCrashOnOverflow(result);
             return result;
         }
@@ -2862 +2862 @@
             RefPtr<ArrayBuffer> buffer = ArrayBuffer::create(WTFMove(m_sharedBuffers->at(index)));
             JSValue result = getJSValue(buffer.get());
-            m_gcBuffer.append(result);
+            m_gcBuffer.appendWithCrashOnOverflow(result);
             return result;
         }
@@ -2871 +2871 @@
                 return JSValue();
             }
-            m_gcBuffer.append(arrayBufferView);
+            m_gcBuffer.appendWithCrashOnOverflow(arrayBufferView);
             return arrayBufferView;
         }
@@ -2897 +2897 @@
                 return JSValue();
             }
-            m_gcBuffer.append(cryptoKey);
+            m_gcBuffer.appendWithCrashOnOverflow(cryptoKey);
             return cryptoKey;
         }
@@ -2985 +2985 @@
             if (UNLIKELY(scope.exception()))
                 goto error;
-            m_gcBuffer.append(outArray);
+            m_gcBuffer.appendWithCrashOnOverflow(outArray);
             outputObjectStack.append(outArray);
         }
@@ -3026 +3026 @@
                 return std::make_pair(JSValue(), SerializationReturnCode::StackOverflowError);
             JSObject* outObject = constructEmptyObject(m_exec, m_globalObject->objectPrototype());
-            m_gcBuffer.append(outObject);
+            m_gcBuffer.appendWithCrashOnOverflow(outObject);
             outputObjectStack.append(outObject);
         }
@@ -3063 +3063 @@
             if (UNLIKELY(scope.exception()))
                 goto error;
-            m_gcBuffer.append(map);
+            m_gcBuffer.appendWithCrashOnOverflow(map);
             outputObjectStack.append(map);
             mapStack.append(map);
@@ -3094 +3094 @@
             if (UNLIKELY(scope.exception()))
                 goto error;
-            m_gcBuffer.append(set);
+            m_gcBuffer.appendWithCrashOnOverflow(set);
             outputObjectStack.append(set);
             setStack.append(set);

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -6041 +6041 @@
                 push(@$contentRef, "    args.append(" . NativeToJSValueUsingReferences($argument, $interfaceOrCallback, $argument->name, "globalObject") . ");\n");
             }
+            push(@$contentRef, "    ASSERT(!args.hasOverflowed());\n");
 
             push(@$contentRef, "\n    NakedPtr<JSC::Exception> returnedException;\n");

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp

@@ -66 +66 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLLong>(argument));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp

@@ -69 +69 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLSequence<IDLLong>>(state, globalObject, argument));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp

@@ -69 +69 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLSequence<IDLInterface<TestNode>>>(state, globalObject, parameter));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp

@@ -70 +70 @@
     args.append(toJS<IDLSequence<IDLNullable<IDLLong>>>(state, globalObject, sequenceArg));
     args.append(toJS<IDLLong>(longArg));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackInterface.cpp

@@ -175 +175 @@
     JSValue thisValue = jsUndefined();
     MarkedArgumentBuffer args;
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -201 +202 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLFloat32Array>(state, globalObject, arrayParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -228 +230 @@
     args.append(toJS<IDLSerializedScriptValue<SerializedScriptValue>>(state, globalObject, srzParam));
     args.append(toJS<IDLDOMString>(state, strParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -254 +257 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLInterface<DOMStringList>>(state, globalObject, listParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -280 +284 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLBoolean>(boolParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -307 +312 @@
     args.append(toJS<IDLLong>(longParam));
     args.append(toJS<IDLInterface<TestNode>>(state, globalObject, testNodeParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -332 +338 @@
     JSValue thisValue = jsUndefined();
     MarkedArgumentBuffer args;
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -361 +368 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLEnumeration<TestCallbackInterface::Enum>>(state, enumParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -388 +396 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLDictionary<TestCallbackInterface::Dictionary>>(state, globalObject, dictionaryParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;
@@ -417 +426 @@
     MarkedArgumentBuffer args;
     args.append(toJS<IDLInterface<TestObj>>(state, globalObject, testObjParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp

@@ -81 +81 @@
     args.append(toJS<IDLLong>(longParam));
     args.append(toJS<IDLInterface<TestNode>>(state, globalObject, testNodeParam));
+    ASSERT(!args.hasOverflowed());
 
     NakedPtr<JSC::Exception> returnedException;

trunk/Source/WebCore/bridge/NP_jsobject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2004, 2006 Apple Inc.  All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -196 +196 @@
         MarkedArgumentBuffer argList;
         getListFromVariantArgs(exec, args, argCount, rootObject, argList);
+        RELEASE_ASSERT(!argList.hasOverflowed());
         JSValue resultV = JSC::call(exec, function, callType, callData, function, argList);
 
@@ -248 +249 @@
         MarkedArgumentBuffer argList;
         getListFromVariantArgs(exec, args, argCount, rootObject, argList);
+        RELEASE_ASSERT(!argList.hasOverflowed());
         JSValue resultV = JSC::call(exec, function, callType, callData, obj->imp, argList);
 
@@ -537 +539 @@
         MarkedArgumentBuffer argList;
         getListFromVariantArgs(exec, args, argCount, rootObject, argList);
+        RELEASE_ASSERT(!argList.hasOverflowed());
         JSValue resultV = JSC::construct(exec, constructor, constructType, constructData, argList);
         

trunk/Source/WebCore/bridge/objc/WebScriptObject.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2008, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -352 +352 @@
 
     MarkedArgumentBuffer argList;
+    ASSERT(!argList.hasOverflowed());
     getListFromNSArray(exec, args, [self _rootObject], argList);
 

trunk/Source/WebCore/html/HTMLMediaElement.cpp

@@ -4278 +4278 @@
 
     JSC::MarkedArgumentBuffer noArguments;
+    ASSERT(!noArguments.hasOverflowed());
     JSC::call(exec, methodObject, callType, callData, controllerObject, noArguments);
     scope.clearException();
@@ -7073 +7074 @@
     argList.append(mediaJSWrapper);
     argList.append(mediaControlsHostJSWrapper);
+    ASSERT(!argList.hasOverflowed());
 
     JSC::JSObject* function = functionValue.toObject(exec);
@@ -7166 +7168 @@
 
     JSC::MarkedArgumentBuffer argList;
+    ASSERT(!argList.hasOverflowed());
     JSC::call(exec, function, callType, callData, controllerObject, argList);
 }
@@ -7205 +7208 @@
     JSC::CallType callType = function->methodTable(vm)->getCallData(function, callData);
     JSC::MarkedArgumentBuffer argList;
+    ASSERT(!argList.hasOverflowed());
     if (callType == JSC::CallType::None)
         return emptyString();

trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp

@@ -378 +378 @@
     // If no snapshot was found then we want the overlay to be visible.
     argList.append(toJS<IDLBoolean>(!m_snapshotImage));
+    ASSERT(!argList.hasOverflowed());
 
     // It is expected the JS file provides a createOverlay(shadowRoot, title, subtitle) function.

trunk/Source/WebCore/testing/Internals.cpp

@@ -3848 +3848 @@
     arguments.append(srcByteOffset);
     arguments.append(srcLength);
+    ASSERT(!arguments.hasOverflowed());
 
     return JSC::call(&state, function, callType, callData, JSC::jsUndefined(), arguments);