Add bounds checking for WTF::Vector::operator[]
author    oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 8 Apr 2013 04:14:50 +0000 (04:14 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 8 Apr 2013 04:14:50 +0000 (04:14 +0000)
https://bugs.webkit.org/show_bug.cgi?id=89600

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Make a few JSC classes opt-out of release mode bounds checking.

* assembler/AssemblerBuffer.h:
(AssemblerBuffer):
* assembler/AssemblerBufferWithConstantPool.h:
(AssemblerBufferWithConstantPool):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::bytecodeOffset):
(JSC):
(JSC::replaceExistingEntries):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
(JSC::CodeBlock::callReturnIndexVector):
(JSC::CodeBlock::codeOrigins):
(RareData):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedEvalCodeBlock::adoptVariables):
(UnlinkedEvalCodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
* bytecompiler/BytecodeGenerator.h:
(CallArguments):
(JSC::BytecodeGenerator::instructions):
(BytecodeGenerator):
* bytecompiler/StaticPropertyAnalysis.h:
(JSC::StaticPropertyAnalysis::create):
(JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
(StaticPropertyAnalysis):
* bytecompiler/StaticPropertyAnalyzer.h:
(StaticPropertyAnalyzer):
(JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* parser/ASTBuilder.h:
(ASTBuilder):
* runtime/ArgList.h:
(MarkedArgumentBuffer):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSort):

Source/WebCore:

Fix exports

* WebCore.exp.in:

Source/WTF:

Add a template parameter to Vector<> that controls whether
bounds checking is performed in release builds or not.
Defaults to crashing on overflow.

* wtf/Forward.h:
(WTF):
* wtf/Vector.h:
(WTF):
(Vector):
(WTF::Vector::at):
(WTF::Vector::removeLast):
(WTF::::Vector):
(WTF::=):
(WTF::::contains):
(WTF::::find):
(WTF::::reverseFind):
(WTF::::fill):
(WTF::::appendRange):
(WTF::::expandCapacity):
(WTF::::tryExpandCapacity):
(WTF::::resize):
(WTF::::shrink):
(WTF::::grow):
(WTF::::reserveCapacity):
(WTF::::tryReserveCapacity):
(WTF::::reserveInitialCapacity):
(WTF::::shrinkCapacity):
(WTF::::append):
(WTF::::tryAppend):
(WTF::::appendSlowCase):
(WTF::::uncheckedAppend):
(WTF::::appendVector):
(WTF::::insert):
(WTF::::prepend):
(WTF::::remove):
(WTF::::reverse):
(WTF::::releaseBuffer):
(WTF::::checkConsistency):
(WTF::deleteAllValues):
(WTF::swap):
(WTF::operator==):
(WTF::operator!=):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@147892 268f45cc-cd09-0410-ab3c-d52691b4dbfc
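The mechanism the commit message describes, a policy template parameter that decides what an out-of-range index does, shown as an added example. This is not WebKit code: `CheckedVector`, the `UnsafeOverflow` and `ThrowOnOverflow` handlers, the `UNLIKELY` macro and the helper functions `sumFirst` and `copyToChecked` are all constructed here for illustration, and `CrashOnOverflow` is a stand-in for the WTF class of the same name. The converting constructor mirrors the patch's `Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)` so a buffer that opted out can still be copied into a checked one.

```cpp
// Added example, not WebKit code: a minimal vector whose out-of-bounds
// behaviour is chosen by a handler policy, in the style of the
// OverflowHandler parameter this patch adds to WTF::Vector.
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <stdexcept>
#include <vector>

#if defined(__GNUC__)
#define UNLIKELY(x) __builtin_expect(!!(x), 0) // stand-in for WTF's UNLIKELY()
#else
#define UNLIKELY(x) (x)
#endif

// Default policy: like WTF's CrashOnOverflow (CRASH()), terminate on a bad index.
struct CrashOnOverflow {
    [[noreturn]] static void overflowed() { std::abort(); }
};

// Opt-out policy: like WTF's UnsafeVectorOverflow, it asserts in debug builds
// and simply returns in release builds, after which at() reads out of bounds.
struct UnsafeOverflow {
    static void overflowed() { assert(false && "index out of bounds"); }
};

// Hypothetical test policy so the check can be exercised without aborting.
struct ThrowOnOverflow {
    [[noreturn]] static void overflowed() { throw std::out_of_range("index out of bounds"); }
};

template<typename T, typename OverflowHandler = CrashOnOverflow>
class CheckedVector {
    template<typename, typename> friend class CheckedVector;
public:
    CheckedVector() = default;

    // Converting copy between handler variants, as the patch allows for Vector.
    template<typename OtherHandler>
    CheckedVector(const CheckedVector<T, OtherHandler>& other) : m_data(other.m_data) {}

    void append(const T& value) { m_data.push_back(value); }
    std::size_t size() const { return m_data.size(); }

    // The bounds check is unconditional; what happens on failure is the policy's call.
    T& at(std::size_t i) {
        if (UNLIKELY(i >= m_data.size()))
            OverflowHandler::overflowed();
        return m_data[i];
    }
    const T& at(std::size_t i) const {
        if (UNLIKELY(i >= m_data.size()))
            OverflowHandler::overflowed();
        return m_data[i];
    }
    T& operator[](std::size_t i) { return at(i); }
    const T& operator[](std::size_t i) const { return at(i); }

private:
    std::vector<T> m_data;
};

// Builds [1..count] and sums its first n elements through operator[].
// Returns -1 when the handler rejects an index instead of reading past the end.
int sumFirst(std::size_t count, std::size_t n) {
    CheckedVector<int, ThrowOnOverflow> v;
    for (std::size_t i = 1; i <= count; ++i)
        v.append(static_cast<int>(i));
    int total = 0;
    try {
        for (std::size_t i = 0; i < n; ++i)
            total += v[i];
    } catch (const std::out_of_range&) {
        return -1;
    }
    return total;
}

// An opted-out scratch buffer handed to code that wants the checked variant;
// the handler is part of the type, so the copy is explicit in the signature.
std::size_t copyToChecked(std::size_t count) {
    CheckedVector<char, UnsafeOverflow> scratch;
    for (std::size_t i = 0; i < count; ++i)
        scratch.append('x');
    CheckedVector<char, ThrowOnOverflow> checked(scratch);
    return checked.size();
}
```

The point of putting the handler in the type is that an opt-out is visible at every declaration and in every function signature that passes the container around, which is why the patch has to touch so many call sites.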

32 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/ARMv7Assembler.h
Source/JavaScriptCore/assembler/AssemblerBuffer.h
Source/JavaScriptCore/assembler/LinkBuffer.cpp
Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
Source/JavaScriptCore/bytecompiler/StaticPropertyAnalysis.h
Source/JavaScriptCore/bytecompiler/StaticPropertyAnalyzer.h
Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
Source/JavaScriptCore/heap/Heap.cpp
Source/JavaScriptCore/heap/Heap.h
Source/JavaScriptCore/parser/ASTBuilder.h
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSONObject.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSString.cpp
Source/JavaScriptCore/runtime/JSStringBuilder.h
Source/JavaScriptCore/runtime/LiteralParser.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/CheckedArithmetic.h
Source/WTF/wtf/Forward.h
Source/WTF/wtf/MemoryInstrumentation.h
Source/WTF/wtf/Vector.h
Source/WTF/wtf/text/StringImpl.h
Source/WTF/wtf/text/WTFString.h
Source/WebCore/ChangeLog
Source/WebCore/WebCore.exp.in

index 8aee092..aa091b2 100644 (file)
@@ -1,3 +1,54 @@
+2013-04-07  Oliver Hunt  <oliver@apple.com>
+
+        Add bounds checking for WTF::Vector::operator[]
+        https://bugs.webkit.org/show_bug.cgi?id=89600
+
+        Reviewed by Filip Pizlo.
+
+        Make a few JSC classes opt-out of release mode bounds checking.
+
+        * assembler/AssemblerBuffer.h:
+        (AssemblerBuffer):
+        * assembler/AssemblerBufferWithConstantPool.h:
+        (AssemblerBufferWithConstantPool):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        (JSC::CodeBlock::bytecodeOffset):
+        (JSC):
+        (JSC::replaceExistingEntries):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
+        (JSC::CodeBlock::callReturnIndexVector):
+        (JSC::CodeBlock::codeOrigins):
+        (RareData):
+        * bytecode/UnlinkedCodeBlock.h:
+        (JSC::UnlinkedEvalCodeBlock::adoptVariables):
+        (UnlinkedEvalCodeBlock):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::emitNewArray):
+        (JSC::BytecodeGenerator::emitCall):
+        (JSC::BytecodeGenerator::emitConstruct):
+        * bytecompiler/BytecodeGenerator.h:
+        (CallArguments):
+        (JSC::BytecodeGenerator::instructions):
+        (BytecodeGenerator):
+        * bytecompiler/StaticPropertyAnalysis.h:
+        (JSC::StaticPropertyAnalysis::create):
+        (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
+        (StaticPropertyAnalysis):
+        * bytecompiler/StaticPropertyAnalyzer.h:
+        (StaticPropertyAnalyzer):
+        (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::link):
+        * parser/ASTBuilder.h:
+        (ASTBuilder):
+        * runtime/ArgList.h:
+        (MarkedArgumentBuffer):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSort):
+
 2013-04-07  Benjamin Poulain  <benjamin@webkit.org>
 
         Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime
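Review bot: the file list in this ChangeLog entry does not match the 32 files the commit touches. It names assembler/AssemblerBufferWithConstantPool.h and runtime/ArgList.h (MarkedArgumentBuffer), neither of which is in the changed-file list, while ARMv7Assembler.h, LinkBuffer.cpp, MacroAssemblerARMv7.h, heap/Heap.cpp, heap/Heap.h, JSArray.cpp, JSONObject.cpp, JSObject.cpp, JSString.cpp, JSStringBuilder.h and LiteralParser.cpp are changed but unlisted. Please regenerate the entry; it is the record of which containers gave up release-mode bounds checking.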
index fa00b49..fd0c2fd 100644 (file)
@@ -2035,7 +2035,7 @@ public:
             offsets[ptr++] = offset;
     }
     
-    Vector<LinkRecord>& jumpsToLink()
+    Vector<LinkRecord, 0, UnsafeVectorOverflow>& jumpsToLink()
     {
         std::sort(m_jumpsToLink.begin(), m_jumpsToLink.end(), linkRecordSourceComparator);
         return m_jumpsToLink;
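Review bot: the spelled-out type Vector<LinkRecord, 0, UnsafeVectorOverflow> now has to agree across jumpsToLink() here, in LinkBuffer::linkCode and in MacroAssemblerARMv7::jumpsToLink(); a single typedef (for example in ARMv7Assembler) would keep the three in sync. A one-line comment on why this vector may skip release-mode checking would also help, since the justification is not visible at any of the three sites.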
index 6bc1b39..54080bd 100644 (file)
@@ -168,7 +168,7 @@ namespace JSC {
         }
 
     private:
-        Vector<char, inlineCapacity> m_storage;
+        Vector<char, inlineCapacity, UnsafeVectorOverflow> m_storage;
         char* m_buffer;
         int m_capacity;
         int m_index;
index c269157..645eba5 100644 (file)
@@ -80,7 +80,7 @@ void LinkBuffer::linkCode(void* ownerUID, JITCompilationEffort effort)
     uint8_t* outData = reinterpret_cast<uint8_t*>(m_code);
     int readPtr = 0;
     int writePtr = 0;
-    Vector<LinkRecord>& jumpsToLink = m_assembler->jumpsToLink();
+    Vector<LinkRecord, 0, UnsafeVectorOverflow>& jumpsToLink = m_assembler->jumpsToLink();
     unsigned jumpCount = jumpsToLink.size();
     for (unsigned i = 0; i < jumpCount; ++i) {
         int offset = readPtr - writePtr;
index 62c46c1..81c1d7e 100644 (file)
@@ -59,7 +59,7 @@ public:
         return value >= -255 && value <= 255;
     }
 
-    Vector<LinkRecord>& jumpsToLink() { return m_assembler.jumpsToLink(); }
+    Vector<LinkRecord, 0, UnsafeVectorOverflow>& jumpsToLink() { return m_assembler.jumpsToLink(); }
     void* unlinkedCode() { return m_assembler.unlinkedCode(); }
     bool canCompact(JumpType jumpType) { return m_assembler.canCompact(jumpType); }
     JumpLinkType computeJumpType(JumpType jumpType, const uint8_t* from, const uint8_t* to) { return m_assembler.computeJumpType(jumpType, from, to); }
index 8e041e2..26ea298 100644 (file)
@@ -1788,7 +1788,7 @@ CodeBlock::CodeBlock(ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlin
     // Copy and translate the UnlinkedInstructions
     size_t instructionCount = unlinkedCodeBlock->instructions().size();
     UnlinkedInstruction* pc = unlinkedCodeBlock->instructions().data();
-    Vector<Instruction> instructions(instructionCount);
+    Vector<Instruction, 0, UnsafeVectorOverflow> instructions(instructionCount);
     for (size_t i = 0; i < unlinkedCodeBlock->instructions().size(); ) {
         unsigned opLength = opcodeLength(pc[i].u.opcode);
         instructions[i] = globalData()->interpreter->getOpcode(pc[i].u.opcode);
@@ -2716,7 +2716,7 @@ unsigned CodeBlock::bytecodeOffset(ExecState* exec, ReturnAddressPtr returnAddre
 #if ENABLE(JIT)
     if (!m_rareData)
         return 1;
-    Vector<CallReturnOffsetToBytecodeOffset>& callIndices = m_rareData->m_callReturnIndexVector;
+    Vector<CallReturnOffsetToBytecodeOffset, 0, UnsafeVectorOverflow>& callIndices = m_rareData->m_callReturnIndexVector;
     if (!callIndices.size())
         return 1;
     
@@ -2780,8 +2780,8 @@ void CodeBlock::clearEvalCache()
     m_rareData->m_evalCodeCache.clear();
 }
 
-template<typename T>
-inline void replaceExistingEntries(Vector<T>& target, Vector<T>& source)
+template<typename T, size_t inlineCapacity, typename U, typename V>
+inline void replaceExistingEntries(Vector<T, inlineCapacity, U>& target, Vector<T, inlineCapacity, V>& source)
 {
     ASSERT(target.size() <= source.size());
     for (size_t i = 0; i < target.size(); ++i)
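Review bot: the loop reads source[i] for every i below target.size(), but only a debug ASSERT guards target.size() <= source.size(); now that source may be an UnsafeVectorOverflow vector, a violated precondition is caught by nothing in release builds. Use RELEASE_ASSERT(target.size() <= source.size()) or bound the loop by the smaller size. Also note the template ties both vectors to the same inlineCapacity; if differing inline capacities should be accepted, give each parameter its own.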
index a1c641d..c70b6a1 100644 (file)
@@ -220,7 +220,7 @@ namespace JSC {
         {
             if (!m_rareData)
                 return 1;
-            Vector<CallReturnOffsetToBytecodeOffset>& callIndices = m_rareData->m_callReturnIndexVector;
+            Vector<CallReturnOffsetToBytecodeOffset, 0, UnsafeVectorOverflow>& callIndices = m_rareData->m_callReturnIndexVector;
             if (!callIndices.size())
                 return 1;
             RELEASE_ASSERT(index < m_rareData->m_callReturnIndexVector.size());
@@ -748,7 +748,7 @@ namespace JSC {
         bool hasExpressionInfo() { return m_unlinkedCode->hasExpressionInfo(); }
 
 #if ENABLE(JIT)
-        Vector<CallReturnOffsetToBytecodeOffset>& callReturnIndexVector()
+        Vector<CallReturnOffsetToBytecodeOffset, 0, UnsafeVectorOverflow>& callReturnIndexVector()
         {
             createRareDataIfNecessary();
             return m_rareData->m_callReturnIndexVector;
@@ -762,7 +762,7 @@ namespace JSC {
             return m_rareData->m_inlineCallFrames;
         }
         
-        Vector<CodeOriginAtCallReturnOffset>& codeOrigins()
+        Vector<CodeOriginAtCallReturnOffset, 0, UnsafeVectorOverflow>& codeOrigins()
         {
             createRareDataIfNecessary();
             return m_rareData->m_codeOrigins;
@@ -1283,11 +1283,11 @@ namespace JSC {
             EvalCodeCache m_evalCodeCache;
 
 #if ENABLE(JIT)
-            Vector<CallReturnOffsetToBytecodeOffset> m_callReturnIndexVector;
+            Vector<CallReturnOffsetToBytecodeOffset, 0, UnsafeVectorOverflow> m_callReturnIndexVector;
 #endif
 #if ENABLE(DFG_JIT)
             SegmentedVector<InlineCallFrame, 4> m_inlineCallFrames;
-            Vector<CodeOriginAtCallReturnOffset> m_codeOrigins;
+            Vector<CodeOriginAtCallReturnOffset, 0, UnsafeVectorOverflow> m_codeOrigins;
 #endif
         };
 #if COMPILER(MSVC)
index 8cb29f9..4d7678d 100644 (file)
@@ -658,7 +658,7 @@ public:
 
     const Identifier& variable(unsigned index) { return m_variables[index]; }
     unsigned numVariables() { return m_variables.size(); }
-    void adoptVariables(Vector<Identifier>& variables)
+    void adoptVariables(Vector<Identifier, 0, UnsafeVectorOverflow>& variables)
     {
         ASSERT(m_variables.isEmpty());
         m_variables.swap(variables);
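Review bot: variable(unsigned index) at the top of this hunk returns m_variables[index] with no check of its own, and m_variables becomes an UnsafeVectorOverflow vector in the following hunk, so a bad index from any caller is no longer caught in release builds. Either keep m_variables on the checked default or add RELEASE_ASSERT(index < m_variables.size()) in variable().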
@@ -670,7 +670,7 @@ private:
     {
     }
 
-    Vector<Identifier> m_variables;
+    Vector<Identifier, 0, UnsafeVectorOverflow> m_variables;
 
 public:
     static Structure* createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue proto)
index 4ae7fb2..b4a7e9f 100644 (file)
@@ -276,7 +276,7 @@ BytecodeGenerator::BytecodeGenerator(JSGlobalData& globalData, JSScope* scope, F
     bool shouldCaptureAllTheThings = m_shouldEmitDebugHooks || codeBlock->usesEval();
 
     bool capturesAnyArgumentByName = false;
-    Vector<RegisterID*> capturedArguments;
+    Vector<RegisterID*, 0, UnsafeVectorOverflow> capturedArguments;
     if (functionBody->hasCapturedVariables() || shouldCaptureAllTheThings) {
         FunctionParameters& parameters = *functionBody->parameters();
         capturedArguments.resize(parameters.size());
@@ -441,7 +441,7 @@ BytecodeGenerator::BytecodeGenerator(JSGlobalData& globalData, JSScope* scope, E
 
     const DeclarationStacks::VarStack& varStack = evalNode->varStack();
     unsigned numVariables = varStack.size();
-    Vector<Identifier> variables;
+    Vector<Identifier, 0, UnsafeVectorOverflow> variables;
     variables.reserveCapacity(numVariables);
     for (size_t i = 0; i < numVariables; ++i)
         variables.append(*varStack[i].first);
@@ -1662,7 +1662,7 @@ RegisterID* BytecodeGenerator::emitNewArray(RegisterID* dst, ElementNode* elemen
         }
     }
 
-    Vector<RefPtr<RegisterID>, 16> argv;
+    Vector<RefPtr<RegisterID>, 16, UnsafeVectorOverflow> argv;
     for (ElementNode* n = elements; n; n = n->next()) {
         if (n->elision())
             break;
@@ -1849,7 +1849,7 @@ RegisterID* BytecodeGenerator::emitCall(OpcodeID opcodeID, RegisterID* dst, Regi
         emitNode(callArguments.argumentRegister(argument++), n);
 
     // Reserve space for call frame.
-    Vector<RefPtr<RegisterID>, JSStack::CallFrameHeaderSize> callFrame;
+    Vector<RefPtr<RegisterID>, JSStack::CallFrameHeaderSize, UnsafeVectorOverflow> callFrame;
     for (int i = 0; i < JSStack::CallFrameHeaderSize; ++i)
         callFrame.append(newTemporary());
 
@@ -1972,7 +1972,7 @@ RegisterID* BytecodeGenerator::emitConstruct(RegisterID* dst, RegisterID* func,
     }
 
     // Reserve space for call frame.
-    Vector<RefPtr<RegisterID>, JSStack::CallFrameHeaderSize> callFrame;
+    Vector<RefPtr<RegisterID>, JSStack::CallFrameHeaderSize, UnsafeVectorOverflow> callFrame;
     for (int i = 0; i < JSStack::CallFrameHeaderSize; ++i)
         callFrame.append(newTemporary());
 
index 5d5c0e4..fa72cc6 100644 (file)
@@ -76,7 +76,7 @@ namespace JSC {
 
         RefPtr<RegisterID> m_profileHookRegister;
         ArgumentsNode* m_argumentsNode;
-        Vector<RefPtr<RegisterID>, 8> m_argv;
+        Vector<RefPtr<RegisterID>, 8, UnsafeVectorOverflow> m_argv;
     };
 
     struct FinallyContext {
@@ -656,7 +656,7 @@ namespace JSC {
         RegisterID* emitInitLazyRegister(RegisterID*);
 
     public:
-        Vector<UnlinkedInstruction>& instructions() { return m_instructions; }
+        Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>& instructions() { return m_instructions; }
 
         SharedSymbolTable& symbolTable() { return *m_symbolTable; }
 
@@ -691,7 +691,7 @@ namespace JSC {
         void createActivationIfNecessary();
         RegisterID* createLazyRegisterIfNecessary(RegisterID*);
         
-        Vector<UnlinkedInstruction> m_instructions;
+        Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow> m_instructions;
 
         bool m_shouldEmitDebugHooks;
         bool m_shouldEmitProfileHooks;
@@ -721,7 +721,7 @@ namespace JSC {
         int m_dynamicScopeDepth;
         CodeType m_codeType;
 
-        Vector<ControlFlowContext> m_scopeContextStack;
+        Vector<ControlFlowContext, 0, UnsafeVectorOverflow> m_scopeContextStack;
         Vector<SwitchInfo> m_switchContextStack;
         Vector<ForInContext> m_forInContextStack;
         Vector<TryContext> m_tryContextStack;
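Review bot: m_scopeContextStack opts out while m_switchContextStack, m_forInContextStack and m_tryContextStack directly below stay checked. If the scope stack is the only one indexed on a hot path that is fine, but the split reads as accidental; a short comment saying why, or making all four consistent, would settle it.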
index 607c0ff..78ee17a 100644 (file)
@@ -35,7 +35,7 @@ namespace JSC {
 // Reference count indicates number of live registers that alias this object.
 class StaticPropertyAnalysis : public RefCounted<StaticPropertyAnalysis> {
 public:
-    static PassRefPtr<StaticPropertyAnalysis> create(Vector<UnlinkedInstruction>* instructions, unsigned target)
+    static PassRefPtr<StaticPropertyAnalysis> create(Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>* instructions, unsigned target)
     {
         return adoptRef(new StaticPropertyAnalysis(instructions, target)); 
     }
@@ -50,13 +50,13 @@ public:
     int propertyIndexCount() { return m_propertyIndexes.size(); }
 
 private:
-    StaticPropertyAnalysis(Vector<UnlinkedInstruction>* instructions, unsigned target)
+    StaticPropertyAnalysis(Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>* instructions, unsigned target)
         : m_instructions(instructions)
         , m_target(target)
     {
     }
 
-    Vector<UnlinkedInstruction>* m_instructions;
+    Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>* m_instructions;
     unsigned m_target;
     typedef HashSet<unsigned, WTF::IntHash<unsigned>, WTF::UnsignedWithZeroKeyHashTraits<unsigned> > PropertyIndexSet;
     PropertyIndexSet m_propertyIndexes;
index 5afe035..c1246b4 100644 (file)
@@ -36,7 +36,7 @@ namespace JSC {
 // is understood to be lossy, and it's OK if it turns out to be wrong sometimes.
 class StaticPropertyAnalyzer {
 public:
-    StaticPropertyAnalyzer(Vector<UnlinkedInstruction>*);
+    StaticPropertyAnalyzer(Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>*);
 
     void createThis(int dst, unsigned offsetOfInlineCapacityOperand);
     void newObject(int dst, unsigned offsetOfInlineCapacityOperand);
@@ -49,12 +49,12 @@ public:
 private:
     void kill(StaticPropertyAnalysis*);
 
-    Vector<UnlinkedInstruction>* m_instructions;
+    Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>* m_instructions;
     typedef HashMap<int, RefPtr<StaticPropertyAnalysis>, WTF::IntHash<int>, WTF::UnsignedWithZeroKeyHashTraits<int> > AnalysisMap;
     AnalysisMap m_analyses;
 };
 
-inline StaticPropertyAnalyzer::StaticPropertyAnalyzer(Vector<UnlinkedInstruction>* instructions)
+inline StaticPropertyAnalyzer::StaticPropertyAnalyzer(Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>* instructions)
     : m_instructions(instructions)
 {
 }
index 92b959e..f7f43e3 100644 (file)
@@ -162,7 +162,7 @@ void JITCompiler::link(LinkBuffer& linkBuffer)
         m_codeBlock->callReturnIndexVector().append(CallReturnOffsetToBytecodeOffset(returnAddressOffset, exceptionInfo));
     }
 
-    Vector<CodeOriginAtCallReturnOffset>& codeOrigins = m_codeBlock->codeOrigins();
+    Vector<CodeOriginAtCallReturnOffset, 0, UnsafeVectorOverflow>& codeOrigins = m_codeBlock->codeOrigins();
     codeOrigins.resize(m_exceptionChecks.size());
     
     for (unsigned i = 0; i < m_exceptionChecks.size(); ++i) {
index b4264b3..05b40ff 100644 (file)
@@ -363,12 +363,12 @@ void Heap::markProtectedObjects(HeapRootVisitor& heapRootVisitor)
         heapRootVisitor.visit(&it->key);
 }
 
-void Heap::pushTempSortVector(Vector<ValueStringPair>* tempVector)
+void Heap::pushTempSortVector(Vector<ValueStringPair, 0, UnsafeVectorOverflow>* tempVector)
 {
     m_tempSortingVectors.append(tempVector);
 }
 
-void Heap::popTempSortVector(Vector<ValueStringPair>* tempVector)
+void Heap::popTempSortVector(Vector<ValueStringPair, 0, UnsafeVectorOverflow>* tempVector)
 {
     ASSERT_UNUSED(tempVector, tempVector == m_tempSortingVectors.last());
     m_tempSortingVectors.removeLast();
@@ -376,11 +376,11 @@ void Heap::popTempSortVector(Vector<ValueStringPair>* tempVector)
 
 void Heap::markTempSortVectors(HeapRootVisitor& heapRootVisitor)
 {
-    typedef Vector<Vector<ValueStringPair>* > VectorOfValueStringVectors;
+    typedef Vector<Vector<ValueStringPair, 0, UnsafeVectorOverflow>* > VectorOfValueStringVectors;
 
     VectorOfValueStringVectors::iterator end = m_tempSortingVectors.end();
     for (VectorOfValueStringVectors::iterator it = m_tempSortingVectors.begin(); it != end; ++it) {
-        Vector<ValueStringPair>* tempSortingVector = *it;
+        Vector<ValueStringPair, 0, UnsafeVectorOverflow>* tempSortingVector = *it;
 
         Vector<ValueStringPair>::iterator vectorEnd = tempSortingVector->end();
         for (Vector<ValueStringPair>::iterator vectorIt = tempSortingVector->begin(); vectorIt != vectorEnd; ++vectorIt) {
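Review bot: the two iterator declarations at the end of this hunk still spell Vector<ValueStringPair>::iterator while tempSortingVector is now a Vector<ValueStringPair, 0, UnsafeVectorOverflow>*. This compiles only because both iterator types happen to be T*; introduce a typedef for the element vector type next to VectorOfValueStringVectors and use its ::iterator so the two cannot drift apart.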
index a342cbb..2cafd57 100644 (file)
@@ -150,8 +150,8 @@ namespace JSC {
         JS_EXPORT_PRIVATE PassOwnPtr<TypeCountSet> objectTypeCounts();
         void showStatistics();
 
-        void pushTempSortVector(Vector<ValueStringPair>*);
-        void popTempSortVector(Vector<ValueStringPair>*);
+        void pushTempSortVector(Vector<ValueStringPair, 0, UnsafeVectorOverflow>*);
+        void popTempSortVector(Vector<ValueStringPair, 0, UnsafeVectorOverflow>*);
     
         HashSet<MarkedArgumentBuffer*>& markListSet() { if (!m_markListSet) m_markListSet = adoptPtr(new HashSet<MarkedArgumentBuffer*>); return *m_markListSet; }
         
@@ -242,7 +242,7 @@ namespace JSC {
 #endif
 
         ProtectCountSet m_protectedValues;
-        Vector<Vector<ValueStringPair>* > m_tempSortingVectors;
+        Vector<Vector<ValueStringPair, 0, UnsafeVectorOverflow>* > m_tempSortingVectors;
         OwnPtr<HashSet<MarkedArgumentBuffer*> > m_markListSet;
 
         MachineThreads m_machineThreads;
index 8924c2a..f76f01d 100644 (file)
@@ -654,10 +654,10 @@ private:
     JSGlobalData* m_globalData;
     SourceCode* m_sourceCode;
     Scope m_scope;
-    Vector<BinaryOperand, 10> m_binaryOperandStack;
-    Vector<AssignmentInfo, 10> m_assignmentInfoStack;
-    Vector<pair<int, int>, 10> m_binaryOperatorStack;
-    Vector<pair<int, int>, 10> m_unaryTokenStack;
+    Vector<BinaryOperand, 10, UnsafeVectorOverflow> m_binaryOperandStack;
+    Vector<AssignmentInfo, 10, UnsafeVectorOverflow> m_assignmentInfoStack;
+    Vector<pair<int, int>, 10, UnsafeVectorOverflow> m_binaryOperatorStack;
+    Vector<pair<int, int>, 10, UnsafeVectorOverflow> m_unaryTokenStack;
     int m_evalCount;
 };
 
index 2152fbc..137bb18 100644 (file)
@@ -749,7 +749,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncSort(ExecState* exec)
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
 
-    Vector<uint32_t> keys;
+    Vector<uint32_t, 0, UnsafeVectorOverflow> keys;
     for (size_t i = 0; i < nameArray.size(); ++i) {
         PropertyName name = nameArray[i];
         uint32_t index = name.asIndex();
index 7c717ba..5f81229 100644 (file)
@@ -349,7 +349,7 @@ bool JSArray::setLengthWithArrayStorage(ExecState* exec, unsigned newLength, boo
 
         if (newLength < length) {
             // Copy any keys we might be interested in into a vector.
-            Vector<unsigned> keys;
+            Vector<unsigned, 0, UnsafeVectorOverflow> keys;
             keys.reserveInitialCapacity(min(map->size(), static_cast<size_t>(length - newLength)));
             SparseArrayValueMap::const_iterator end = map->end();
             for (SparseArrayValueMap::const_iterator it = map->begin(); it != end; ++it) {
@@ -1101,7 +1101,7 @@ void JSArray::sortCompactedVector(ExecState* exec, ContiguousData<StorageType> d
     // buffer. Besides, this protects us from crashing if some objects have custom toString methods that return
     // random or otherwise changing results, effectively making compare function inconsistent.
         
-    Vector<ValueStringPair> values(relevantLength);
+    Vector<ValueStringPair, 0, UnsafeVectorOverflow> values(relevantLength);
     if (!values.begin()) {
         throwOutOfMemoryError(exec);
         return;
@@ -1247,7 +1247,7 @@ struct AVLTreeAbstractorForArrayCompare {
     typedef JSValue key;
     typedef int32_t size;
 
-    Vector<AVLTreeNodeForArrayCompare> m_nodes;
+    Vector<AVLTreeNodeForArrayCompare, 0, UnsafeVectorOverflow> m_nodes;
     ExecState* m_exec;
     JSValue m_compareFunction;
     CallType m_compareCallType;
index 41f0e51..f78c5d7 100644 (file)
@@ -127,7 +127,7 @@ private:
     CallData m_replacerCallData;
     const String m_gap;
 
-    Vector<Holder, 16> m_holderStack;
+    Vector<Holder, 16, UnsafeVectorOverflow> m_holderStack;
     String m_repeatedGap;
     String m_indent;
 };
@@ -645,12 +645,12 @@ enum WalkerState { StateUnknown, ArrayStartState, ArrayStartVisitMember, ArrayEn
                                  ObjectStartState, ObjectStartVisitMember, ObjectEndVisitMember };
 NEVER_INLINE JSValue Walker::walk(JSValue unfiltered)
 {
-    Vector<PropertyNameArray, 16> propertyStack;
-    Vector<uint32_t, 16> indexStack;
+    Vector<PropertyNameArray, 16, UnsafeVectorOverflow> propertyStack;
+    Vector<uint32_t, 16, UnsafeVectorOverflow> indexStack;
     LocalStack<JSObject, 16> objectStack(m_exec->globalData());
     LocalStack<JSArray, 16> arrayStack(m_exec->globalData());
     
-    Vector<WalkerState, 16> stateStack;
+    Vector<WalkerState, 16, UnsafeVectorOverflow> stateStack;
     WalkerState state = StateUnknown;
     JSValue inValue = unfiltered;
     JSValue outValue = jsNull();
index d177e32..1bfe8d2 100644 (file)
@@ -1506,7 +1506,7 @@ void JSObject::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNa
         }
         
         if (SparseArrayValueMap* map = storage->m_sparseMap.get()) {
-            Vector<unsigned> keys;
+            Vector<unsigned, 0, UnsafeVectorOverflow> keys;
             keys.reserveInitialCapacity(map->size());
             
             SparseArrayValueMap::const_iterator end = map->end();
index dc369ca..e18d8ba 100644 (file)
@@ -154,7 +154,7 @@ void JSRopeString::resolveRope(ExecState* exec) const
 void JSRopeString::resolveRopeSlowCase8(LChar* buffer) const
 {
     LChar* position = buffer + m_length; // We will be working backwards over the rope.
-    Vector<JSString*, 32> workQueue; // Putting strings into a Vector is only OK because there are no GC points in this method.
+    Vector<JSString*, 32, UnsafeVectorOverflow> workQueue; // Putting strings into a Vector is only OK because there are no GC points in this method.
     
     for (size_t i = 0; i < s_maxInternalRopeLength && m_fibers[i]; ++i) {
         workQueue.append(m_fibers[i].get());
@@ -186,7 +186,7 @@ void JSRopeString::resolveRopeSlowCase8(LChar* buffer) const
 void JSRopeString::resolveRopeSlowCase(UChar* buffer) const
 {
     UChar* position = buffer + m_length; // We will be working backwards over the rope.
-    Vector<JSString*, 32> workQueue; // These strings are kept alive by the parent rope, so using a Vector is OK.
+    Vector<JSString*, 32, UnsafeVectorOverflow> workQueue; // These strings are kept alive by the parent rope, so using a Vector is OK.
 
     for (size_t i = 0; i < s_maxInternalRopeLength && m_fibers[i]; ++i)
         workQueue.append(m_fibers[i].get());
index e7778e4..5d4960e 100644 (file)
@@ -137,8 +137,8 @@ public:
     }
 
 protected:
-    Vector<LChar, 64> buffer8;
-    Vector<UChar, 64> buffer16;
+    Vector<LChar, 64, UnsafeVectorOverflow> buffer8;
+    Vector<UChar, 64, UnsafeVectorOverflow> buffer16;
     bool m_okay;
     bool m_is8Bit;
 };
index 3d6926c..47f8020 100644 (file)
@@ -546,8 +546,8 @@ JSValue LiteralParser<CharType>::parse(ParserState initialState)
     ParserState state = initialState;
     MarkedArgumentBuffer objectStack;
     JSValue lastValue;
-    Vector<ParserState, 16> stateStack;
-    Vector<Identifier, 16> identifierStack;
+    Vector<ParserState, 16, UnsafeVectorOverflow> stateStack;
+    Vector<Identifier, 16, UnsafeVectorOverflow> identifierStack;
     while (1) {
         switch(state) {
             startParseArray:
index 75445e9..0947da2 100644 (file)
@@ -1,3 +1,53 @@
+2013-04-07  Oliver Hunt  <oliver@apple.com>
+
+        Add bounds checking for WTF::Vector::operator[]
+        https://bugs.webkit.org/show_bug.cgi?id=89600
+
+        Reviewed by Filip Pizlo.
+
+        Add a template parameter to Vector<> that controls whether
+        bounds checking is performed in release builds or not.
+        Defaults to crashing on overflow.
+
+        * wtf/Forward.h:
+        (WTF):
+        * wtf/Vector.h:
+        (WTF):
+        (Vector):
+        (WTF::Vector::at):
+        (WTF::Vector::removeLast):
+        (WTF::::Vector):
+        (WTF::=):
+        (WTF::::contains):
+        (WTF::::find):
+        (WTF::::reverseFind):
+        (WTF::::fill):
+        (WTF::::appendRange):
+        (WTF::::expandCapacity):
+        (WTF::::tryExpandCapacity):
+        (WTF::::resize):
+        (WTF::::shrink):
+        (WTF::::grow):
+        (WTF::::reserveCapacity):
+        (WTF::::tryReserveCapacity):
+        (WTF::::reserveInitialCapacity):
+        (WTF::::shrinkCapacity):
+        (WTF::::append):
+        (WTF::::tryAppend):
+        (WTF::::appendSlowCase):
+        (WTF::::uncheckedAppend):
+        (WTF::::appendVector):
+        (WTF::::insert):
+        (WTF::::prepend):
+        (WTF::::remove):
+        (WTF::::reverse):
+        (WTF::::releaseBuffer):
+        (WTF::::checkConsistency):
+        (WTF::deleteAllValues):
+        (WTF::swap):
+        (WTF::operator==):
+        (WTF::operator!=):
+
 2013-04-07  Patrick Gansterer  <paroga@webkit.org>
 
         [WIN] Fix problems with export macros of AutodrainedPool
index 4a79944..dd4acbb 100644 (file)
@@ -74,8 +74,8 @@ ENUM_CLASS(CheckedState)
 } ENUM_CLASS_END(CheckedState);
     
 class CrashOnOverflow {
-protected:
-    NO_RETURN_DUE_TO_CRASH void overflowed()
+public:
+    static NO_RETURN_DUE_TO_CRASH void overflowed()
     {
         CRASH();
     }
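Review bot: making overflowed() public and static is required because Vector calls OverflowHandler::overflowed() with no instance, but it changes the contract for every class that uses CrashOnOverflow as a base; any other handler that is to be usable with Vector must now expose the same public static overflowed(), so that requirement belongs in a comment here or on the Vector template.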
index 5c2acfe..a456d4c 100644 (file)
@@ -24,6 +24,7 @@
 #include <stddef.h>
 
 namespace WTF {
+
     template<typename T> class Function;
     template<typename T> class ListRefPtr;
     template<typename T> class OwnArrayPtr;
@@ -32,7 +33,7 @@ namespace WTF {
     template<typename T> class PassOwnPtr;
     template<typename T> class PassRefPtr;
     template<typename T> class RefPtr;
-    template<typename T, size_t inlineCapacity> class Vector;
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> class Vector;
     
     class ArrayBuffer;
     class ArrayBufferView;
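Review bot: the blank line inserted after namespace WTF { is an unrelated whitespace change; drop it. The forward declaration itself is right to omit the default arguments, which must appear on exactly one declaration, the definition in Vector.h.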
index a169821..4890870 100644 (file)
@@ -329,8 +329,8 @@ void MemoryInstrumentation::Wrapper<T>::callReportMemoryUsage(MemoryObjectInfo*
 }
 
 // Link time guard for classes with external memory instrumentation.
-template<typename T, size_t inlineCapacity> class Vector;
-template<typename T, size_t inlineCapacity> void reportMemoryUsage(const Vector<T, inlineCapacity>*, MemoryObjectInfo*);
+template<typename T, size_t inlineCapacity, typename OverflowHandler> class Vector;
+template<typename T, size_t inlineCapacity, typename OverflowHandler> void reportMemoryUsage(const Vector<T, inlineCapacity, OverflowHandler>*, MemoryObjectInfo*);
 
 template<typename KeyArg, typename MappedArg, typename HashArg, typename KeyTraitsArg, typename MappedTraitsArg> class HashMap;
 template<typename KeyArg, typename MappedArg, typename HashArg, typename KeyTraitsArg, typename MappedTraitsArg> void reportMemoryUsage(const HashMap<KeyArg, MappedArg, HashArg, KeyTraitsArg, MappedTraitsArg>*, MemoryObjectInfo*);
index 8f8ce89..057108a 100644 (file)
@@ -22,7 +22,9 @@
 #define WTF_Vector_h
 
 #include <wtf/Alignment.h>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/FastAllocBase.h>
+#include <wtf/Forward.h>
 #include <wtf/Noncopyable.h>
 #include <wtf/NotFound.h>
 #include <wtf/StdLibExtras.h>
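Review bot: Vector.h now includes CheckedArithmetic.h for CrashOnOverflow and Checked<>; please confirm CheckedArithmetic.h does not itself include Vector.h (directly or through Forward.h), otherwise this becomes a circular include that only works by accident of include order.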
@@ -496,8 +498,15 @@ namespace WTF {
 
         AlignedBuffer<m_inlineBufferSize, WTF_ALIGN_OF(T)> m_inlineBuffer;
     };
+    
+    struct UnsafeVectorOverflow {
+        static NO_RETURN_DUE_TO_ASSERT void overflowed()
+        {
+            ASSERT_NOT_REACHED();
+        }
+    };
 
-    template<typename T, size_t inlineCapacity = 0>
+    template<typename T, size_t inlineCapacity = 0, typename OverflowHandler = CrashOnOverflow>
     class Vector {
         WTF_MAKE_FAST_ALLOCATED;
     private:
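Review bot: UnsafeVectorOverflow needs a comment stating what it does in release builds. ASSERT_NOT_REACHED() compiles away there, so overflowed() simply returns and the caller in at() goes on to index m_buffer out of bounds; NO_RETURN_DUE_TO_ASSERT only describes debug builds. Say explicitly that this handler exists so that a few hot-path classes can opt out of release-mode checking, that it must only be used where every index is already proven in range, and that CrashOnOverflow (from the newly included wtf/CheckedArithmetic.h) stays the default for everything else. A one-line comment above the struct such as `// Opt-out handler: no bounds check in release builds; only for callers that validate indices themselves.` would do.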
@@ -532,12 +541,12 @@ namespace WTF {
         }
 
         Vector(const Vector&);
-        template<size_t otherCapacity
-        Vector(const Vector<T, otherCapacity>&);
+        template<size_t otherCapacity, typename otherOverflowBehaviour>
+        Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&);
 
         Vector& operator=(const Vector&);
-        template<size_t otherCapacity
-        Vector& operator=(const Vector<T, otherCapacity>&);
+        template<size_t otherCapacity, typename otherOverflowBehaviour>
+        Vector& operator=(const Vector<T, otherCapacity, otherOverflowBehaviour>&);
 
 #if COMPILER_SUPPORTS(CXX_RVALUE_REFERENCES)
         Vector(Vector&&);
@@ -549,18 +558,32 @@ namespace WTF {
         bool isEmpty() const { return !size(); }
 
         T& at(size_t i) 
-        { 
-            ASSERT_WITH_SECURITY_IMPLICATION(i < size());
+        {
+            if (UNLIKELY(i >= size()))
+                OverflowHandler::overflowed();
             return m_buffer.buffer()[i]; 
         }
         const T& at(size_t i) const 
         {
-            ASSERT_WITH_SECURITY_IMPLICATION(i < size());
+            if (UNLIKELY(i >= size()))
+                OverflowHandler::overflowed();
             return m_buffer.buffer()[i]; 
         }
+        T& at(Checked<size_t> i)
+        {
+            RELEASE_ASSERT(i < size());
+            return m_buffer.buffer()[i];
+        }
+        const T& at(Checked<size_t> i) const
+        {
+            RELEASE_ASSERT(i < size());
+            return m_buffer.buffer()[i];
+        }
 
         T& operator[](size_t i) { return at(i); }
         const T& operator[](size_t i) const { return at(i); }
+        T& operator[](Checked<size_t> i) { return at(i); }
+        const T& operator[](Checked<size_t> i) const { return at(i); }
 
         T* data() { return m_buffer.buffer(); }
         const T* data() const { return m_buffer.buffer(); }
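Review bot: the two Checked<size_t> overloads of at() bypass the OverflowHandler policy that the size_t overloads directly above them introduce. They call RELEASE_ASSERT(i < size()) unconditionally, so a Vector instantiated with UnsafeVectorOverflow still crashes in release when indexed through a Checked index, while the same vector silently reads out of bounds when indexed with a plain size_t; route both through `OverflowHandler::overflowed()`, or add a comment saying why the Checked path is always fatal. Separately, `i < size()` and `m_buffer.buffer()[i]` rely on Checked<size_t> comparing against and converting to size_t; because these are member templates they are only compiled when instantiated, so either add a caller that exercises them or extract the raw index explicitly after the check (for example with `i.unsafeGet()`, assuming that accessor is what CheckedArithmetic.h provides for this).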
@@ -615,7 +638,8 @@ namespace WTF {
 
         void removeLast() 
         {
-            ASSERT(!isEmpty());
+            if (UNLIKELY(isEmpty()))
+                OverflowHandler::overflowed();
             shrink(size() - 1); 
         }
 
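Review bot: removeLast() reuses overflowed() for an underflow condition, and with UnsafeVectorOverflow in a release build that is unsafe: overflowed() returns, `shrink(size() - 1)` is then called with size() == 0, the argument wraps to SIZE_MAX, and shrink()'s own `ASSERT(size <= m_size)` (further down in this patch) is also compiled out, so m_size ends up as SIZE_MAX with nothing catching it. removeLast() is not an indexing hot path, so keep a RELEASE_ASSERT(!isEmpty()) here regardless of the handler, or at minimum document that opt-out vectors must never call removeLast() when empty.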
@@ -634,7 +658,7 @@ namespace WTF {
 
         T* releaseBuffer();
 
-        void swap(Vector<T, inlineCapacity>& other)
+        void swap(Vector<T, inlineCapacity, OverflowHandler>& other)
         {
             std::swap(m_size, other.m_size);
             m_buffer.swap(other.m_buffer);
@@ -656,8 +680,8 @@ namespace WTF {
         Buffer m_buffer;
     };
 
-    template<typename T, size_t inlineCapacity>
-    Vector<T, inlineCapacity>::Vector(const Vector& other)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    Vector<T, inlineCapacity, OverflowHandler>::Vector(const Vector& other)
         : m_size(other.size())
         , m_buffer(other.capacity())
     {
@@ -665,9 +689,9 @@ namespace WTF {
             TypeOperations::uninitializedCopy(other.begin(), other.end(), begin());
     }
 
-    template<typename T, size_t inlineCapacity>
-    template<size_t otherCapacity
-    Vector<T, inlineCapacity>::Vector(const Vector<T, otherCapacity>& other)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    template<size_t otherCapacity, typename otherOverflowBehaviour>
+    Vector<T, inlineCapacity, OverflowHandler>::Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>& other)
         : m_size(other.size())
         , m_buffer(other.capacity())
     {
@@ -675,8 +699,8 @@ namespace WTF {
             TypeOperations::uninitializedCopy(other.begin(), other.end(), begin());
     }
 
-    template<typename T, size_t inlineCapacity>
-    Vector<T, inlineCapacity>& Vector<T, inlineCapacity>::operator=(const Vector<T, inlineCapacity>& other)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    Vector<T, inlineCapacity, OverflowHandler>& Vector<T, inlineCapacity, OverflowHandler>::operator=(const Vector<T, inlineCapacity, OverflowHandler>& other)
     {
         if (&other == this)
             return *this;
@@ -705,9 +729,9 @@ namespace WTF {
 
     inline bool typelessPointersAreEqual(const void* a, const void* b) { return a == b; }
 
-    template<typename T, size_t inlineCapacity>
-    template<size_t otherCapacity
-    Vector<T, inlineCapacity>& Vector<T, inlineCapacity>::operator=(const Vector<T, otherCapacity>& other)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    template<size_t otherCapacity, typename otherOverflowBehaviour>
+    Vector<T, inlineCapacity, OverflowHandler>& Vector<T, inlineCapacity, OverflowHandler>::operator=(const Vector<T, otherCapacity, otherOverflowBehaviour>& other)
     {
         // If the inline capacities match, we should call the more specific
         // template.  If the inline capacities don't match, the two objects
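Review bot: the comment that opens this operator= ("If the inline capacities match, we should call the more specific template. If the inline capacities don't match, the two objects ...") is now incomplete. With the added otherOverflowBehaviour parameter this generic template is also selected when the inline capacities match but the overflow handlers differ, for instance when assigning a Vector<T, 0, UnsafeVectorOverflow> to a Vector<T, 0, CrashOnOverflow>. Update the comment to say that both template arguments must match for the more specific overload to apply, and re-check that the reasoning in the rest of the comment still holds when only the handler differs.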
@@ -737,8 +761,8 @@ namespace WTF {
     }
 
 #if COMPILER_SUPPORTS(CXX_RVALUE_REFERENCES)
-    template<typename T, size_t inlineCapacity>
-    Vector<T, inlineCapacity>::Vector(Vector<T, inlineCapacity>&& other)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    Vector<T, inlineCapacity, OverflowHandler>::Vector(Vector<T, inlineCapacity, OverflowHandler>&& other)
         : m_size(0)
     {
         // It's a little weird to implement a move constructor using swap but this way we
@@ -746,24 +770,24 @@ namespace WTF {
         swap(other);
     }
 
-    template<typename T, size_t inlineCapacity>
-    Vector<T, inlineCapacity>& Vector<T, inlineCapacity>::operator=(Vector<T, inlineCapacity>&& other)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    Vector<T, inlineCapacity, OverflowHandler>& Vector<T, inlineCapacity, OverflowHandler>::operator=(Vector<T, inlineCapacity, OverflowHandler>&& other)
     {
         swap(other);
         return *this;
     }
 #endif
 
-    template<typename T, size_t inlineCapacity>
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
     template<typename U>
-    bool Vector<T, inlineCapacity>::contains(const U& value) const
+    bool Vector<T, inlineCapacity, OverflowHandler>::contains(const U& value) const
     {
         return find(value) != notFound;
     }
  
-    template<typename T, size_t inlineCapacity>
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
     template<typename U>
-    size_t Vector<T, inlineCapacity>::find(const U& value) const
+    size_t Vector<T, inlineCapacity, OverflowHandler>::find(const U& value) const
     {
         for (size_t i = 0; i < size(); ++i) {
             if (at(i) == value)
@@ -772,9 +796,9 @@ namespace WTF {
         return notFound;
     }
 
-    template<typename T, size_t inlineCapacity>
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
     template<typename U>
-    size_t Vector<T, inlineCapacity>::reverseFind(const U& value) const
+    size_t Vector<T, inlineCapacity, OverflowHandler>::reverseFind(const U& value) const
     {
         for (size_t i = 1; i <= size(); ++i) {
             const size_t index = size() - i;
@@ -784,8 +808,8 @@ namespace WTF {
         return notFound;
     }
 
-    template<typename T, size_t inlineCapacity>
-    void Vector<T, inlineCapacity>::fill(const T& val, size_t newSize)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void Vector<T, inlineCapacity, OverflowHandler>::fill(const T& val, size_t newSize)
     {
         if (size() > newSize)
             shrink(newSize);
@@ -801,22 +825,22 @@ namespace WTF {
         m_size = newSize;
     }
 
-    template<typename T, size_t inlineCapacity>
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
     template<typename Iterator>
-    void Vector<T, inlineCapacity>::appendRange(Iterator start, Iterator end)
+    void Vector<T, inlineCapacity, OverflowHandler>::appendRange(Iterator start, Iterator end)
     {
         for (Iterator it = start; it != end; ++it)
             append(*it);
     }
 
-    template<typename T, size_t inlineCapacity>
-    void Vector<T, inlineCapacity>::expandCapacity(size_t newMinCapacity)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void Vector<T, inlineCapacity, OverflowHandler>::expandCapacity(size_t newMinCapacity)
     {
         reserveCapacity(std::max(newMinCapacity, std::max(static_cast<size_t>(16), capacity() + capacity() / 4 + 1)));
     }
     
-    template<typename T, size_t inlineCapacity>
-    const T* Vector<T, inlineCapacity>::expandCapacity(size_t newMinCapacity, const T* ptr)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    const T* Vector<T, inlineCapacity, OverflowHandler>::expandCapacity(size_t newMinCapacity, const T* ptr)
     {
         if (ptr < begin() || ptr >= end()) {
             expandCapacity(newMinCapacity);
@@ -827,14 +851,14 @@ namespace WTF {
         return begin() + index;
     }
 
-    template<typename T, size_t inlineCapacity>
-    bool Vector<T, inlineCapacity>::tryExpandCapacity(size_t newMinCapacity)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    bool Vector<T, inlineCapacity, OverflowHandler>::tryExpandCapacity(size_t newMinCapacity)
     {
         return tryReserveCapacity(std::max(newMinCapacity, std::max(static_cast<size_t>(16), capacity() + capacity() / 4 + 1)));
     }
     
-    template<typename T, size_t inlineCapacity>
-    const T* Vector<T, inlineCapacity>::tryExpandCapacity(size_t newMinCapacity, const T* ptr)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    const T* Vector<T, inlineCapacity, OverflowHandler>::tryExpandCapacity(size_t newMinCapacity, const T* ptr)
     {
         if (ptr < begin() || ptr >= end()) {
             if (!tryExpandCapacity(newMinCapacity))
@@ -847,15 +871,15 @@ namespace WTF {
         return begin() + index;
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    inline U* Vector<T, inlineCapacity>::expandCapacity(size_t newMinCapacity, U* ptr)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    inline U* Vector<T, inlineCapacity, OverflowHandler>::expandCapacity(size_t newMinCapacity, U* ptr)
     {
         expandCapacity(newMinCapacity);
         return ptr;
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline void Vector<T, inlineCapacity>::resize(size_t size)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::resize(size_t size)
     {
         if (size <= m_size)
             TypeOperations::destruct(begin() + size, end());
@@ -869,16 +893,16 @@ namespace WTF {
         m_size = size;
     }
 
-    template<typename T, size_t inlineCapacity>
-    void Vector<T, inlineCapacity>::shrink(size_t size)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void Vector<T, inlineCapacity, OverflowHandler>::shrink(size_t size)
     {
         ASSERT(size <= m_size);
         TypeOperations::destruct(begin() + size, end());
         m_size = size;
     }
 
-    template<typename T, size_t inlineCapacity>
-    void Vector<T, inlineCapacity>::grow(size_t size)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void Vector<T, inlineCapacity, OverflowHandler>::grow(size_t size)
     {
         ASSERT(size >= m_size);
         if (size > capacity())
@@ -888,8 +912,8 @@ namespace WTF {
         m_size = size;
     }
 
-    template<typename T, size_t inlineCapacity>
-    void Vector<T, inlineCapacity>::reserveCapacity(size_t newCapacity)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void Vector<T, inlineCapacity, OverflowHandler>::reserveCapacity(size_t newCapacity)
     {
         if (newCapacity <= capacity())
             return;
@@ -901,8 +925,8 @@ namespace WTF {
         m_buffer.deallocateBuffer(oldBuffer);
     }
     
-    template<typename T, size_t inlineCapacity>
-    bool Vector<T, inlineCapacity>::tryReserveCapacity(size_t newCapacity)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    bool Vector<T, inlineCapacity, OverflowHandler>::tryReserveCapacity(size_t newCapacity)
     {
         if (newCapacity <= capacity())
             return true;
@@ -916,8 +940,8 @@ namespace WTF {
         return true;
     }
     
-    template<typename T, size_t inlineCapacity>
-    inline void Vector<T, inlineCapacity>::reserveInitialCapacity(size_t initialCapacity)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::reserveInitialCapacity(size_t initialCapacity)
     {
         ASSERT(!m_size);
         ASSERT(capacity() == inlineCapacity);
@@ -925,8 +949,8 @@ namespace WTF {
             m_buffer.allocateBuffer(initialCapacity);
     }
     
-    template<typename T, size_t inlineCapacity>
-    void Vector<T, inlineCapacity>::shrinkCapacity(size_t newCapacity)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void Vector<T, inlineCapacity, OverflowHandler>::shrinkCapacity(size_t newCapacity)
     {
         if (newCapacity >= capacity())
             return;
@@ -955,8 +979,8 @@ namespace WTF {
     // because for instance it allows a PassRefPtr to be appended to a RefPtr vector
     // without refcount thrash.
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    void Vector<T, inlineCapacity>::append(const U* data, size_t dataSize)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    void Vector<T, inlineCapacity, OverflowHandler>::append(const U* data, size_t dataSize)
     {
         size_t newSize = m_size + dataSize;
         if (newSize > capacity()) {
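Review bot: `size_t newSize = m_size + dataSize;` in append() is still an unchecked addition even though this patch pulls wtf/CheckedArithmetic.h into Vector.h. A dataSize large enough to wrap the sum yields a newSize smaller than m_size, so the `newSize > capacity()` test that follows is defeated. Since Checked<size_t> is now available here, compute newSize as a Checked value, or add `RELEASE_ASSERT(newSize >= m_size)` before the capacity comparison; tryAppend() in the next hunk uses the same expression and should get the same treatment.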
@@ -972,8 +996,8 @@ namespace WTF {
         m_size = newSize;
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    bool Vector<T, inlineCapacity>::tryAppend(const U* data, size_t dataSize)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    bool Vector<T, inlineCapacity, OverflowHandler>::tryAppend(const U* data, size_t dataSize)
     {
         size_t newSize = m_size + dataSize;
         if (newSize > capacity()) {
@@ -991,8 +1015,8 @@ namespace WTF {
         return true;
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    ALWAYS_INLINE void Vector<T, inlineCapacity>::append(const U& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    ALWAYS_INLINE void Vector<T, inlineCapacity, OverflowHandler>::append(const U& val)
     {
         if (size() != capacity()) {
             new (NotNull, end()) T(val);
@@ -1003,8 +1027,8 @@ namespace WTF {
         appendSlowCase(val);
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    void Vector<T, inlineCapacity>::appendSlowCase(const U& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    void Vector<T, inlineCapacity, OverflowHandler>::appendSlowCase(const U& val)
     {
         ASSERT(size() == capacity());
 
@@ -1020,8 +1044,8 @@ namespace WTF {
     // This version of append saves a branch in the case where you know that the
     // vector's capacity is large enough for the append to succeed.
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    inline void Vector<T, inlineCapacity>::uncheckedAppend(const U& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::uncheckedAppend(const U& val)
     {
         ASSERT(size() < capacity());
         const U* ptr = &val;
@@ -1032,20 +1056,20 @@ namespace WTF {
     // This method should not be called append, a better name would be appendElements.
     // It could also be eliminated entirely, and call sites could just use
     // appendRange(val.begin(), val.end()).
-    template<typename T, size_t inlineCapacity> template<size_t otherCapacity>
-    inline void Vector<T, inlineCapacity>::append(const Vector<T, otherCapacity>& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<size_t otherCapacity>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::append(const Vector<T, otherCapacity>& val)
     {
         append(val.begin(), val.size());
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U, size_t otherCapacity>
-    inline void Vector<T, inlineCapacity>::appendVector(const Vector<U, otherCapacity>& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U, size_t otherCapacity>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::appendVector(const Vector<U, otherCapacity>& val)
     {
         append(val.begin(), val.size());
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    void Vector<T, inlineCapacity>::insert(size_t position, const U* data, size_t dataSize)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    void Vector<T, inlineCapacity, OverflowHandler>::insert(size_t position, const U* data, size_t dataSize)
     {
         ASSERT_WITH_SECURITY_IMPLICATION(position <= size());
         size_t newSize = m_size + dataSize;
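Review bot: append(const Vector<T, otherCapacity>&) and appendVector(const Vector<U, otherCapacity>&) only gained the OverflowHandler parameter on the outer template; the parameter type still names Vector with two arguments, so it only matches vectors that use the default handler. Appending a Vector<T, c, UnsafeVectorOverflow> to a CrashOnOverflow vector therefore does not select these overloads (deduction fails and the call is left to the other append overloads, such as append(const U&) above, with U deduced as the whole vector type). The copy constructor and operator= near the top of this patch already take `template<size_t otherCapacity, typename otherOverflowBehaviour>`; give these two the same second parameter, along with their in-class declarations, which are not in this hunk. insert(size_t, const Vector<U, c>&) and prepend(const Vector<U, c>&) in the later hunks have the same gap.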
@@ -1063,8 +1087,8 @@ namespace WTF {
         m_size = newSize;
     }
      
-    template<typename T, size_t inlineCapacity> template<typename U>
-    inline void Vector<T, inlineCapacity>::insert(size_t position, const U& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::insert(size_t position, const U& val)
     {
         ASSERT_WITH_SECURITY_IMPLICATION(position <= size());
         const U* data = &val;
@@ -1079,32 +1103,32 @@ namespace WTF {
         ++m_size;
     }
    
-    template<typename T, size_t inlineCapacity> template<typename U, size_t c>
-    inline void Vector<T, inlineCapacity>::insert(size_t position, const Vector<U, c>& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U, size_t c>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::insert(size_t position, const Vector<U, c>& val)
     {
         insert(position, val.begin(), val.size());
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    void Vector<T, inlineCapacity>::prepend(const U* data, size_t dataSize)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    void Vector<T, inlineCapacity, OverflowHandler>::prepend(const U* data, size_t dataSize)
     {
         insert(0, data, dataSize);
     }
 
-    template<typename T, size_t inlineCapacity> template<typename U>
-    inline void Vector<T, inlineCapacity>::prepend(const U& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::prepend(const U& val)
     {
         insert(0, val);
     }
    
-    template<typename T, size_t inlineCapacity> template<typename U, size_t c>
-    inline void Vector<T, inlineCapacity>::prepend(const Vector<U, c>& val)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler> template<typename U, size_t c>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::prepend(const Vector<U, c>& val)
     {
         insert(0, val.begin(), val.size());
     }
     
-    template<typename T, size_t inlineCapacity>
-    inline void Vector<T, inlineCapacity>::remove(size_t position)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::remove(size_t position)
     {
         ASSERT_WITH_SECURITY_IMPLICATION(position < size());
         T* spot = begin() + position;
@@ -1113,8 +1137,8 @@ namespace WTF {
         --m_size;
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline void Vector<T, inlineCapacity>::remove(size_t position, size_t length)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::remove(size_t position, size_t length)
     {
         ASSERT_WITH_SECURITY_IMPLICATION(position <= size());
         ASSERT_WITH_SECURITY_IMPLICATION(position + length <= size());
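Review bot: remove(position) and remove(position, length) keep their bounds checks as ASSERT_WITH_SECURITY_IMPLICATION, which is compiled out in release, while at()/operator[] in the same class now check in release through OverflowHandler; insert(position, ...) in the earlier hunks is in the same situation. If the goal is release-mode bounds safety for the non-opt-out vectors, these checks should also go through `OverflowHandler::overflowed()`. For `position + length <= size()` note that the sum can wrap, so check `length <= size() - position` after the `position <= size()` assertion instead. If element access is deliberately the only release-checked path, say so in a comment next to the class.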
@@ -1125,15 +1149,15 @@ namespace WTF {
         m_size -= length;
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline void Vector<T, inlineCapacity>::reverse()
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::reverse()
     {
         for (size_t i = 0; i < m_size / 2; ++i)
             std::swap(at(i), at(m_size - 1 - i));
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline T* Vector<T, inlineCapacity>::releaseBuffer()
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline T* Vector<T, inlineCapacity, OverflowHandler>::releaseBuffer()
     {
         T* buffer = m_buffer.releaseBuffer();
         if (inlineCapacity && !buffer && m_size) {
@@ -1148,8 +1172,8 @@ namespace WTF {
         return buffer;
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline void Vector<T, inlineCapacity>::checkConsistency()
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void Vector<T, inlineCapacity, OverflowHandler>::checkConsistency()
     {
 #if !ASSERT_DISABLED
         for (size_t i = 0; i < size(); ++i)
@@ -1157,23 +1181,23 @@ namespace WTF {
 #endif
     }
 
-    template<typename T, size_t inlineCapacity>
-    void deleteAllValues(const Vector<T, inlineCapacity>& collection)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    void deleteAllValues(const Vector<T, inlineCapacity, OverflowHandler>& collection)
     {
-        typedef typename Vector<T, inlineCapacity>::const_iterator iterator;
+        typedef typename Vector<T, inlineCapacity, OverflowHandler>::const_iterator iterator;
         iterator end = collection.end();
         for (iterator it = collection.begin(); it != end; ++it)
             delete *it;
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline void swap(Vector<T, inlineCapacity>& a, Vector<T, inlineCapacity>& b)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline void swap(Vector<T, inlineCapacity, OverflowHandler>& a, Vector<T, inlineCapacity, OverflowHandler>& b)
     {
         a.swap(b);
     }
 
-    template<typename T, size_t inlineCapacity>
-    bool operator==(const Vector<T, inlineCapacity>& a, const Vector<T, inlineCapacity>& b)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    bool operator==(const Vector<T, inlineCapacity, OverflowHandler>& a, const Vector<T, inlineCapacity, OverflowHandler>& b)
     {
         if (a.size() != b.size())
             return false;
@@ -1181,8 +1205,8 @@ namespace WTF {
         return VectorTypeOperations<T>::compare(a.data(), b.data(), a.size());
     }
 
-    template<typename T, size_t inlineCapacity>
-    inline bool operator!=(const Vector<T, inlineCapacity>& a, const Vector<T, inlineCapacity>& b)
+    template<typename T, size_t inlineCapacity, typename OverflowHandler>
+    inline bool operator!=(const Vector<T, inlineCapacity, OverflowHandler>& a, const Vector<T, inlineCapacity, OverflowHandler>& b)
     {
         return !(a == b);
     }
@@ -1200,5 +1224,6 @@ namespace WTF {
 } // namespace WTF
 
 using WTF::Vector;
+using WTF::UnsafeVectorOverflow;
 
 #endif // WTF_Vector_h
index fb4a670..ab1199f 100644 (file)
@@ -444,8 +444,8 @@ public:
     static unsigned dataOffset() { return OBJECT_OFFSETOF(StringImpl, m_data8); }
     static PassRefPtr<StringImpl> createWithTerminatingNullCharacter(const StringImpl&);
 
-    template<typename CharType, size_t inlineCapacity>
-    static PassRefPtr<StringImpl> adopt(Vector<CharType, inlineCapacity>& vector)
+    template<typename CharType, size_t inlineCapacity, typename OverflowHandler>
+    static PassRefPtr<StringImpl> adopt(Vector<CharType, inlineCapacity, OverflowHandler>& vector)
     {
         if (size_t size = vector.size()) {
             ASSERT(vector.data());
index 9c0fc27..d2d1af0 100644 (file)
@@ -116,8 +116,8 @@ public:
     // which will sometimes return a null string when vector.data() is null
     // which can only occur for vectors without inline capacity.
     // See: https://bugs.webkit.org/show_bug.cgi?id=109792
-    template<size_t inlineCapacity>
-    explicit String(const Vector<UChar, inlineCapacity>&);
+    template<size_t inlineCapacity, typename OverflowHandler>
+    explicit String(const Vector<UChar, inlineCapacity, OverflowHandler>&);
 
     // Construct a string with UTF-16 data, from a null-terminated source.
     WTF_EXPORT_STRING_API String(const UChar*);
@@ -160,8 +160,8 @@ public:
 
     static String adopt(StringBuffer<LChar>& buffer) { return StringImpl::adopt(buffer); }
     static String adopt(StringBuffer<UChar>& buffer) { return StringImpl::adopt(buffer); }
-    template<typename CharacterType, size_t inlineCapacity>
-    static String adopt(Vector<CharacterType, inlineCapacity>& vector) { return StringImpl::adopt(vector); }
+    template<typename CharacterType, size_t inlineCapacity, typename OverflowHandler>
+    static String adopt(Vector<CharacterType, inlineCapacity, OverflowHandler>& vector) { return StringImpl::adopt(vector); }
 
     bool isNull() const { return !m_impl; }
     bool isEmpty() const { return !m_impl || !m_impl->length(); }
@@ -543,8 +543,8 @@ inline void swap(String& a, String& b) { a.swap(b); }
 
 // Definitions of string operations
 
-template<size_t inlineCapacity>
-String::String(const Vector<UChar, inlineCapacity>& vector)
+template<size_t inlineCapacity, typename OverflowHandler>
+String::String(const Vector<UChar, inlineCapacity, OverflowHandler>& vector)
     : m_impl(vector.size() ? StringImpl::create(vector.data(), vector.size()) : StringImpl::empty())
 {
 }
index b4d19dd..e2fe490 100644 (file)
@@ -1,3 +1,14 @@
+2013-04-07  Oliver Hunt  <oliver@apple.com>
+
+        Add bounds checking for WTF::Vector::operator[]
+        https://bugs.webkit.org/show_bug.cgi?id=89600
+
+        Reviewed by Filip Pizlo.
+
+        Fix exports
+
+        * WebCore.exp.in:
+
 2013-04-07  Benjamin Poulain  <benjamin@webkit.org>
 
         Do not allocate static AtomicStrings when searching for alternate font names
index 65dd98a..38ad7f8 100644 (file)
@@ -97,7 +97,7 @@ __ZN7WebCore11BitmapImageC1EPNS_13ImageObserverE
 __ZN7WebCore11CachedFrame23cachedFramePlatformDataEv
 __ZN7WebCore11CachedFrame26setCachedFramePlatformDataEN3WTF10PassOwnPtrINS_23CachedFramePlatformDataEEE
 __ZN7WebCore11FileChooser10chooseFileERKN3WTF6StringE
-__ZN7WebCore11FileChooser11chooseFilesERKN3WTF6VectorINS1_6StringELm0EEE
+__ZN7WebCore11FileChooser11chooseFilesERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore11FileChooserD1Ev
 __ZN7WebCore11FrameLoader11loadArchiveEN3WTF10PassRefPtrINS_7ArchiveEEE
 __ZN7WebCore11FrameLoader11shouldCloseEv
@@ -126,9 +126,9 @@ __ZN7WebCore11HistoryItem13setVisitCountEi
 __ZN7WebCore11HistoryItem14addRedirectURLERKN3WTF6StringE
 __ZN7WebCore11HistoryItem14setScrollPointERKNS_8IntPointE
 __ZN7WebCore11HistoryItem15setIsTargetItemEb
-__ZN7WebCore11HistoryItem15setRedirectURLsEN3WTF10PassOwnPtrINS1_6VectorINS1_6StringELm0EEEEE
-__ZN7WebCore11HistoryItem16adoptVisitCountsERN3WTF6VectorIiLm0EEES4_
-__ZN7WebCore11HistoryItem16setDocumentStateERKN3WTF6VectorINS1_6StringELm0EEE
+__ZN7WebCore11HistoryItem15setRedirectURLsEN3WTF10PassOwnPtrINS1_6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEEEE
+__ZN7WebCore11HistoryItem16adoptVisitCountsERN3WTF6VectorIiLm0ENS1_15CrashOnOverflowEEES5_
+__ZN7WebCore11HistoryItem16setDocumentStateERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore11HistoryItem17setAlternateTitleERKN3WTF6StringE
 __ZN7WebCore11HistoryItem18recordInitialVisitEv
 __ZN7WebCore11HistoryItem18setLastVisitedTimeEd
@@ -181,6 +181,7 @@ __ZN7WebCore11memoryCacheEv
 __ZN7WebCore11startOfWordERKNS_15VisiblePositionENS_9EWordSideE
 __ZN7WebCore11writeToFileEiPKci
 __ZN7WebCore12ChromeClient23paintCustomOverhangAreaEPNS_15GraphicsContextERKNS_7IntRectES5_S5_
+__ZN7WebCore12createMarkupEPKNS_5RangeEPN3WTF6VectorIPNS_4NodeELm0ENS3_15CrashOnOverflowEEENS_23EAnnotateForInterchangeEbNS_13EAbsoluteURLsE
 #if ENABLE(CSS3_CONDITIONAL_RULES)
 __ZN7WebCore12DOMWindowCSS6createEv
 #endif
@@ -237,8 +238,6 @@ __ZN7WebCore12TextIterator8subrangeEPNS_5RangeEii
 __ZN7WebCore12TextIteratorC1EPKNS_5RangeENS_20TextIteratorBehaviorE
 __ZN7WebCore12TextIteratorD1Ev
 __ZN7WebCore12cacheStorageEv
-__ZN7WebCore12createMarkupEPKNS_4NodeENS_13EChildrenOnlyEPN3WTF6VectorIPS0_Lm0EEENS_13EAbsoluteURLsEPNS5_INS_13QualifiedNameELm0EEE
-__ZN7WebCore12createMarkupEPKNS_5RangeEPN3WTF6VectorIPNS_4NodeELm0EEENS_23EAnnotateForInterchangeEbNS_13EAbsoluteURLsE
 __ZN7WebCore12deleteCookieERKNS_21NetworkStorageSessionERKNS_4KURLERKN3WTF6StringE
 __ZN7WebCore12gcControllerEv
 __ZN7WebCore12iconDatabaseEv
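Review bot: of the two createMarkup exports removed here only one has a visible replacement. The Range overload is re-added with the CrashOnOverflow mangling in the ChromeClient hunk above, but the Node overload (`__ZN7WebCore12createMarkupEPKNS_4NodeENS_13EChildrenOnlyEPN3WTF6VectorIPS0_Lm0EEENS_13EAbsoluteURLsEPNS5_INS_13QualifiedNameELm0EEE`), which carries two Vector parameters, has no re-mangled counterpart in this part of the patch. Confirm it is re-added elsewhere in WebCore.exp.in (the symbol may simply have moved, as the FormController::getReferencedFilePaths symbol below did), otherwise it silently drops out of the export list and any caller outside WebCore fails to link. The same question applies to getRawCookies in the next hunk and to the three SerializedScriptValue symbols removed further down.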
@@ -271,7 +270,6 @@ __ZN7WebCore13StyledElement22setInlineStylePropertyENS_13CSSPropertyIDEdNS_17CSS
 __ZN7WebCore13cookiesForDOMERKNS_21NetworkStorageSessionERKNS_4KURLES5_
 __ZN7WebCore13createWrapperEPN3JSC9ExecStateEPNS_17JSDOMGlobalObjectEPNS_4NodeE
 __ZN7WebCore13directoryNameERKN3WTF6StringE
-__ZN7WebCore13getRawCookiesERKNS_21NetworkStorageSessionERKNS_4KURLES5_RN3WTF6VectorINS_6CookieELm0EEE
 __ZN7WebCore13toArrayBufferEN3JSC7JSValueE
 __ZN7WebCore13toHTMLElementEPNS_21FormAssociatedElementE
 __ZN7WebCore13toJSDOMWindowEN3JSC7JSValueE
@@ -279,7 +277,7 @@ __ZN7WebCore14CachedResource12removeClientEPNS_20CachedResourceClientE
 __ZN7WebCore14CachedResource16unregisterHandleEPNS_24CachedResourceHandleBaseE
 __ZN7WebCore14CachedResource21tryReplaceEncodedDataEN3WTF10PassRefPtrINS_12SharedBufferEEE
 __ZN7WebCore14CachedResource9addClientEPNS_20CachedResourceClientE
-__ZN7WebCore14ClientRectListC1ERKN3WTF6VectorINS_9FloatQuadELm0EEE
+__ZN7WebCore14ClientRectListC1ERKN3WTF6VectorINS_9FloatQuadELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore14ClientRectListC1Ev
 __ZN7WebCore14ClientRectListD1Ev
 __ZN7WebCore14DocumentLoader10commitDataEPKcm
@@ -290,16 +288,14 @@ __ZN7WebCore14DocumentLoader15detachFromFrameEv
 __ZN7WebCore14DocumentLoader16redirectReceivedEPNS_14CachedResourceERNS_15ResourceRequestERKNS_16ResourceResponseE
 __ZN7WebCore14DocumentLoader16responseReceivedEPNS_14CachedResourceERKNS_16ResourceResponseE
 __ZN7WebCore14DocumentLoader18addArchiveResourceEN3WTF10PassRefPtrINS_15ArchiveResourceEEE
+__ZN7WebCore14FormController22getReferencedFilePathsERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore14ResourceLoader32didCancelAuthenticationChallengeERKNS_23AuthenticationChallengeE
 __ZN7WebCore14cookiesEnabledERKNS_21NetworkStorageSessionERKNS_4KURLES5_
 __ZN7WebCore16ScriptController17javaScriptContextEv
 __ZN7WebCore17setCookiesFromDOMERKNS_21NetworkStorageSessionERKNS_4KURLES5_RKN3WTF6StringE
 __ZN7WebCore21NetworkStorageSession21defaultStorageSessionEv
 __ZN7WebCore21NetworkStorageSession25switchToNewTestingSessionEv
-__ZN7WebCore21SerializedScriptValue11deserializeEPN3JSC9ExecStateEPNS1_14JSGlobalObjectEPN3WTF6VectorINS6_6RefPtrINS_11MessagePortEEELm1EEENS_22SerializationErrorModeE
-__ZN7WebCore21SerializedScriptValue6createEPN3JSC9ExecStateENS1_7JSValueEPN3WTF6VectorINS5_6RefPtrINS_11MessagePortEEELm1EEEPNS6_INS7_INS5_11ArrayBufferEEELm1EEENS_22SerializationErrorModeE
 __ZN7WebCore21SerializedScriptValue6createERKN3WTF6StringE
-__ZN7WebCore21SerializedScriptValueC1ERN3WTF6VectorIhLm0EEE
 __ZN7WebCore4toJSEPN3JSC9ExecStateEPNS_17JSDOMGlobalObjectEPN3WTF11ArrayBufferE
 __ZN7WebCore14DocumentLoader19scheduleArchiveLoadEPNS_14ResourceLoaderERKNS_15ResourceRequestE
 __ZN7WebCore14DocumentLoader21addPlugInStreamLoaderEPNS_14ResourceLoaderE
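Review bot: the three SerializedScriptValue removals at the end of this hunk (deserialize, create, and the Vector<unsigned char> constructor) have no updated counterpart here, which reads as dropped exports; they are re-added with the new CrashOnOverflow mangling in the @@ -678,8 +673,10 @@ hunk, where the pre-existing duplicate of the constructor is also removed, and getReferencedFilePaths is likewise added here and removed from the following hunk. Net effect is a move into sorted position plus de-duplication, not a loss, but the ChangeLog's "Fix exports" does not say so; a sentence noting the relocations would save the next reader the cross-check.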
@@ -314,7 +310,6 @@ __ZN7WebCore14DocumentLoaderC2ERKNS_15ResourceRequestERKNS_14SubstituteDataE
 __ZN7WebCore14DocumentLoaderD2Ev
 __ZN7WebCore14DocumentWriter11setEncodingERKN3WTF6StringEb
 __ZN7WebCore14FileIconLoader14notifyFinishedEN3WTF10PassRefPtrINS_4IconEEE
-__ZN7WebCore14FormController22getReferencedFilePathsERKN3WTF6VectorINS1_6StringELm0EEE
 __ZN7WebCore14FrameSelection10setFocusedEb
 __ZN7WebCore14FrameSelection12setSelectionERKNS_16VisibleSelectionEjNS0_19CursorAlignOnScrollENS_15TextGranularityE
 __ZN7WebCore14FrameSelection15revealSelectionERKNS_15ScrollAlignmentENS_18RevealExtentOptionE
@@ -326,7 +321,7 @@ __ZN7WebCore14FrameSelection6modifyENS0_11EAlterationENS_18SelectionDirectionENS
 __ZN7WebCore14FrameSelection9selectAllEv
 __ZN7WebCore14FrameSelectionC1EPNS_5FrameE
 __ZN7WebCore14LoaderStrategy21resourceLoadSchedulerEv
-__ZN7WebCore14LoaderStrategy25loadResourceSynchronouslyEPNS_17NetworkingContextEmRKNS_15ResourceRequestENS_17StoredCredentialsERNS_13ResourceErrorERNS_16ResourceResponseERN3WTF6VectorIcLm0EEE
+__ZN7WebCore14LoaderStrategy25loadResourceSynchronouslyEPNS_17NetworkingContextEmRKNS_15ResourceRequestENS_17StoredCredentialsERNS_13ResourceErrorERNS_16ResourceResponseERN3WTF6VectorIcLm0ENSB_15CrashOnOverflowEEE
 __ZN7WebCore14PluginDocument10pluginNodeEv
 __ZNK7WebCore5Frame25trackedRepaintRectsAsTextEv
 __ZN7WebCore9FrameView13setNodeToDrawEPNS_4NodeE
@@ -345,7 +340,7 @@ __ZN7WebCore14ResourceBufferD2Ev
 __ZN7WebCore14ResourceHandle20forceContentSniffingEv
 __ZN7WebCore14ResourceHandle23continueWillSendRequestERKNS_15ResourceRequestE
 __ZN7WebCore14ResourceHandle25continueWillCacheResponseEP19NSCachedURLResponse
-__ZN7WebCore14ResourceHandle25loadResourceSynchronouslyEPNS_17NetworkingContextERKNS_15ResourceRequestENS_17StoredCredentialsERNS_13ResourceErrorERNS_16ResourceResponseERN3WTF6VectorIcLm0EEE
+__ZN7WebCore14ResourceHandle25loadResourceSynchronouslyEPNS_17NetworkingContextERKNS_15ResourceRequestENS_17StoredCredentialsERNS_13ResourceErrorERNS_16ResourceResponseERN3WTF6VectorIcLm0ENSB_15CrashOnOverflowEEE
 __ZN7WebCore14ResourceHandle26synchronousLoadRunLoopModeEv
 __ZN7WebCore14ResourceHandle34continueShouldUseCredentialStorageEb
 __ZN7WebCore14ResourceHandle45continueCanAuthenticateAgainstProtectionSpaceEb
@@ -400,7 +395,7 @@ __ZN7WebCore14StorageTracker16syncLocalStorageEv
 __ZN7WebCore14StorageTracker17initializeTrackerERKN3WTF6StringEPNS_20StorageTrackerClientE
 __ZN7WebCore14StorageTracker18diskUsageForOriginEPNS_14SecurityOriginE
 __ZN7WebCore14StorageTracker32syncFileSystemAndTrackerDatabaseEv
-__ZN7WebCore14StorageTracker7originsERN3WTF6VectorINS1_6RefPtrINS_14SecurityOriginEEELm0EEE
+__ZN7WebCore14StorageTracker7originsERN3WTF6VectorINS1_6RefPtrINS_14SecurityOriginEEELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore14StorageTracker7trackerEv
 __ZN7WebCore14StorageTracker9setClientEPNS_20StorageTrackerClientE
 __ZN7WebCore14decodeHostNameEP8NSString
@@ -426,10 +421,10 @@ __ZN7WebCore15DatabaseManager14quotaForOriginEPNS_14SecurityOriginE
 __ZN7WebCore15DatabaseManager14usageForOriginEPNS_14SecurityOriginE
 __ZN7WebCore15DatabaseManager10initializeERKN3WTF6StringE
 __ZN7WebCore15DatabaseManager18deleteAllDatabasesEv
-__ZN7WebCore15DatabaseManager22databaseNamesForOriginEPNS_14SecurityOriginERN3WTF6VectorINS3_6StringELm0EEE
+__ZN7WebCore15DatabaseManager22databaseNamesForOriginEPNS_14SecurityOriginERN3WTF6VectorINS3_6StringELm0ENS3_15CrashOnOverflowEEE
 __ZN7WebCore15DatabaseManager23detailsForNameAndOriginERKN3WTF6StringEPNS_14SecurityOriginE
-__ZN7WebCore15DatabaseManager7originsERN3WTF6VectorINS1_6RefPtrINS_14SecurityOriginEEELm0EEE
 __ZN7WebCore15DatabaseManager7managerEv
+__ZN7WebCore15DatabaseManager7originsERN3WTF6VectorINS1_6RefPtrINS_14SecurityOriginEEELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore15DatabaseManager8setQuotaEPNS_14SecurityOriginEy
 __ZN7WebCore15DatabaseManager9setClientEPNS_21DatabaseManagerClientE
 __ZN7WebCore15FocusController10setFocusedEb
@@ -507,7 +502,7 @@ __ZN7WebCore16IconDatabaseBase28synchronousIconURLForPageURLERKN3WTF6StringE
 __ZN7WebCore16IconDatabaseBase4openERKN3WTF6StringES4_
 __ZN7WebCore16LegacyWebArchive19createFromSelectionEPNS_5FrameE
 __ZN7WebCore16LegacyWebArchive21rawDataRepresentationEv
-__ZN7WebCore16LegacyWebArchive6createEN3WTF10PassRefPtrINS_15ArchiveResourceEEERNS1_6VectorIS4_Lm0EEERNS5_INS2_IS0_EELm0EEE
+__ZN7WebCore16LegacyWebArchive6createEN3WTF10PassRefPtrINS_15ArchiveResourceEEERNS1_6VectorIS4_Lm0ENS1_15CrashOnOverflowEEERNS5_INS2_IS0_EELm0ES6_EE
 __ZN7WebCore16LegacyWebArchive6createEPNS_12SharedBufferE
 __ZN7WebCore16LegacyWebArchive6createEPNS_4NodeEPNS_11FrameFilterE
 __ZN7WebCore16LegacyWebArchive6createEPNS_5FrameE
@@ -579,14 +574,14 @@ __ZN7WebCore18PlatformPasteboard13bufferForTypeERKN3WTF6StringE
 __ZN7WebCore18PlatformPasteboard13stringForTypeERKN3WTF6StringE
 __ZN7WebCore18PlatformPasteboard16setBufferForTypeEN3WTF10PassRefPtrINS_12SharedBufferEEERKNS1_6StringE
 __ZN7WebCore18PlatformPasteboard16setStringForTypeERKN3WTF6StringES4_
-__ZN7WebCore18PlatformPasteboard19getPathnamesForTypeERN3WTF6VectorINS1_6StringELm0EEERKS3_
-__ZN7WebCore18PlatformPasteboard19setPathnamesForTypeERKN3WTF6VectorINS1_6StringELm0EEERKS3_
+__ZN7WebCore18PlatformPasteboard19getPathnamesForTypeERN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEERKS3_
+__ZN7WebCore18PlatformPasteboard19setPathnamesForTypeERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEERKS3_
 __ZN7WebCore18PlatformPasteboard3urlEv
 __ZN7WebCore18PlatformPasteboard4copyERKN3WTF6StringE
 __ZN7WebCore18PlatformPasteboard5colorEv
-__ZN7WebCore18PlatformPasteboard8addTypesERKN3WTF6VectorINS1_6StringELm0EEE
-__ZN7WebCore18PlatformPasteboard8getTypesERN3WTF6VectorINS1_6StringELm0EEE
-__ZN7WebCore18PlatformPasteboard8setTypesERKN3WTF6VectorINS1_6StringELm0EEE
+__ZN7WebCore18PlatformPasteboard8addTypesERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
+__ZN7WebCore18PlatformPasteboard8getTypesERN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
+__ZN7WebCore18PlatformPasteboard8setTypesERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore18PlatformPasteboardC1ERKN3WTF6StringE
 __ZN7WebCore18isStartOfParagraphERKNS_15VisiblePositionENS_27EditingBoundaryCrossingRuleE
 __ZN7WebCore18pluginScriptObjectEPN3JSC9ExecStateEPNS_13JSHTMLElementE
@@ -601,8 +596,8 @@ __ZN7WebCore19BackForwardListImpl11currentItemEv
 __ZN7WebCore19BackForwardListImpl11forwardItemEv
 __ZN7WebCore19BackForwardListImpl11setCapacityEi
 __ZN7WebCore19BackForwardListImpl12containsItemEPNS_11HistoryItemE
-__ZN7WebCore19BackForwardListImpl17backListWithLimitEiRN3WTF6VectorINS1_6RefPtrINS_11HistoryItemEEELm0EEE
-__ZN7WebCore19BackForwardListImpl20forwardListWithLimitEiRN3WTF6VectorINS1_6RefPtrINS_11HistoryItemEEELm0EEE
+__ZN7WebCore19BackForwardListImpl17backListWithLimitEiRN3WTF6VectorINS1_6RefPtrINS_11HistoryItemEEELm0ENS1_15CrashOnOverflowEEE
+__ZN7WebCore19BackForwardListImpl20forwardListWithLimitEiRN3WTF6VectorINS1_6RefPtrINS_11HistoryItemEEELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore19BackForwardListImpl6closedEv
 __ZN7WebCore19BackForwardListImpl6goBackEv
 __ZN7WebCore19BackForwardListImpl7enabledEv
@@ -678,8 +673,10 @@ __ZN7WebCore21ResourceLoadScheduler6removeEPNS_14ResourceLoaderE
 __ZN7WebCore21ResourceLoadSchedulerC2Ev
 __ZN7WebCore21ResourceLoadSchedulerD2Ev
 __ZN7WebCore21SerializedScriptValue11deserializeEPK15OpaqueJSContextPPK13OpaqueJSValue
+__ZN7WebCore21SerializedScriptValue11deserializeEPN3JSC9ExecStateEPNS1_14JSGlobalObjectEPN3WTF6VectorINS6_6RefPtrINS_11MessagePortEEELm1ENS6_15CrashOnOverflowEEENS_22SerializationErrorModeE
 __ZN7WebCore21SerializedScriptValue6createEPK15OpaqueJSContextPK13OpaqueJSValuePS6_
-__ZN7WebCore21SerializedScriptValueC1ERN3WTF6VectorIhLm0EEE
+__ZN7WebCore21SerializedScriptValue6createEPN3JSC9ExecStateENS1_7JSValueEPN3WTF6VectorINS5_6RefPtrINS_11MessagePortEEELm1ENS5_15CrashOnOverflowEEEPNS6_INS7_INS5_11ArrayBufferEEELm1ESA_EENS_22SerializationErrorModeE
+__ZN7WebCore21SerializedScriptValueC1ERN3WTF6VectorIhLm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore21SerializedScriptValueD1Ev
 __ZN7WebCore21URLByRemovingUserInfoEP5NSURL
 __ZN7WebCore21UserContentURLPattern5parseERKN3WTF6StringE
@@ -717,7 +714,7 @@ __ZN7WebCore23ApplicationCacheStorage26storeUpdatedQuotaForOriginEPKNS_14Securit
 __ZN7WebCore23ApplicationCacheStorage5emptyEv
 __ZN7WebCore23AuthenticationChallenge23setAuthenticationClientEPNS_20AuthenticationClientE
 __ZN7WebCore23AuthenticationChallengeC1ERKNS_15ProtectionSpaceERKNS_10CredentialEjRKNS_16ResourceResponseERKNS_13ResourceErrorE
-__ZN7WebCore23createFragmentFromNodesEPNS_8DocumentERKN3WTF6VectorIPNS_4NodeELm0EEE
+__ZN7WebCore23createFragmentFromNodesEPNS_8DocumentERKN3WTF6VectorIPNS_4NodeELm0ENS2_15CrashOnOverflowEEE
 __ZN7WebCore23dataForURLComponentTypeEP5NSURLl
 __ZN7WebCore23decodeHostNameWithRangeEP8NSString8_NSRange
 __ZN7WebCore23encodeHostNameWithRangeEP8NSString8_NSRange
@@ -775,7 +772,7 @@ __ZN7WebCore29cookieRequestHeaderFieldValueERKNS_21NetworkStorageSessionERKNS_4K
 __ZN7WebCore29isCharacterSmartReplaceExemptEib
 __ZN7WebCore30hostNameNeedsDecodingWithRangeEP8NSString8_NSRange
 __ZN7WebCore30hostNameNeedsEncodingWithRangeEP8NSString8_NSRange
-__ZN7WebCore30overrideUserPreferredLanguagesERKN3WTF6VectorINS0_6StringELm0EEE
+__ZN7WebCore30overrideUserPreferredLanguagesERKN3WTF6VectorINS0_6StringELm0ENS0_15CrashOnOverflowEEE
 __ZN7WebCore31CrossOriginPreflightResultCache5emptyEv
 __ZN7WebCore31CrossOriginPreflightResultCache6sharedEv
 __ZN7WebCore33stripLeadingAndTrailingHTMLSpacesERKN3WTF6StringE
@@ -793,7 +790,7 @@ __ZN7WebCore4Font29setDefaultTypesettingFeaturesEj
 __ZN7WebCore4FontC1ERKNS_16FontPlatformDataEbNS_17FontSmoothingModeE
 __ZN7WebCore4FontC1Ev
 __ZN7WebCore4FontaSERKS0_
-__ZN7WebCore4Icon18createIconForFilesERKN3WTF6VectorINS1_6StringELm0EEE
+__ZN7WebCore4Icon18createIconForFilesERKN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore4IconD1Ev
 __ZN7WebCore4KURL10invalidateEv
 __ZN7WebCore4KURLC1ENS_18ParsedURLStringTagERKN3WTF6StringE
@@ -834,7 +831,7 @@ __ZN7WebCore4Page22allVisitedStateChangedEPNS_9PageGroupE
 __ZN7WebCore4Page22nonFastScrollableRectsEPKNS_5FrameE
 __ZN7WebCore4Page22setRubberBandsAtBottomEb
 __ZN7WebCore4Page23clearUndoRedoOperationsEv
-__ZN7WebCore4Page24findStringMatchingRangesERKN3WTF6StringEjiPNS1_6VectorINS1_6RefPtrINS_5RangeEEELm0EEERi
+__ZN7WebCore4Page24findStringMatchingRangesERKN3WTF6StringEjiPNS1_6VectorINS1_6RefPtrINS_5RangeEEELm0ENS1_15CrashOnOverflowEEERi
 __ZN7WebCore4Page24resumeScriptedAnimationsEv
 __ZN7WebCore4Page24scrollingStateTreeAsTextEv
 __ZN7WebCore4Page25suspendScriptedAnimationsEv
@@ -905,7 +902,7 @@ __ZN7WebCore6Editor10findStringERKN3WTF6StringEj
 __ZN7WebCore6Editor10insertTextERKN3WTF6StringEPNS_5EventE
 __ZN7WebCore6Editor13performDeleteEv
 __ZN7WebCore6Editor13rangeForPointERKNS_8IntPointE
-__ZN7WebCore6Editor14setCompositionERKN3WTF6StringERKNS1_6VectorINS_20CompositionUnderlineELm0EEEjj
+__ZN7WebCore6Editor14setCompositionERKN3WTF6StringERKNS1_6VectorINS_20CompositionUnderlineELm0ENS1_15CrashOnOverflowEEEjj
 __ZN7WebCore6Editor14simplifyMarkupEPNS_4NodeES2_
 __ZN7WebCore6Editor15pasteAsFragmentEN3WTF10PassRefPtrINS_16DocumentFragmentEEEbb
 __ZN7WebCore6Editor16pasteAsPlainTextEv
@@ -913,7 +910,8 @@ __ZN7WebCore6Editor17cancelCompositionEv
 __ZN7WebCore6Editor17insertOrderedListEv
 __ZN7WebCore6Editor18confirmCompositionERKN3WTF6StringE
 __ZN7WebCore6Editor18confirmCompositionEv
-__ZN7WebCore6Editor18insertDictatedTextERKN3WTF6StringERKNS1_6VectorINS_20DictationAlternativeELm0EEEPNS_5EventE
+__ZN7WebCore6Editor18insertDictatedTextERKN3WTF6StringERKNS1_6VectorINS_20DictationAlternativeELm0ENS1_15CrashOnOverflowEEEPNS_5EventE
+__ZN7WebCore6Editor19countMatchesForTextERKN3WTF6StringEPNS_5RangeEjjbPNS1_6VectorINS1_6RefPtrIS5_EELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore6Editor19deleteWithDirectionENS_18SelectionDirectionENS_15TextGranularityEbb
 __ZN7WebCore6Editor19insertUnorderedListEv
 __ZN7WebCore6Editor21applyStyleToSelectionEPNS_16StylePropertySetENS_10EditActionE
@@ -943,7 +941,6 @@ __ZN7WebCore6Editor6indentEv
 __ZN7WebCore6Editor7CommandC1Ev
 __ZN7WebCore6Editor7commandERKN3WTF6StringE
 __ZN7WebCore6Editor7outdentEv
-__ZN7WebCore6Editor19countMatchesForTextERKN3WTF6StringEPNS_5RangeEjjbPNS1_6VectorINS1_6RefPtrIS5_EELm0EEE
 __ZN7WebCore6JSNode6s_infoE
 __ZN7WebCore6Region5uniteERKS0_
 __ZN7WebCore6Region8subtractERKS0_
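Review bot: the removal of Editor::countMatchesForText here pairs with the updated line added in the @@ -913,7 +910,8 @@ hunk, so the symbol is moved into its sorted position (after 18insertDictatedText) rather than dropped; no change needed, just confirming the two hunks are read together.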
@@ -1002,7 +999,7 @@ __ZN7WebCore8Document13createElementERKNS_13QualifiedNameEb
 __ZN7WebCore8Document14createTextNodeERKN3WTF6StringE
 __ZN7WebCore8Document14setFocusedNodeEN3WTF10PassRefPtrINS_4NodeEEENS_14FocusDirectionE
 __ZN7WebCore8Document16isPageBoxVisibleEi
-__ZN7WebCore8Document17getFocusableNodesERN3WTF6VectorINS1_6RefPtrINS_4NodeEEELm0EEE
+__ZN7WebCore8Document17getFocusableNodesERN3WTF6VectorINS1_6RefPtrINS_4NodeEEELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore8Document20styleResolverChangedENS_23StyleResolverUpdateFlagE
 __ZN7WebCore8Document22createDocumentFragmentEv
 __ZN7WebCore8Document23didAddWheelEventHandlerEv
@@ -1071,7 +1068,7 @@ __ZN7WebCore8Settings30setShowTiledScrollingIndicatorEb
 __ZN7WebCore8blankURLEv
 __ZN7WebCore8makeRGBAEiiii
 __ZN7WebCore8openFileERKN3WTF6StringENS_12FileOpenModeE
-__ZN7WebCore8toStringERKN3WTF6VectorINS_11ProxyServerELm0EEE
+__ZN7WebCore8toStringERKN3WTF6VectorINS_11ProxyServerELm0ENS0_15CrashOnOverflowEEE
 __ZN7WebCore8toUInt64EPN3JSC9ExecStateENS0_7JSValueENS_30IntegerConversionConfigurationE
 __ZN7WebCore9DOMWindow30dispatchAllPendingUnloadEventsEv
 __ZN7WebCore9DOMWindow36dispatchAllPendingBeforeUnloadEventsEv
@@ -1169,10 +1166,10 @@ __ZN7WebCore9PageGroup14addVisitedLinkEPKtm
 __ZN7WebCore9PageGroup17closeLocalStorageEv
 __ZN7WebCore9PageGroup18addVisitedLinkHashEy
 __ZN7WebCore9PageGroup18numberOfPageGroupsEv
-__ZN7WebCore9PageGroup20addUserScriptToWorldEPNS_15DOMWrapperWorldERKN3WTF6StringERKNS_4KURLERKNS3_6VectorIS4_Lm0EEESD_NS_23UserScriptInjectionTimeENS_25UserContentInjectedFramesE
 __ZN7WebCore9PageGroup20removeAllUserContentEv
+__ZN7WebCore9PageGroup20addUserScriptToWorldEPNS_15DOMWrapperWorldERKN3WTF6StringERKNS_4KURLERKNS3_6VectorIS4_Lm0ENS3_15CrashOnOverflowEEESE_NS_23UserScriptInjectionTimeENS_25UserContentInjectedFramesE
 __ZN7WebCore9PageGroup21removeAllVisitedLinksEv
-__ZN7WebCore9PageGroup24addUserStyleSheetToWorldEPNS_15DOMWrapperWorldERKN3WTF6StringERKNS_4KURLERKNS3_6VectorIS4_Lm0EEESD_NS_25UserContentInjectedFramesENS_14UserStyleLevelENS_22UserStyleInjectionTimeE
+__ZN7WebCore9PageGroup24addUserStyleSheetToWorldEPNS_15DOMWrapperWorldERKN3WTF6StringERKNS_4KURLERKNS3_6VectorIS4_Lm0ENS3_15CrashOnOverflowEEESE_NS_25UserContentInjectedFramesENS_14UserStyleLevelENS_22UserStyleInjectionTimeE
 __ZN7WebCore9PageGroup25removeUserScriptFromWorldEPNS_15DOMWrapperWorldERKNS_4KURLE
 __ZN7WebCore9PageGroup26removeUserScriptsFromWorldEPNS_15DOMWrapperWorldE
 __ZN7WebCore9PageGroup26setShouldTrackVisitedLinksEb
@@ -1200,7 +1197,7 @@ __ZN7WebCore9makeRangeERKNS_15VisiblePositionES2_
 __ZN7WebCore9pageCacheEv
 __ZN7WebCore9plainTextEPKNS_5RangeENS_20TextIteratorBehaviorEb
 __ZN7WebCore9toElementEN3JSC7JSValueE
-__ZN7WebCore9unionRectERKN3WTF6VectorINS_9FloatRectELm0EEE
+__ZN7WebCore9unionRectERKN3WTF6VectorINS_9FloatRectELm0ENS0_15CrashOnOverflowEEE
 __ZNK3JSC8Bindings10RootObject12globalObjectEv
 __ZNK3WTF6String14createCFStringEv
 __ZNK7WebCore10Credential11hasPasswordEv
@@ -1311,7 +1308,7 @@ __ZNK7WebCore14DocumentLoader11subresourceERKNS_4KURLE
 __ZNK7WebCore14DocumentLoader12mainResourceEv
 __ZNK7WebCore14DocumentLoader13urlForHistoryEv
 __ZNK7WebCore14DocumentLoader14unreachableURLEv
-__ZNK7WebCore14DocumentLoader15getSubresourcesERN3WTF6VectorINS1_10PassRefPtrINS_15ArchiveResourceEEELm0EEE
+__ZNK7WebCore14DocumentLoader15getSubresourcesERN3WTF6VectorINS1_10PassRefPtrINS_15ArchiveResourceEEELm0ENS1_15CrashOnOverflowEEE
 __ZNK7WebCore14DocumentLoader15originalRequestEv
 __ZNK7WebCore14DocumentLoader16mainResourceDataEv
 __ZNK7WebCore14DocumentLoader17parsedArchiveDataEv
@@ -1327,7 +1324,7 @@ __ZNK7WebCore14FrameSelection11currentFormEv
 __ZNK7WebCore14FrameSelection15copyTypingStyleEv
 __ZNK7WebCore14FrameSelection17isInPasswordFieldEv
 __ZNK7WebCore14FrameSelection18isFocusedAndActiveEv
-__ZNK7WebCore14FrameSelection31getClippedVisibleTextRectanglesERN3WTF6VectorINS_9FloatRectELm0EEE
+__ZNK7WebCore14FrameSelection31getClippedVisibleTextRectanglesERN3WTF6VectorINS_9FloatRectELm0ENS1_15CrashOnOverflowEEE
 __ZNK7WebCore14FrameSelection36rootEditableElementOrDocumentElementEv
 __ZNK7WebCore14FrameSelection6boundsEb
 __ZNK7WebCore14InsertionPoint19getDistributedNodesEv
@@ -1471,7 +1468,7 @@ __ZNK7WebCore4Page17viewportArgumentsEv
 __ZNK7WebCore4Page34inLowQualityImageInterpolationModeEv
 __ZNK7WebCore4Page9groupNameEv
 __ZNK7WebCore4Page9pageCountEv
-__ZNK7WebCore4Node9textRectsERN3WTF6VectorINS_7IntRectELm0EEE
+__ZNK7WebCore4Node9textRectsERN3WTF6VectorINS_7IntRectELm0ENS1_15CrashOnOverflowEEE
 __ZNK7WebCore5Color7getRGBAERdS1_S1_S1_
 __ZNK7WebCore5Color10serializedEv
 __ZNK7WebCore5Frame13ownerRendererEv
@@ -1492,8 +1489,8 @@ __ZNK7WebCore5Range4textEv
 __ZNK7WebCore5Range9collapsedERi
 __ZNK7WebCore5Range9endOffsetERi
 __ZNK7WebCore5Range9firstNodeEv
-__ZNK7WebCore5Range9textQuadsERN3WTF6VectorINS_9FloatQuadELm0EEEbPNS0_20RangeInFixedPositionE
-__ZNK7WebCore5Range9textRectsERN3WTF6VectorINS_7IntRectELm0EEEbPNS0_20RangeInFixedPositionE
+__ZNK7WebCore5Range9textRectsERN3WTF6VectorINS_7IntRectELm0ENS1_15CrashOnOverflowEEEbPNS0_20RangeInFixedPositionE
+__ZNK7WebCore5Range9textQuadsERN3WTF6VectorINS_9FloatQuadELm0ENS1_15CrashOnOverflowEEEbPNS0_20RangeInFixedPositionE
 __ZNK7WebCore6Chrome12createWindowEPNS_5FrameERKNS_16FrameLoadRequestERKNS_14WindowFeaturesERKNS_16NavigationActionE
 __ZNK7WebCore6Editor12selectedTextEv
 __ZNK7WebCore6Editor13canEditRichlyEv
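Review bot: the two added lines swap the order of Range::textRects and Range::textQuads, which breaks the sorted order the surrounding entries follow (9textQuads sorts before 9textRects, since Q precedes R); the mangling updates themselves look right, so only the order of the two `+` lines needs swapping back.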
@@ -1766,6 +1763,7 @@ __ZN7WebCore12EventHandler8keyEventEP7NSEvent
 __ZN7WebCore12EventHandler9mouseDownEP7NSEvent
 __ZN7WebCore12PopupMenuMacC1EPNS_15PopupMenuClientE
 __ZN7WebCore13toDeviceSpaceERKNS_9FloatRectEP8NSWindow
+__ZN7WebCore13getRawCookiesERKNS_21NetworkStorageSessionERKNS_4KURLES5_RN3WTF6VectorINS_6CookieELm0ENS6_15CrashOnOverflowEEE
 __ZN7WebCore15GraphicsContextC1EP9CGContext
 __ZN7WebCore15GraphicsContext15drawNativeImageEP7CGImageRKNS_9FloatSizeENS_10ColorSpaceERKNS_9FloatRectES9_NS_17CompositeOperatorENS_9BlendModeENS_16ImageOrientationE
 __ZN7WebCore15ResourceRequest39updateFromDelegatePreservingOldHTTPBodyERKS0_
@@ -1831,6 +1829,7 @@ __ZN7WebCore31contextMenuItemTagMakeLowerCaseEv
 __ZN7WebCore31contextMenuItemTagMakeUpperCaseEv
 __ZN7WebCore31contextMenuItemTagStartSpeakingEv
 __ZN7WebCore32applicationIsAOLInstantMessengerEv
+__ZN7WebCore32collectDictationTextAlternativesEP18NSAttributedStringRN3WTF6VectorINS_24TextAlternativeWithRangeELm0ENS2_15CrashOnOverflowEEE
 __ZN7WebCore32contextMenuItemTagInspectElementEv
 __ZN7WebCore32contextMenuItemTagSmartCopyPasteEv
 __ZN7WebCore33postScriptDocumentTypeDescriptionEv
@@ -1856,7 +1855,6 @@ __ZN7WebCore6Editor13canDHTMLPasteEv
 __ZN7WebCore6Editor13tryDHTMLPasteEv
 __ZN7WebCore6Editor24advanceToNextMisspellingEb
 __ZN7WebCore6Editor26dataSelectionForPasteboardERKN3WTF6StringE
-__ZN7WebCore6Editor26writeSelectionToPasteboardERKN3WTF6StringERKNS1_6VectorIS2_Lm0EEE
 __ZN7WebCore6Editor27readSelectionFromPasteboardERKN3WTF6StringE
 __ZN7WebCore6Editor28stringSelectionForPasteboardEv
 __ZN7WebCore6Widget17setPlatformWidgetEP6NSView
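Review bot: Editor::writeSelectionToPasteboard is removed here with no updated Vector<String, 0, CrashOnOverflow> counterpart anywhere in this patch; if any client still links against it, this will surface as an undefined symbol at link time. Either confirm in the ChangeLog that the export is intentionally dropped or re-add it with the new mangling.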
@@ -2016,7 +2014,6 @@ __ZN7WebCore10inSameLineERKNS_15VisiblePositionES2_
 __ZN7WebCore11BidiContext41copyStackRemovingUnicodeEmbeddingContextsEv
 __ZN7WebCore11BidiContext6createEhN3WTF7Unicode9DirectionEbNS_19BidiEmbeddingSourceEPS0_
 __ZN7WebCore11EditCommand18setEndingSelectionERKNS_16VisibleSelectionE
-__ZN7WebCore11FileChooser16chooseMediaFilesERKN3WTF6VectorINS1_6StringELm0EEERKS3_PNS_4IconE
 __ZN7WebCore11ImageSource26s_acceleratedImageDecodingE
 __ZN7WebCore11ImageSource33maximumImageSizeBeforeSubsamplingEv
 __ZN7WebCore11ImageSource36setMaximumImageSizeBeforeSubsamplingEj
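Review bot: FileChooser::chooseMediaFiles is removed with no replacement in this patch, unlike the surrounding hunks where each Vector-taking symbol is re-added with the CrashOnOverflow parameter; please confirm this export is genuinely unused, otherwise add the updated mangled name.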
@@ -2143,15 +2140,12 @@ __ZN7WebCore5Frame43setRangedSelectionBaseToCurrentSelectionEndEv
 __ZN7WebCore5Frame45setRangedSelectionBaseToCurrentSelectionStartEv
 __ZN7WebCore5Frame52setRangedSelectionInitialExtentToCurrentSelectionEndEv
 __ZN7WebCore5Frame54setRangedSelectionInitialExtentToCurrentSelectionStartEv
-__ZN7WebCore5Range21collectSelectionRectsERN3WTF6VectorINS_13SelectionRectELm0EEE
 __ZN7WebCore5Range6createEN3WTF10PassRefPtrINS_8DocumentEEERKNS_15VisiblePositionES7_
 __ZN7WebCore5Range6createEN3WTF10PassRefPtrINS_8DocumentEEERKNS_8PositionES7_
 __ZN7WebCore6Chrome11focusNSViewEP7WAKView
 __ZN7WebCore6Editor17confirmMarkedTextEv
-__ZN7WebCore6Editor22insertDictationPhrasesEN3WTF10PassOwnPtrINS1_6VectorINS3_INS1_6StringELm0EEELm0EEEEENS1_9RetainPtrIP11objc_objectEE
 __ZN7WebCore6Editor23setTextAsChildOfElementERKN3WTF6StringEPNS_7ElementE
 __ZN7WebCore6Editor33markMisspellingsAfterTypingToWordERKNS_15VisiblePositionERKNS_16VisibleSelectionEb
-__ZN7WebCore6Editor35setDictationPhrasesAsChildOfElementEN3WTF10PassOwnPtrINS1_6VectorINS3_INS1_6StringELm0EEELm0EEEEENS1_9RetainPtrIP11objc_objectEEPNS_7ElementE
 __ZN7WebCore6Editor46setTextAlignmentForChangedBaseWritingDirectionE16WritingDirection
 __ZN7WebCore6Editor59ensureLastEditCommandHasCurrentSelectionIfOpenForMoreTypingEv
 __ZN7WebCore6WidgetC2EP7WAKView
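Review bot: three exports are removed in this hunk with no updated counterparts (Range::collectSelectionRects, Editor::insertDictationPhrases, Editor::setDictationPhrasesAsChildOfElement); the latter two take a nested Vector<Vector<String>>, so both the inner and outer Vector need the new parameter in the re-added mangling. If these are still referenced by the clients built from this section, the link will fail; either re-add them or state in the ChangeLog that they are dropped deliberately.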
@@ -2169,6 +2163,8 @@ __ZN7WebCore9FrameView30graphicsLayerForPlatformWidgetEP7WAKView
 __ZN7WebCore9FrameView32setCustomFixedPositionLayoutRectERKNS_7IntRectE
 __ZN7WebCore9FrameView35setUseCustomFixedPositionLayoutRectEb
 __ZN7WebCore9PageGroup17removeVisitedLinkERKNS_4KURLE
+__ZN7WebCore9PageGroup20addUserScriptToWorldEPNS_15DOMWrapperWorldERKN3WTF6StringERKNS_4KURLERKNS3_6VectorIS4_Lm0ENS3_15CrashOnOverflowEEESE_NS_23UserScriptInjectionTimeENS_25UserContentInjectedFramesE
+__ZN7WebCore9PageGroup24addUserStyleSheetToWorldEPNS_15DOMWrapperWorldERKN3WTF6StringERKNS_4KURLERKNS3_6VectorIS4_Lm0ENS3_15CrashOnOverflowEEESE_NS_25UserContentInjectedFramesENS_14UserStyleLevelENS_22UserStyleInjectionTimeE
 __ZN7WebCore9TileCache14drainLayerPoolEv
 __ZN7WebCore9TileCache20setLayerPoolCapacityEj
 __ZN7WebCore9endOfLineERKNS_15VisiblePositionE
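Review bot: the two added PageGroup symbols (addUserScriptToWorld, addUserStyleSheetToWorld) are byte-for-byte identical to the updated lines already added in the @@ -1169,10 +1166,10 @@ hunk, and this hunk adds them without removing any previous entries. Unless this section sits in a conditional block that excludes the earlier one, these are duplicate exports; please check whether only one of the two additions is wanted.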
@@ -2291,7 +2287,7 @@ _WebCoreHas3DRendering
 #endif
 
 #if USE(ACCELERATED_COMPOSITING)
-__ZN7WebCore13GraphicsLayer11setChildrenERKN3WTF6VectorIPS0_Lm0EEE
+__ZN7WebCore13GraphicsLayer11setChildrenERKN3WTF6VectorIPS0_Lm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore13GraphicsLayer12replaceChildEPS0_S1_
 __ZN7WebCore13GraphicsLayer12setZPositionEf
 __ZN7WebCore13GraphicsLayer13addChildAboveEPS0_S1_
@@ -2370,7 +2366,6 @@ __ZTVN7WebCore16BlobRegistryImplE
 __ZN7WebCore11ContextMenu22setPlatformDescriptionEP14NSMutableArray
 __ZN7WebCore12EventHandler20sendContextMenuEventERKNS_18PlatformMouseEventE
 __ZN7WebCore15ContextMenuItem26releasePlatformDescriptionEv
-__ZN7WebCore15ContextMenuItemC1ENS_17ContextMenuActionERKN3WTF6StringEbbRNS2_6VectorIS0_Lm0EEE
 __ZN7WebCore15ContextMenuItemC1ENS_19ContextMenuItemTypeENS_17ContextMenuActionERKN3WTF6StringEPNS_11ContextMenuE
 __ZN7WebCore15ContextMenuItemC1ENS_19ContextMenuItemTypeENS_17ContextMenuActionERKN3WTF6StringEbb
 __ZN7WebCore15ContextMenuItemC1EP10NSMenuItem
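Review bot: the ContextMenuItem constructor taking a Vector<ContextMenuItem>& is removed without a CrashOnOverflow replacement, while the other constructors in this block are kept; confirm no client uses this overload, or re-add it with the updated mangling.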
@@ -2379,7 +2374,6 @@ __ZN7WebCore21ContextMenuController16clearContextMenuEv
 __ZNK7WebCore21ContextMenuController21checkOrEnableIfNeededERNS_15ContextMenuItemE
 __ZN7WebCore21ContextMenuController23contextMenuItemSelectedEPNS_15ContextMenuItemE
 __ZN7WebCore21contextMenuItemVectorEP14NSMutableArray
-__ZN7WebCore23platformMenuDescriptionERN3WTF6VectorINS_15ContextMenuItemELm0EEE
 __ZNK7WebCore11ContextMenu19platformDescriptionEv
 __ZNK7WebCore15ContextMenuItem15platformSubMenuEv
 __ZNK7WebCore15ContextMenuItem4typeEv
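Review bot: platformMenuDescription(Vector<ContextMenuItem>&) is removed here with no updated counterpart in this patch; same question as for the other bare removals: intentional drop or missing re-add?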
@@ -2675,7 +2669,7 @@ __ZN7WebCore16HTMLMediaElement14beginScrubbingEv
 __ZN7WebCore16HTMLMediaElement14exitFullscreenEv
 __ZN7WebCore16HTMLMediaElement14setCurrentTimeEfRi
 __ZN7WebCore16HTMLMediaElement15clearMediaCacheEv
-__ZN7WebCore16HTMLMediaElement20getSitesInMediaCacheERN3WTF6VectorINS1_6StringELm0EEE
+__ZN7WebCore16HTMLMediaElement20getSitesInMediaCacheERN3WTF6VectorINS1_6StringELm0ENS1_15CrashOnOverflowEEE
 __ZN7WebCore16HTMLMediaElement22clearMediaCacheForSiteERKN3WTF6StringE
 __ZN7WebCore16HTMLMediaElement4playEv
 __ZN7WebCore16HTMLMediaElement5pauseEv
@@ -2715,7 +2709,6 @@ __ZN7WebCore27AlternativeTextUIController19dismissAlternativesEv
 __ZN7WebCore27AlternativeTextUIController18removeAlternativesEy
 __ZN7WebCore27AlternativeTextUIController16showAlternativesEP6NSViewRKNS_9FloatRectEyU13block_pointerFvP8NSStringE
 __ZN7WebCore24TextAlternativeWithRangeC1EP18NSTextAlternatives8_NSRange
-__ZN7WebCore32collectDictationTextAlternativesEP18NSAttributedStringRN3WTF6VectorINS_24TextAlternativeWithRangeELm0EEE
 #endif
 
 #if ENABLE(SHADOW_DOM)
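Review bot: collectDictationTextAlternatives is removed from inside the block that closes at the #endif just below, and its updated counterpart is added in the @@ -1831,6 +1829,7 @@ hunk, in a different region of the file; if this block is conditional and that region is not, the export becomes unconditional and will be an undefined symbol on configurations that do not compile the function. Safer to keep the updated line here, next to TextAlternativeWithRange, unless the move is deliberate.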