Title: [273175] branches/safari-611-branch/Source/_javascript_Core
Revision
273175
Author
alanc...@apple.com
Date
2021-02-19 15:37:55 -0800 (Fri, 19 Feb 2021)

Log Message

Cherry-pick r272938. rdar://problem/74500752

    operationNewArrayWithSize should call tryCreate instead of create
    https://bugs.webkit.org/show_bug.cgi?id=221983
    <rdar://74265630>

    Reviewed by Mark Lam.

    I disassembled crashlogs inside operationNewArrayWithSize. They are crashing
    inside array allocation. They are crashing on OOM. By code inspection,
    operationNewArrayWithSizeAndHint has the same problem.

    Callsites to both functions already handle exceptions being thrown, so
    converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint
    to throw instead of crash on OOM is trivial.

    I wasn't able to come up with a test case for this.

    * dfg/DFGOperations.cpp:
    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
    * runtime/ObjectConstructor.cpp:
    (JSC::ownPropertyKeys):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272938 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-611-branch/Source/_javascript_Core/ChangeLog (273174 => 273175)


--- branches/safari-611-branch/Source/_javascript_Core/ChangeLog	2021-02-19 23:37:52 UTC (rev 273174)
+++ branches/safari-611-branch/Source/_javascript_Core/ChangeLog	2021-02-19 23:37:55 UTC (rev 273175)
@@ -1,3 +1,54 @@
+2021-02-19  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r272938. rdar://problem/74500752
+
+    operationNewArrayWithSize should call tryCreate instead of create
+    https://bugs.webkit.org/show_bug.cgi?id=221983
+    <rdar://74265630>
+    
+    Reviewed by Mark Lam.
+    
+    I disassembled crashlogs inside operationNewArrayWithSize. They are crashing
+    inside array allocation. They are crashing on OOM. By code inspection,
+    operationNewArrayWithSizeAndHint has the same problem.
+    
+    Callsites to both functions already handle exceptions being thrown, so
+    converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint
+    to throw instead of crash on OOM is trivial.
+    
+    I wasn't able to come up with a test case for this.
+    
+    * dfg/DFGOperations.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * runtime/ObjectConstructor.cpp:
+    (JSC::ownPropertyKeys):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272938 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-02-16  Saam Barati  <sbar...@apple.com>
+
+            operationNewArrayWithSize should call tryCreate instead of create
+            https://bugs.webkit.org/show_bug.cgi?id=221983
+            <rdar://74265630>
+
+            Reviewed by Mark Lam.
+
+            I disassembled crashlogs inside operationNewArrayWithSize. They are crashing
+            inside array allocation. They are crashing on OOM. By code inspection,
+            operationNewArrayWithSizeAndHint has the same problem.
+
+            Callsites to both functions already handle exceptions being thrown, so
+            converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint
+            to throw instead of crash on OOM is trivial.
+
+            I wasn't able to come up with a test case for this.
+
+            * dfg/DFGOperations.cpp:
+            (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+            * runtime/ObjectConstructor.cpp:
+            (JSC::ownPropertyKeys):
+
 2021-02-16  Ruben Turcios  <rubent...@apple.com>
 
         Cherry-pick r272685. rdar://problem/74410538
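Review bot: the nested original entry (the "2021-02-16  Saam Barati" block) is indented four spaces deeper than the surrounding ChangeLog entries, and several of the blank lines inside the cherry-pick wrapper carry trailing whitespace ("+    " with no text). Both are style nits worth cleaning before landing: re-indent the inner entry to match the file's existing entries and strip the trailing spaces so the ChangeLog stays consistent with the "2021-02-16  Ruben Turcios" entry that follows.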

Modified: branches/safari-611-branch/Source/_javascript_Core/dfg/DFGOperations.cpp (273174 => 273175)


--- branches/safari-611-branch/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-02-19 23:37:52 UTC (rev 273174)
+++ branches/safari-611-branch/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-02-19 23:37:55 UTC (rev 273175)
@@ -1753,14 +1753,21 @@
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (UNLIKELY(size < 0))
-        return bitwise_cast<char*>(throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s)));
+    if (UNLIKELY(size < 0)) {
+        throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s));
+        return nullptr;
+    }
 
     JSArray* result;
     if (butterfly)
         result = JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly);
-    else
-        result = JSArray::create(vm, arrayStructure, size);
+    else {
+        result = JSArray::tryCreate(vm, arrayStructure, size);
+        if (UNLIKELY(!result)) {
+            throwOutOfMemoryError(globalObject, scope);
+            return nullptr;
+        }
+    }
     return bitwise_cast<char*>(result);
 }
 
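Review bot: only the non-butterfly branch gains a null check; the `if (butterfly)` branch still calls `JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly)` unconditionally and its result is cast and returned without inspection. If that path cannot fail for an already-allocated butterfly, a one-line comment saying so next to the `else` would make the asymmetry deliberate; if it can, it needs the same `throwOutOfMemoryError` + `return nullptr` treatment. The negative-size rewrite (`throwException(...)` followed by `return nullptr;` instead of casting the thrown value) is a behaviour-preserving cleanup and reads more clearly than the previous `bitwise_cast<char*>(throwException(...))`.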
@@ -1771,8 +1778,10 @@
     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (UNLIKELY(size < 0))
-        return bitwise_cast<char*>(throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s)));
+    if (UNLIKELY(size < 0)) {
+        throwException(globalObject, scope, createRangeError(globalObject, "Array size is not a small enough positive integer."_s));
+        return nullptr;
+    }
 
     JSArray* result;
     if (butterfly)
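Review bot: this negative-size block is now byte-for-byte identical to the one in the previous hunk for `operationNewArrayWithSize`, down to the `"Array size is not a small enough positive integer."_s` message. Consider factoring the check and throw into a small shared helper so the two JIT operations cannot drift apart again; the duplicated `RangeError` text is the kind of thing that gets fixed in one copy and not the other.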
@@ -1779,7 +1788,10 @@
         result = JSArray::createWithButterfly(vm, nullptr, arrayStructure, butterfly);
     else {
         result = JSArray::tryCreate(vm, arrayStructure, size, vectorLengthHint);
-        RELEASE_ASSERT(result);
+        if (UNLIKELY(!result)) {
+            throwOutOfMemoryError(globalObject, scope);
+            return nullptr;
+        }
     }
     return bitwise_cast<char*>(result);
 }
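Review bot: the removed `RELEASE_ASSERT(result);` was the deliberate crash-on-OOM that the ChangeLog describes, and `tryCreate` already reports failure by returning null, so replacing the assert with `throwOutOfMemoryError(globalObject, scope); return nullptr;` is the right fix. The ChangeLog could say explicitly that a `RELEASE_ASSERT` is being downgraded to a thrown exception here, since that is a visible change in failure behaviour for callers, and since no test covers it the caller-side exception handling the ChangeLog relies on ("Callsites to both functions already handle exceptions being thrown") is worth naming in the review.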

Modified: branches/safari-611-branch/Source/_javascript_Core/runtime/ObjectConstructor.cpp (273174 => 273175)


--- branches/safari-611-branch/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2021-02-19 23:37:52 UTC (rev 273174)
+++ branches/safari-611-branch/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2021-02-19 23:37:55 UTC (rev 273175)
@@ -908,6 +908,8 @@
                 }
 
                 size_t numProperties = properties.size();
+                // FIXME: We should probably be calling tryCreate here:
+                // https://bugs.webkit.org/show_bug.cgi?id=221984
                 JSArray* keys = JSArray::create(vm, globalObject->originalArrayStructureForIndexingType(ArrayWithContiguous), numProperties);
                 WriteBarrier<Unknown>* buffer = keys->butterfly()->contiguous().data();
                 for (size_t i = 0; i < numProperties; i++) {
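Review bot: this hunk only adds a FIXME comment, yet the ChangeLog lists `(JSC::ownPropertyKeys)` under `runtime/ObjectConstructor.cpp` as if it were modified; the entry should say the change is a FIXME pointing at bug 221984 so nobody reads it as a behaviour change. When that follow-up does switch `JSArray::create(...)` to `tryCreate`, note that the very next line, `keys->butterfly()->contiguous().data()`, dereferences `keys` immediately, so the null check (and the `throwOutOfMemoryError` path used in DFGOperations.cpp) has to land between the two lines.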
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes