Title: [148130] trunk
Revision
148130
Author
msab...@apple.com
Date
2013-04-10 13:01:14 -0700 (Wed, 10 Apr 2013)

Log Message

DFG: Negative size for new Array() interpreted as large unsigned int
https://bugs.webkit.org/show_bug.cgi?id=114366

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Added new check in operationNewArrayWithSize() for a negative
size.  If size is negative throw a "RangeError: Array size is not a
small enough positive integer" exception.

* dfg/DFGOperations.cpp:

LayoutTests:

New test to make sure DFG generated code for new Array() with a
computed negative size throws an exception.

* fast/js/dfg-negative-array-size-expected.txt: Added.
* fast/js/dfg-negative-array-size.html: Added.
* fast/js/script-tests/dfg-negative-array-size.js: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

Added Paths

trunk/LayoutTests/fast/js/dfg-negative-array-size-expected.txt
trunk/LayoutTests/fast/js/dfg-negative-array-size.html
trunk/LayoutTests/fast/js/script-tests/dfg-negative-array-size.js
Diff

Modified: trunk/LayoutTests/ChangeLog (148129 => 148130)


--- trunk/LayoutTests/ChangeLog	2013-04-10 19:56:23 UTC (rev 148129)
+++ trunk/LayoutTests/ChangeLog	2013-04-10 20:01:14 UTC (rev 148130)
@@ -1,3 +1,17 @@
+2013-04-10  Michael Saboff  <msab...@apple.com>
+
+        DFG: Negative size for new Array() interpreted as large unsigned int
+        https://bugs.webkit.org/show_bug.cgi?id=114366
+
+        Reviewed by Oliver Hunt.
+
+        New test to make sure DFG generated code for new Array() with a
+        computed negative size throws an exception.
+
+        * fast/js/dfg-negative-array-size-expected.txt: Added.
+        * fast/js/dfg-negative-array-size.html: Added.
+        * fast/js/script-tests/dfg-negative-array-size.js: Added.
+
 2013-04-10  Robert Hogan  <rob...@webkit.org>
 
         Empty inline continuations should only get lineboxes if the padding applies to their side of the inline

Added: trunk/LayoutTests/fast/js/dfg-negative-array-size-expected.txt (0 => 148130)


--- trunk/LayoutTests/fast/js/dfg-negative-array-size-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-negative-array-size-expected.txt	2013-04-10 20:01:14 UTC (rev 148130)
@@ -0,0 +1,10 @@
+Tests that creating an array with a negative size throws an exception.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo() threw exception RangeError: Array size is not a small enough positive integer..
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
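Review bot: the `PASS foo() threw exception ...` line pins the full message text, down to the doubled period that comes from the message's own trailing `.` plus the one the harness appends, so this file goes stale the moment the wording in dfg/DFGOperations.cpp changes or the non-DFG path reports a different string for the same input; keep that wording in one place so the two paths cannot drift apart from this expectation.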

Added: trunk/LayoutTests/fast/js/dfg-negative-array-size.html (0 => 148130)


--- trunk/LayoutTests/fast/js/dfg-negative-array-size.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-negative-array-size.html	2013-04-10 20:01:14 UTC (rev 148130)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
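Review bot: all three `<script src=""` lines in this file arrive with an empty `src` and no closing `>` or `</script>`; as shown, the page would load neither the js-test pre/post harness nor script-tests/dfg-negative-array-size.js that the ChangeLog lists, so please confirm the checked-in file carries the real paths and closed tags, otherwise the test runs nothing and produces no PASS lines at all.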

Added: trunk/LayoutTests/fast/js/script-tests/dfg-negative-array-size.js (0 => 148130)


--- trunk/LayoutTests/fast/js/script-tests/dfg-negative-array-size.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-negative-array-size.js	2013-04-10 20:01:14 UTC (rev 148130)
@@ -0,0 +1,23 @@
+description(
+"Tests that creating an array with a negative size throws an exception."
+);
+
+function foo() {
+    var totalLength = 0;
+
+    for (var i = 1; i < 6000; ++i) {
+        var j = (i > 4000) ? 2 : 0;
+        var a = new Array(1 - j);
+
+        if (a.length > 2147483647)
+            break;
+
+        totalLength += a.length;
+    }
+
+    return totalLength;
+}
+
+shouldThrow("foo()", undefined);
+
+
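Review bot: `shouldThrow("foo()", undefined)` passes on any exception at all, so a regression that made `new Array(1 - j)` throw something other than the intended RangeError (or throw from a different line) would still be reported as PASS; pass the expected exception as the second argument, e.g. `shouldThrow("foo()", "'RangeError: Array size is not a small enough positive integer.'");`, which produces the same PASS line but fails on a mismatch. Two smaller points: a one-line comment on why `j` flips only once `i > 4000` (warm the loop up so the DFG compiles it with a positive size before the computed size becomes -1) would help the next reader, and the two trailing blank lines after the call can be dropped.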

Modified: trunk/Source/JavaScriptCore/ChangeLog (148129 => 148130)


--- trunk/Source/_javascript_Core/ChangeLog	2013-04-10 19:56:23 UTC (rev 148129)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-04-10 20:01:14 UTC (rev 148130)
@@ -1,3 +1,16 @@
+2013-04-10  Michael Saboff  <msab...@apple.com>
+
+        DFG: Negative size for new Array() interpreted as large unsigned int
+        https://bugs.webkit.org/show_bug.cgi?id=114366
+
+        Reviewed by Oliver Hunt.
+
+        Added new check in operationNewArrayWithSize() for a negative
+        size.  If size is negative throw a "RangeError: Array size is not a
+        small enough positive integer" exception.
+
+        * dfg/DFGOperations.cpp:
+
 2013-04-10  pe...@outlook.com  <pe...@outlook.com>
 
         WinCairo build fails to link.

Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (148129 => 148130)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2013-04-10 19:56:23 UTC (rev 148129)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2013-04-10 20:01:14 UTC (rev 148130)
@@ -1291,7 +1291,10 @@
 {
     JSGlobalData* globalData = &exec->globalData();
     NativeCallFrameTracer tracer(globalData, exec);
-    
+
+    if (size < 0)
+        return bitwise_cast<char*>(throwError(exec, createRangeError(exec, ASCIILiteral("Array size is not a small enough positive integer."))));
+
     return bitwise_cast<char*>(JSArray::create(*globalData, arrayStructure, size));
 }
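Review bot: whether `if (size < 0)` can ever be true depends on the declared type of `size`, which sits above this hunk; the check only works if the parameter is a signed integer such as int32_t, whereas an unsigned parameter would make the comparison always false (with a compiler warning) and let the reinterpreted value reach `JSArray::create(*globalData, arrayStructure, size)` unchanged, so please confirm the signature and the type of the value the JIT passes in. Two follow-ups: the RangeError text is a literal that the new layout test pins verbatim, so if the same wording exists on the non-DFG path hoist it to a shared constant rather than keeping two copies; and since the ChangeLog lists only dfg/DFGOperations.cpp, it is worth stating that the DFG's inline allocation for a non-constant size always goes through this operation, otherwise a negative size could still bypass the new check.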
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
