Changeset 272938 in webkit


Timestamp:
Feb 16, 2021 4:33:42 PM (3 years ago)
Author:
sbarati@apple.com
Message:

operationNewArrayWithSize should call tryCreate instead of create
https://bugs.webkit.org/show_bug.cgi?id=221983
<rdar://74265630>

Reviewed by Mark Lam.

I disassembled crashlogs inside operationNewArrayWithSize. They are crashing
inside array allocation. They are crashing on OOM. By code inspection,
operationNewArrayWithSizeAndHint has the same problem.

Callsites to both functions already handle exceptions being thrown, so
converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint
to throw instead of crash on OOM is trivial.

I wasn't able to come up with a test case for this.

  • dfg/DFGOperations.cpp:
    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
  • runtime/ObjectConstructor.cpp:
    (JSC::ownPropertyKeys):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r272936 r272938  
     12021-02-16  Saam Barati  <sbarati@apple.com>
     2
     3        operationNewArrayWithSize should call tryCreate instead of create
     4        https://bugs.webkit.org/show_bug.cgi?id=221983
     5        <rdar://74265630>
     6
     7        Reviewed by Mark Lam.
     8
     9        I disassembled crashlogs inside operationNewArrayWithSize. They are crashing
     10        inside array allocation. They are crashing on OOM. By code inspection,
     11        operationNewArrayWithSizeAndHint has the same problem.
     12       
     13        Callsites to both functions already handle exceptions being thrown, so
     14        converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint
     15        to throw instead of crash on OOM is trivial.
     16       
     17        I wasn't able to come up with a test case for this.
     18
     19        * dfg/DFGOperations.cpp:
     20        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
     21        * runtime/ObjectConstructor.cpp:
     22        (JSC::ownPropertyKeys):
     23
    1242021-02-16  Chris Dumez  <cdumez@apple.com>
    225
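Review bot: the ChangeLog entry lists `(JSC::ownPropertyKeys)` under runtime/ObjectConstructor.cpp as if the function were changed, but the corresponding hunk in this changeset only adds a FIXME comment pointing at bug 221984; say so in the entry (e.g. "Add a FIXME; the create -> tryCreate conversion is tracked separately") so readers of the log do not assume ownPropertyKeys has been hardened by this commit. The "I wasn't able to come up with a test case" line would also read better with a sentence on why (OOM during a small allocation is not reproducible from a JS test), since that is the information a later reader wants.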
  • trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

    r272170 r272938  
    17541754    auto scope = DECLARE_THROW_SCOPE(vm);
    17551755
    1756     if (UNLIKELY(size < 0))
    1757         return bitwise_cast<char*>(throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s)));
     1756    if (UNLIKELY(size < 0)) {
     1757        throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s));
     1758        return nullptr;
     1759    }
    17581760
    17591761    JSArray* result;
    17601762    if (butterfly)
    17611763        result = JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly);
    1762     else
    1763         result = JSArray::create(vm, arrayStructure, size);
     1764    else {
     1765        result = JSArray::tryCreate(vm, arrayStructure, size);
     1766        if (UNLIKELY(!result)) {
     1767            throwOutOfMemoryError(globalObject, scope);
     1768            return nullptr;
     1769        }
     1770    }
    17641771    return bitwise_cast<char*>(result);
    17651772}
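Review bot: the RangeError guard only rejects `size < 0`, while its message reads "Array size is not a small enough positive integer.", so a positive size that `JSArray::tryCreate` refuses now surfaces as an out-of-memory error rather than the RangeError the message promises; either extend the check to the upper bound here or reword the message so that it matches what is actually tested (worth confirming which sizes make tryCreate return null before deciding). Also the new `else` block (`result = JSArray::tryCreate(...)`, `if (UNLIKELY(!result)) { throwOutOfMemoryError(globalObject, scope); return nullptr; }`) is byte-for-byte the same as the one added to operationNewArrayWithSizeAndHint below; a small shared helper would keep the two paths from drifting apart.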
     
    17721779    auto scope = DECLARE_THROW_SCOPE(vm);
    17731780
    1774     if (UNLIKELY(size < 0))
    1775         return bitwise_cast<char*>(throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s)));
     1781    if (UNLIKELY(size < 0)) {
     1782        throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s));
     1783        return nullptr;
     1784    }
    17761785
    17771786    JSArray* result;
     
    17801789    else {
    17811790        result = JSArray::tryCreate(vm, arrayStructure, size, vectorLengthHint);
    1782         RELEASE_ASSERT(result);
     1791        if (UNLIKELY(!result)) {
     1792            throwOutOfMemoryError(globalObject, scope);
     1793            return nullptr;
     1794        }
    17831795    }
    17841796    return bitwise_cast<char*>(result);
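Review bot: replacing `RELEASE_ASSERT(result)` with a throw changes what a null return means here: previously a null was impossible, now `return nullptr` is the "exception pending" signal and is only safe if every DFG callsite checks the throw scope before using the returned `char*`. The ChangeLog asserts that callsites already handle thrown exceptions; it would help to name the exception-check macro or slow path the callers use so a reviewer can verify that the null is never dereferenced on the way out.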
  • trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

    r272838 r272938  
    964964
    965965                size_t numProperties = properties.size();
     966                // FIXME: We should probably be calling tryCreate here:
     967                // https://bugs.webkit.org/show_bug.cgi?id=221984
    966968                JSArray* keys = JSArray::create(vm, globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous), numProperties);
    967969                WriteBarrier<Unknown>* buffer = keys->butterfly()->contiguous().data();
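Review bot: the FIXME documents that `JSArray::create` is still used with a caller-derived `numProperties`, so this site keeps the same crash-on-OOM behaviour the commit fixes in DFGOperations.cpp; since `keys->butterfly()->contiguous().data()` is dereferenced on the very next line, a `tryCreate` conversion here will also need a null check plus `throwOutOfMemoryError` before the buffer is touched. If the follow-up is not going to land soon, consider stating in the FIXME that the function currently crashes rather than throws, so the comment records the known behaviour and not only the intended change.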