Title: [136536] trunk/Source/_javascript_Core
Revision
136536
Author
fpi...@apple.com
Date
2012-12-04 11:25:38 -0800 (Tue, 04 Dec 2012)

Log Message

jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
https://bugs.webkit.org/show_bug.cgi?id=104020
<rdar://problem/12802478>

Reviewed by Mark Hahnenberg.

Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
and that is indeed the contract of ArrayBuffer and TypedArrayBase.

* JSCTypedArrayStubs.h:
(JSC):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (136535 => 136536)


--- trunk/Source/_javascript_Core/ChangeLog	2012-12-04 19:21:28 UTC (rev 136535)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-12-04 19:25:38 UTC (rev 136536)
@@ -1,3 +1,17 @@
+2012-12-04  Filip Pizlo  <fpi...@apple.com>
+
+        jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
+        https://bugs.webkit.org/show_bug.cgi?id=104020
+        <rdar://problem/12802478>
+
+        Reviewed by Mark Hahnenberg.
+
+        Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
+        and that is indeed the contract of ArrayBuffer and TypedArrayBase.
+
+        * JSCTypedArrayStubs.h:
+        (JSC):
+
 2012-12-03  Peter Rybin  <pry...@chromium.org>
 
         Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful

Modified: trunk/Source/_javascript_Core/JSCTypedArrayStubs.h (136535 => 136536)


--- trunk/Source/_javascript_Core/JSCTypedArrayStubs.h	2012-12-04 19:21:28 UTC (rev 136535)
+++ trunk/Source/_javascript_Core/JSCTypedArrayStubs.h	2012-12-04 19:25:38 UTC (rev 136536)
@@ -184,7 +184,10 @@
     if (length < 0) \
         return JSValue::encode(jsUndefined()); \
     Structure* structure = JS##name##Array::createStructure(callFrame->globalData(), callFrame->lexicalGlobalObject(), callFrame->lexicalGlobalObject()->objectPrototype()); \
-    return JSValue::encode(JS##name##Array::create(structure, callFrame->lexicalGlobalObject(), name##Array::create(length)));\
+    RefPtr<name##Array> buffer = name##Array::create(length); \
+    if (!buffer) \
+        return throwVMError(callFrame, createRangeError(callFrame, "ArrayBuffer size is not a small enough positive integer.")); \
+    return JSValue::encode(JS##name##Array::create(structure, callFrame->lexicalGlobalObject(), buffer.release())); \
 }
 
 TYPED_ARRAY(Uint8, uint8_t);
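Review bot: The two failure paths in this constructor stub are now inconsistent: `if (length < 0)` still returns `jsUndefined()` silently, while the new `if (!buffer)` branch throws a RangeError. A caller asking for a negative length and a caller asking for a length the allocator refuses are both invalid-size cases and should fail the same observable way; consider changing the first branch to `return throwVMError(callFrame, createRangeError(callFrame, ...))` as well, so scripts in jsc cannot distinguish the two by one yielding `undefined` and the other throwing. The null check itself is the right fix: before this change a null `name##Array::create(length)` result was handed straight to `JS##name##Array::create`, and the first access through the wrapper would have dereferenced it. Two smaller points: the message "ArrayBuffer size is not a small enough positive integer." is emitted from a typed array constructor rather than from ArrayBuffer itself, so naming the typed array type would make the error easier to act on; and since the ChangeLog entry lists no test, a regression test that requests a length large enough for `name##Array::create` to return null and asserts that a RangeError is thrown (instead of a crash) would lock this behaviour in.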
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
