Title: [214374] trunk/Source/_javascript_Core
Revision: 214374
Author: mark....@apple.com
Date: 2017-03-24 13:56:45 -0700 (Fri, 24 Mar 2017)

Log Message

Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
https://bugs.webkit.org/show_bug.cgi?id=170064
<rdar://problem/31246098>

Reviewed by Geoffrey Garen.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/JSArray.cpp:
(JSC::JSArray::fastSlice):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (214373 => 214374)


--- trunk/Source/_javascript_Core/ChangeLog	2017-03-24 20:51:27 UTC (rev 214373)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-03-24 20:56:45 UTC (rev 214374)
@@ -1,3 +1,16 @@
+2017-03-24  Mark Lam  <mark....@apple.com>
+
+        Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
+        https://bugs.webkit.org/show_bug.cgi?id=170064
+        <rdar://problem/31246098>
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoPrivateFuncConcatMemcpy):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::fastSlice):
+
 2017-03-23  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Use jsNontrivialString agressively for ToString(Int52)
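Review bot: the ChangeLog entry lists the two touched functions but never states what the fix is or why it is needed; it should say that the memcpy fast paths in `arrayProtoPrivateFuncConcatMemcpy` and `JSArray::fastSlice` cannot populate an ArrayStorage-backed array, so they now bail out to the generic path when the global object is "having a bad time" (the case in which `arrayStructureForIndexingTypeDuringAllocation` hands back an ArrayStorage structure). It should also note whether a regression test accompanies the change, since no test file appears among the modified paths in this revision.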

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (214373 => 214374)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2017-03-24 20:51:27 UTC (rev 214373)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2017-03-24 20:56:45 UTC (rev 214374)
@@ -1327,7 +1327,12 @@
         return JSValue::encode(result);
     }
 
-    Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
+    JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
+    Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(type);
+    if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+        return JSValue::encode(jsNull());
+
+    ASSERT(!lexicalGlobalObject->isHavingABadTime());
     JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, resultSize);
     if (UNLIKELY(!result)) {
         throwOutOfMemoryError(exec, scope);
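Review bot: the new early exit `return JSValue::encode(jsNull());` is only correct if every caller of arrayProtoPrivateFuncConcatMemcpy treats a null result as "fall back to the slow path" rather than as the concatenated array; that contract is not visible in this hunk, so please confirm it and add a one-line comment above the `hasAnyArrayStorage` check explaining that the memcpy fast path cannot fill ArrayStorage, which is what the following `ASSERT(!lexicalGlobalObject->isHavingABadTime());` documents. Note that the ASSERT compiles away in release builds, so the hasAnyArrayStorage test is the sole guard there; it is correctly placed before `tryCreateForInitializationPrivate`, so no array is allocated with a shape the copy loop cannot handle.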

Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (214373 => 214374)


--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2017-03-24 20:51:27 UTC (rev 214373)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2017-03-24 20:56:45 UTC (rev 214374)
@@ -855,7 +855,12 @@
         if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
             return nullptr;
 
-        Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+        JSGlobalObject* lexicalGlobalObject = exec.lexicalGlobalObject();
+        Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+        if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+            return nullptr;
+
+        ASSERT(!lexicalGlobalObject->isHavingABadTime());
         JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
         if (UNLIKELY(!resultArray))
             return nullptr;
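Review bot: returning nullptr on the new check is consistent with the existing bail-out just above it (`if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm)) return nullptr;`), but the reason for the check is left implicit; a short comment stating that an ArrayStorage result structure means the global object is having a bad time, and that fastSlice cannot copy into that representation, would save readers from inferring it from the debug-only `ASSERT(!lexicalGlobalObject->isHavingABadTime());`. As in ArrayPrototype.cpp, the `hasAnyArrayStorage` test carries the release-build guarantee, and it runs before `tryCreateForInitializationPrivate`, so the early return avoids allocating a result array of the wrong shape.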