Title: [176624] trunk/Source/_javascript_Core
Revision
176624
Author
msab...@apple.com
Date
2014-12-01 18:50:15 -0800 (Mon, 01 Dec 2014)

Log Message

Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
https://bugs.webkit.org/show_bug.cgi?id=139165

Reviewed by Oliver Hunt.

If we don't have any getById or putById variants, emit non-cached versions of these operations.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (176623 => 176624)


--- trunk/Source/_javascript_Core/ChangeLog	2014-12-02 02:29:53 UTC (rev 176623)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-12-02 02:50:15 UTC (rev 176624)
@@ -1,3 +1,16 @@
+2014-12-01  Michael Saboff  <msab...@apple.com>
+
+        Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
+        https://bugs.webkit.org/show_bug.cgi?id=139165
+
+        Reviewed by Oliver Hunt.
+
+        If we don't have any getById or putById variants, emit non-cached versions of these operations.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleGetById):
+        (JSC::DFG::ByteCodeParser::handlePutById):
+
 2014-12-01  Andreas Kling  <akl...@apple.com>
 
         Optimize constructing JSC::Identifier from AtomicString.
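Review bot: the ChangeLog entry lists no regression test for a crash that was reproduced on a live page (the weather.com search field); a reduced test case listed under the usual `* tests/...` line, or a sentence explaining why one could not be written, should accompany the fix.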

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (176623 => 176624)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2014-12-02 02:29:53 UTC (rev 176623)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2014-12-02 02:50:15 UTC (rev 176624)
@@ -2018,7 +2018,7 @@
 {
     NodeType getById = getByIdStatus.makesCalls() ? GetByIdFlush : GetById;
     
-    if (!getByIdStatus.isSimple() || !Options::enableAccessInlining()) {
+    if (!getByIdStatus.isSimple() || !getByIdStatus.numVariants() || !Options::enableAccessInlining()) {
         set(VirtualRegister(destinationOperand),
             addToGraph(getById, OpInfo(identifierNumber), OpInfo(prediction), base));
         return;
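Review bot: the added `!getByIdStatus.numVariants()` check makes handleGetById fall back to a plain `GetById` when the status is "simple" yet carries no variants, which is surprising enough to deserve a comment at the check; since the log message attributes the crash to an integer overflow, the comment should name what consumes the zero count, and it is worth considering making `isSimple()` itself return false for an empty variant list so that every caller is protected rather than only the sites patched here.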
@@ -2133,7 +2133,7 @@
     Node* base, unsigned identifierNumber, Node* value,
     const PutByIdStatus& putByIdStatus, bool isDirect)
 {
-    if (!putByIdStatus.isSimple() || !Options::enableAccessInlining()) {
+    if (!putByIdStatus.isSimple() || !putByIdStatus.numVariants() || !Options::enableAccessInlining()) {
         if (!putByIdStatus.isSet())
             addToGraph(ForceOSRExit);
         emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
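Review bot: this is the same guard duplicated in handlePutById (`!putByIdStatus.numVariants()`); a shared predicate on the status objects, or folding the count check into `isSimple()`, would keep the two sites from drifting apart the next time the condition changes.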
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes