Calculating postCapacity in unshiftCountSlowCase is wrong
author    sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 30 Jun 2017 00:58:18 +0000 (00:58 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 30 Jun 2017 00:58:18 +0000 (00:58 +0000)
commit    4c6ebda47babb6b7fc9ed79ab09c2528d0b40a5f
tree      8f3f003f839c220e6dba830760fd9322baaad0f8
parent    eea94fd43530e6af1ec28a746031bed84e331402
Calculating postCapacity in unshiftCountSlowCase is wrong
https://bugs.webkit.org/show_bug.cgi?id=173992
<rdar://problem/32283199>

Reviewed by Keith Miller.

JSTests:

* stress/unshiftCountSlowCase-correct-postCapacity.js: Added.
(temp):

Source/JavaScriptCore:

This patch fixes a bug inside unshiftCountSlowCase where we would use
more memory than we allocated. The bug was when deciding how much extra
space we have after the vector we've allocated. This area is called the
postCapacity. The largest legal postCapacity value we could use is the
space we allocated minus the space we need:
largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
However, the code was calculating the postCapacity as:
postCapacity = max(newStorageCapacity - requiredVectorLength, count);

where count is how many elements we're appending. Depending on the inputs,
count could be larger than (newStorageCapacity - requiredVectorLength). This
would cause us to use more memory than we actually allocated.

* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218977 268f45cc-cd09-0410-ab3c-d52691b4dbfc
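The commit message above describes the arithmetic of the bug but not what it looks like numerically. The following is an added example, not JavaScriptCore's code and not part of this commit: a stand-alone C++ model of the postCapacity calculation, with the buggy formula (max of the slack and count) beside the bounded one the message calls the largest legal value. The names newStorageCapacity, requiredVectorLength, count and postCapacity come from the message; the Layout struct, the function names and the sample numbers are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <cstdio>

// Added example, not JavaScriptCore's code: a model of the postCapacity
// arithmetic described in the commit message. Field names follow the message;
// the Layout struct and the helper names are assumptions.
struct Layout {
    unsigned newStorageCapacity;    // slots actually allocated for the vector
    unsigned requiredVectorLength;  // slots needed for the existing elements plus count
    unsigned postCapacity;          // slack claimed after the vector

    // The vector the code goes on to use spans requiredVectorLength + postCapacity slots.
    unsigned newVectorLength() const { return requiredVectorLength + postCapacity; }

    // True iff every slot the layout claims lies inside the allocation.
    bool fitsAllocation() const { return newVectorLength() <= newStorageCapacity; }
};

// The largest postCapacity the allocation can back, per the commit message:
//   largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength
static unsigned largestPossiblePostCapacity(unsigned newStorageCapacity, unsigned requiredVectorLength)
{
    // The caller is expected to guarantee requiredVectorLength <= newStorageCapacity;
    // guard anyway so the unsigned subtraction can never wrap.
    return requiredVectorLength <= newStorageCapacity ? newStorageCapacity - requiredVectorLength : 0;
}

// Layout as the buggy code computed it: max(slack, count). When count exceeds
// the slack, the claimed vector extends past the end of the allocation.
Layout buggyLayout(unsigned newStorageCapacity, unsigned requiredVectorLength, unsigned count)
{
    unsigned slack = largestPossiblePostCapacity(newStorageCapacity, requiredVectorLength);
    return { newStorageCapacity, requiredVectorLength, std::max(slack, count) };
}

// Layout with postCapacity bounded by what was actually allocated, which is
// the property the fix restores. count never widens the claim.
Layout fixedLayout(unsigned newStorageCapacity, unsigned requiredVectorLength, unsigned count)
{
    (void)count;
    return { newStorageCapacity, requiredVectorLength,
             largestPossiblePostCapacity(newStorageCapacity, requiredVectorLength) };
}

// Number of slots a layout would touch beyond the allocation (0 when it fits).
unsigned slotsPastAllocation(const Layout& l)
{
    return l.fitsAllocation() ? 0 : l.newVectorLength() - l.newStorageCapacity;
}

int main()
{
    // Constructed inputs: the allocation is only 10 slots larger than what is
    // required, but 100 elements are being added.
    const unsigned newStorageCapacity = 120, requiredVectorLength = 110, count = 100;

    Layout bad = buggyLayout(newStorageCapacity, requiredVectorLength, count);
    Layout good = fixedLayout(newStorageCapacity, requiredVectorLength, count);

    std::printf("buggy: postCapacity=%u newVectorLength=%u slots past allocation=%u\n",
                bad.postCapacity, bad.newVectorLength(), slotsPastAllocation(bad));
    std::printf("fixed: postCapacity=%u newVectorLength=%u slots past allocation=%u\n",
                good.postCapacity, good.newVectorLength(), slotsPastAllocation(good));
    return 0;
}
```

With these inputs the buggy formula claims a postCapacity of 100 and a vector of 210 slots inside a 120-slot allocation, 90 slots past its end; the bounded formula claims 10 and stays within the allocation. When count is no larger than the slack the two formulas agree, which is why the bug only shows up for particular combinations of inputs.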
JSTests/ChangeLog
JSTests/stress/unshiftCountSlowCase-correct-postCapacity.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp