Changeset 272938 in webkit
- Timestamp: Feb 16, 2021 4:33:42 PM (3 years ago)
- Location: trunk/Source/JavaScriptCore
- Files: 3 edited
trunk/Source/JavaScriptCore/ChangeLog
r272936 r272938 1 2021-02-16 Saam Barati <sbarati@apple.com> 2 3 operationNewArrayWithSize should call tryCreate instead of create 4 https://bugs.webkit.org/show_bug.cgi?id=221983 5 <rdar://74265630> 6 7 Reviewed by Mark Lam. 8 9 I disassembled crashlogs inside operationNewArrayWithSize. They are crashing 10 inside array allocation. They are crashing on OOM. By code inspection, 11 operationNewArrayWithSizeAndHint has the same problem. 12 13 Callsites to both functions already handle exceptions being thrown, so 14 converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint 15 to throw instead of crash on OOM is trivial. 16 17 I wasn't able to come up with a test case for this. 18 19 * dfg/DFGOperations.cpp: 20 (JSC::DFG::JSC_DEFINE_JIT_OPERATION): 21 * runtime/ObjectConstructor.cpp: 22 (JSC::ownPropertyKeys): 23 1 24 2021-02-16 Chris Dumez <cdumez@apple.com> 2 25 -
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r272170 r272938 1754 1754 auto scope = DECLARE_THROW_SCOPE(vm); 1755 1755 1756 if (UNLIKELY(size < 0)) 1757 return bitwise_cast<char*>(throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s))); 1756 if (UNLIKELY(size < 0)) { 1757 throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s)); 1758 return nullptr; 1759 } 1758 1760 1759 1761 JSArray* result; 1760 1762 if (butterfly) 1761 1763 result = JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly); 1762 else 1763 result = JSArray::create(vm, arrayStructure, size); 1764 else { 1765 result = JSArray::tryCreate(vm, arrayStructure, size); 1766 if (UNLIKELY(!result)) { 1767 throwOutOfMemoryError(globalObject, scope); 1768 return nullptr; 1769 } 1770 } 1764 1771 return bitwise_cast<char*>(result); 1765 1772 } … … 1772 1779 auto scope = DECLARE_THROW_SCOPE(vm); 1773 1780 1774 if (UNLIKELY(size < 0)) 1775 return bitwise_cast<char*>(throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s))); 1781 if (UNLIKELY(size < 0)) { 1782 throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s)); 1783 return nullptr; 1784 } 1776 1785 1777 1786 JSArray* result; … … 1780 1789 else { 1781 1790 result = JSArray::tryCreate(vm, arrayStructure, size, vectorLengthHint); 1782 RELEASE_ASSERT(result); 1791 if (UNLIKELY(!result)) { 1792 throwOutOfMemoryError(globalObject, scope); 1793 return nullptr; 1794 } 1783 1795 } 1784 1796 return bitwise_cast<char*>(result); -
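Review bot: the butterfly branch (`result = JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly);`) is left unchanged in both operations while only the non-butterfly branch now checks for a null result and throws; if `createWithButterfly` can also fail under memory pressure it needs the same `throwOutOfMemoryError` handling, and if it cannot fail a one-line comment saying so would save the next reader from asking. Secondary point: the `size < 0` RangeError block and the new `if (UNLIKELY(!result)) { throwOutOfMemoryError(globalObject, scope); return nullptr; }` block are now duplicated verbatim between `operationNewArrayWithSize` and `operationNewArrayWithSizeAndHint`, which invites the two drifting apart again (the second one previously had a `RELEASE_ASSERT(result)` the first lacked); a small shared helper would keep the OOM-to-exception path in one place.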
trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
r272838 r272938 964 964 965 965 size_t numProperties = properties.size(); 966 // FIXME: We should probably be calling tryCreate here: 967 // https://bugs.webkit.org/show_bug.cgi?id=221984 966 968 JSArray* keys = JSArray::create(vm, globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous), numProperties); 967 969 WriteBarrier<Unknown>* buffer = keys->butterfly()->contiguous().data();
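Review bot: this hunk only adds a FIXME above `JSArray* keys = JSArray::create(vm, globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous), numProperties);` and leaves the crashing allocation in place, so `ownPropertyKeys` still aborts rather than throws when `numProperties` is large enough to fail allocation, which is the same class of bug the rest of this change fixes. If the conversion is being deferred to the tracking bug on purpose, the comment should drop "probably" and state that `create` crashes on OOM here and that the callers must be checked for a throw scope before switching to `tryCreate`, so the follow-up has the information it needs.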