Follow up fix for r243807: Use MarkedArgumentBuffer instead of Vector for JSValue
author: sihui_liu@apple.com <sihui_liu@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 20:37:22 +0000 (20:37 +0000)
committer: sihui_liu@apple.com <sihui_liu@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 20:37:22 +0000 (20:37 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196547

Reviewed by Geoffrey Garen.

JSValue in Vector could be garbage collected because GC doesn't know Vector memory on C++ heap.

* bindings/js/JSIDBRequestCustom.cpp:
(WebCore::JSIDBRequest::result const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243824 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSIDBRequestCustom.cpp

index 92bfafb..d2b5d1c 100644 (file)
@@ -1,3 +1,15 @@
+2019-04-03  Sihui Liu  <sihui_liu@apple.com>
+
+        Follow up fix for r243807: Use MarkedArgumentBuffer instead of Vector for JSValue
+        https://bugs.webkit.org/show_bug.cgi?id=196547
+
+        Reviewed by Geoffrey Garen.
+
+        JSValue in Vector could be garbage collected because GC doesn't know Vector memory on C++ heap.
+
+        * bindings/js/JSIDBRequestCustom.cpp:
+        (WebCore::JSIDBRequest::result const):
+
 2019-04-03  Chris Dumez  <cdumez@apple.com>
 
         HTML fragment serialization should not strip whitespace from URL attribute values
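Review bot: the ChangeLog entry only describes the GC-safety motivation, but the code change also adds a new failure path (the `hasOverflowed()` check that propagates `Exception(UnknownError)` and returns `jsNull()`); one sentence noting that overflow of the argument buffer is now reported as an UnknownError would make the entry match what the patch actually does.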
index 068b1de..51902e2 100644 (file)
@@ -64,14 +64,19 @@ JSC::JSValue JSIDBRequest::result(JSC::ExecState& state) const
             auto& keys = getAllResult.keys();
             auto& values = getAllResult.values();
             auto& keyPath = getAllResult.keyPath();
-            Vector<JSC::JSValue> results;
+            auto scope = DECLARE_THROW_SCOPE(state.vm());
+            JSC::MarkedArgumentBuffer list;
             for (unsigned i = 0; i < values.size(); i ++) {
                 auto result = deserializeIDBValueWithKeyInjection(state, values[i], keys[i], keyPath);
                 if (!result)
                     return jsNull();
-                results.append(result.value());
+                list.append(result.value());
+                if (UNLIKELY(list.hasOverflowed())) {
+                    propagateException(state, scope, Exception(UnknownError));
+                    return jsNull();
+                }
             }
-            return JSValue(JSC::constructArray(&state, nullptr, state.lexicalGlobalObject(), results.data(), results.size()));
+            return JSValue(JSC::constructArray(&state, nullptr, state.lexicalGlobalObject(), list));
         }, [] (uint64_t number) {
             return toJS<IDLUnsignedLongLong>(number);
         }, [] (IDBRequest::NullResultType other) {
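Review bot: now that a throw scope is declared before the loop, the unchanged early return `if (!result) return jsNull();` after `deserializeIDBValueWithKeyInjection(...)` leaves any exception state unchecked on that path; consider a `RETURN_IF_EXCEPTION(scope, { })` (or equivalent) after the deserialization call, or a comment stating why returning `jsNull()` without consulting the scope is sufficient there. The overflow check after each `list.append(...)` is the right shape for `MarkedArgumentBuffer`, and passing `list` directly to `constructArray` keeps the values visible to the GC for the whole construction, which is the point of the fix. Minor style nit in the unchanged context: `i ++` should be `i++`.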