https://bugs.webkit.org/show_bug.cgi?id=169783
Reviewed by Saam Barati.
JSTests:
* stress/regress-169783.js: Added.
Source/JavaScriptCore:
Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
succeeds.
* dfg/DFGOperations.cpp:
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateForInitializationPrivate):
(JSC::JSArray::fastSlice):
* runtime/JSArray.h:
(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):
* runtime/RegExpMatchesArray.cpp:
(JSC::createEmptyRegExpMatchesArray):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@214313
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2017-03-23 Mark Lam <mark.lam@apple.com>
+
+ Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
+ https://bugs.webkit.org/show_bug.cgi?id=169783
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-169783.js: Added.
+
2017-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC][DFG] Propagate AnyIntAsDouble information carefully to utilize it in fixup
--- /dev/null
+//@ if $buildType == "debug" then runFTLNoCJIT("--maxSingleAllocationSize=10000000") else skip end
+
+function test(a) {
+ var x = [1337, ...a, ...a, ...a, ...a, ...a];
+}
+noInline(test);
+
+function doTest(a, shouldThrow) {
+ var exception;
+ try {
+ test(a);
+ } catch (e) {
+ exception = e;
+ }
+ if (shouldThrow && exception != "Error: Out of memory")
+ throw("FAILED");
+}
+
+var a = new Array(0x40000);
+doTest(a, true);
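Review bot: `doTest` swallows any exception when `shouldThrow` is false, so a future call with that argument would pass even if `test` threw; add `if (!shouldThrow && exception !== undefined) throw("FAILED");` after the existing check so both directions are asserted. The `exception != "Error: Out of memory"` comparison depends on the thrown Error coercing to exactly that string, which is worth stating in a comment above `doTest`, e.g. `// The spread must fail allocation and surface as an OutOfMemoryError, not a crash or a silent null dereference.` The `//@` directive limits the test to debug builds, so the release-mode null checks this commit adds are only exercised where `--maxSingleAllocationSize` is honored; presumably that option is debug-only, but confirm before accepting the skip.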
+2017-03-23 Mark Lam <mark.lam@apple.com>
+
+ Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
+ https://bugs.webkit.org/show_bug.cgi?id=169783
+
+ Reviewed by Saam Barati.
+
+ Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
+ an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
+ succeeds.
+
+ * dfg/DFGOperations.cpp:
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSplice):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateForInitializationPrivate):
+ (JSC::JSArray::fastSlice):
+ * runtime/JSArray.h:
+ (JSC::constructArray):
+ (JSC::constructArrayNegativeIndexed):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::createEmptyRegExpMatchesArray):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::createRegExpMatchesArray):
+
2017-03-23 Guillaume Emont <guijemont@igalia.com>
[jsc] Add MacroAssemblerMIPS::storeFence()
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, length);
+ if (UNLIKELY(!result)) {
+ throwOutOfMemoryError(exec, scope);
+ return nullptr;
+ }
RETURN_IF_EXCEPTION(scope, nullptr);
unsigned index = 0;
Structure* structure = globalObject->restParameterStructure();
ASSERT(argumentCount > 0);
unsigned arraySize = (argumentCount - 1) > numberOfArgumentsToSkip ? argumentCount - 1 - numberOfArgumentsToSkip : 0;
+
+ // FIXME: we should throw an out of memory error here if tryCreateForInitializationPrivate() fails.
+ // https://bugs.webkit.org/show_bug.cgi?id=169784
JSArray* array = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
RELEASE_ASSERT(array);
}
}
+ // FIXME: we should throw an out of memory error here if checkedArraySize has hasOverflowed() or tryCreateForInitializationPrivate() fails.
+ // https://bugs.webkit.org/show_bug.cgi?id=169784
unsigned arraySize = checkedArraySize.unsafeGet(); // Crashes if overflowed.
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
RELEASE_ASSERT(result);
}
} else {
result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
- if (!result)
- return JSValue::encode(throwOutOfMemoryError(exec, scope));
+ if (UNLIKELY(!result)) {
+ throwOutOfMemoryError(exec, scope);
+ return encodedJSValue();
+ }
for (unsigned k = 0; k < actualDeleteCount; ++k) {
JSValue v = getProperty(exec, thisObj, k + actualStart);
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
+ if (UNLIKELY(!result))
+ THROW(createOutOfMemoryError(exec));
CHECK_EXCEPTION();
unsigned index = 0;
JSArray* JSArray::tryCreateForInitializationPrivate(VM& vm, GCDeferralContext* deferralContext, Structure* structure, unsigned initialLength)
{
- if (initialLength > MAX_STORAGE_VECTOR_LENGTH)
+ if (UNLIKELY(initialLength > MAX_STORAGE_VECTOR_LENGTH))
return 0;
unsigned outOfLineStorage = structure->outOfLineCapacity();
unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
void* temp = vm.auxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
- if (!temp)
+ if (UNLIKELY(!temp))
return nullptr;
butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
butterfly->setVectorLength(vectorLength);
} else {
unsigned vectorLength = ArrayStorage::optimalVectorLength(0, structure, initialLength);
void* temp = vm.auxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)));
- if (!temp)
+ if (UNLIKELY(!temp))
return nullptr;
butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
*butterfly->indexingHeader() = indexingHeaderForArrayStorage(initialLength, vectorLength);
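Review bot: The `initialLength > MAX_STORAGE_VECTOR_LENGTH` early return still returns `0` for a `JSArray*` while the two allocation-failure returns in the same function use `nullptr`; make it `return nullptr;` so every failure path reads the same. Since this commit makes the null return the contract every caller must honor, the function deserves a header comment stating it: `// Returns nullptr if initialLength exceeds MAX_STORAGE_VECTOR_LENGTH or the butterfly cannot be allocated; callers must null-check (throw or RELEASE_ASSERT) before touching the result.` The body of `tryCreateForInitializationPrivate` continues past the end of this hunk.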
Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
- if (!resultArray)
+ if (UNLIKELY(!resultArray))
return nullptr;
auto& resultButterfly = *resultArray->butterfly();
// FIXME: we should probably throw an out of memory error here, but
// when making this change we should check that all clients of this
// function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
RELEASE_ASSERT(array);
for (unsigned i = 0; i < length; ++i)
// FIXME: we should probably throw an out of memory error here, but
// when making this change we should check that all clients of this
// function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
RELEASE_ASSERT(array);
for (unsigned i = 0; i < length; ++i)
// FIXME: we should probably throw an out of memory error here, but
// when making this change we should check that all clients of this
// function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
RELEASE_ASSERT(array);
for (int i = 0; i < static_cast<int>(length); ++i)
if (UNLIKELY(globalObject->isHavingABadTime())) {
array = JSArray::tryCreateForInitializationPrivate(vm, &deferralContext, globalObject->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
-
+ // FIXME: we should probably throw an out of memory error here, but
+ // when making this change we should check that all clients of this
+ // function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
+ RELEASE_ASSERT(array);
+
array->initializeIndexWithoutBarrier(0, jsEmptyString(&vm));
if (unsigned numSubpatterns = regExp->numSubpatterns()) {
if (UNLIKELY(globalObject->isHavingABadTime())) {
array = JSArray::tryCreateForInitializationPrivate(vm, &deferralContext, globalObject->regExpMatchesArrayStructure(), numSubpatterns + 1);
-
+ // FIXME: we should probably throw an out of memory error here, but
+ // when making this change we should check that all clients of this
+ // function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
+ RELEASE_ASSERT(array);
+
setProperties();
array->initializeIndexWithoutBarrier(0, jsSubstringOfResolved(vm, &deferralContext, input, result.start, result.end - result.start));