Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (215344 => 215345)
--- trunk/Source/_javascript_Core/ChangeLog 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-04-13 23:13:41 UTC (rev 215345)
@@ -1,3 +1,45 @@
+2017-04-13 Oliver Hunt <oli...@apple.com>
+
+ allocationSize should use safe arithmetic by default
+ https://bugs.webkit.org/show_bug.cgi?id=170804
+
+ Reviewed by JF Bastien.
+
+ Make all allocationSize() functions work in terms
+ of Checked<size_t>
+
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::offsetOfSlot):
+ (JSC::DirectArguments::allocationSize):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBuffer::allocationSize):
+ * runtime/JSArray.h:
+ (JSC::JSArray::allocationSize):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::allocationSize):
+ * runtime/JSAsyncFunction.h:
+ (JSC::JSAsyncFunction::allocationSize):
+ * runtime/JSFixedArray.h:
+ (JSC::JSFixedArray::allocationSize):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::allocationSize):
+ * runtime/JSGeneratorFunction.h:
+ (JSC::JSGeneratorFunction::allocationSize):
+ * runtime/JSModuleNamespaceObject.h:
+ * runtime/JSObject.h:
+ (JSC::JSFinalObject::allocationSize):
+ * runtime/JSWrapperObject.h:
+ (JSC::JSWrapperObject::allocationSize):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::allocationSize):
+ * runtime/VM.h:
+ (JSC::ScratchBuffer::allocationSize):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
+ (JSC::JSWebAssemblyCodeBlock::allocationSize):
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::allocationSize):
+
2017-04-13 JF Bastien <jfbast...@apple.com>
WebAssembly: manage memory better
Modified: trunk/Source/_javascript_Core/runtime/DirectArguments.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/DirectArguments.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/DirectArguments.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -143,12 +143,12 @@
return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(DirectArguments));
}
- static size_t offsetOfSlot(uint32_t index)
+ static size_t offsetOfSlot(Checked<size_t> index)
{
- return storageOffset() + sizeof(WriteBarrier<Unknown>) * index;
+ return (storageOffset() + sizeof(WriteBarrier<Unknown>) * index).unsafeGet();
}
- static size_t allocationSize(uint32_t capacity)
+ static size_t allocationSize(Checked<size_t> capacity)
{
return offsetOfSlot(capacity);
}
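Review bot: Neither `offsetOfSlot` nor `allocationSize` says what happens when `sizeof(WriteBarrier<Unknown>) * index` overflows, and the name `unsafeGet()` reads like the opposite of the intent; with WTF's default `Checked` overflow handler (CrashOnOverflow, as I read it) an oversized request terminates the process at `.unsafeGet()` instead of returning a wrapped, undersized cell, which is the property this commit buys. I'd record that above `allocationSize`: `// Overflow in the size computation traps (Checked<size_t> default handler) rather than yielding an undersized cell.` Because `offsetOfSlot` also serves per-element offsets, a `Checked` argument that already overflowed in the caller traps here as well, which is the desired propagation. `storageOffset()` begins before this hunk, so I am assuming it returns `size_t`.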
Modified: trunk/Source/_javascript_Core/runtime/HashMapImpl.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/HashMapImpl.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/HashMapImpl.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -161,9 +161,9 @@
public:
HashMapBuffer() = delete;
- static size_t allocationSize(uint32_t capacity)
+ static size_t allocationSize(Checked<size_t> capacity)
{
- return capacity * sizeof(BucketType*);
+ return (capacity * sizeof(BucketType*)).unsafeGet();
}
ALWAYS_INLINE BucketType** buffer() const
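Review bot: The parameter went from `uint32_t` to `Checked<size_t>`, so a caller passing a signed or out-of-range value now traps in the `Checked` converting constructor (if it range-checks, as I believe it does) rather than silently widening and having the multiply wrap — a good change that deserves a note, since `unsafeGet()` suggests the opposite. Suggest above `allocationSize`: `// Traps (does not wrap) if capacity * sizeof(BucketType*) overflows size_t.` The enclosing `HashMapBuffer` class continues outside this hunk.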
Modified: trunk/Source/_javascript_Core/runtime/JSArray.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSArray.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSArray.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -39,7 +39,7 @@
typedef JSNonFinalObject Base;
static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
return sizeof(JSArray);
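Review bot: `!inlineCapacity` now goes through `Checked<size_t>::operator!`, which (if it behaves like the other `Checked` accessors) itself traps on an overflowed value, and the assert only exists in debug builds, so release builds accept any capacity as before; a comment should say why a `Checked` parameter is taken at all for a fixed-size cell. Suggest `// Fixed-size cell: the Checked parameter only keeps the signature uniform with the variable-size allocationSize() overloads and must be zero.` The same applies to the identical hunks in JSArrayBufferView, JSAsyncFunction, JSFunction, JSGeneratorFunction and JSWrapperObject.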
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -103,7 +103,7 @@
& ~(sizeof(EncodedJSValue) - 1);
}
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
return sizeof(JSArrayBufferView);
Modified: trunk/Source/_javascript_Core/runtime/JSAsyncFunction.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSAsyncFunction.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSAsyncFunction.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -43,7 +43,7 @@
static JSAsyncFunction* create(VM&, FunctionExecutable*, JSScope*, Structure*);
static JSAsyncFunction* createWithInvalidatedReallocationWatchpoint(VM&, FunctionExecutable*, JSScope*);
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
return sizeof(JSAsyncFunction);
Modified: trunk/Source/_javascript_Core/runtime/JSFixedArray.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSFixedArray.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSFixedArray.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -131,9 +131,9 @@
}
- static size_t allocationSize(unsigned numItems)
+ static size_t allocationSize(Checked<size_t> numItems)
{
- return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>);
+ return (offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>)).unsafeGet();
}
};
Modified: trunk/Source/_javascript_Core/runtime/JSFunction.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSFunction.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -65,7 +65,7 @@
typedef JSCallee Base;
const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
return sizeof(JSFunction);
Modified: trunk/Source/_javascript_Core/runtime/JSGeneratorFunction.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSGeneratorFunction.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSGeneratorFunction.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -72,7 +72,7 @@
static JSGeneratorFunction* create(VM&, FunctionExecutable*, JSScope*, Structure*);
static JSGeneratorFunction* createWithInvalidatedReallocationWatchpoint(VM&, FunctionExecutable*, JSScope*);
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
return sizeof(JSGeneratorFunction);
Modified: trunk/Source/_javascript_Core/runtime/JSModuleNamespaceObject.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSModuleNamespaceObject.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSModuleNamespaceObject.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -88,9 +88,9 @@
return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<AbstractModuleRecord>)>(sizeof(JSModuleNamespaceObject));
}
- static size_t allocationSize(unsigned moduleRecords)
+ static size_t allocationSize(Checked<size_t> moduleRecords)
{
- return offsetOfModuleRecords() + moduleRecords * sizeof(WriteBarrier<AbstractModuleRecord>);
+ return (offsetOfModuleRecords() + moduleRecords * sizeof(WriteBarrier<AbstractModuleRecord>)).unsafeGet();
}
struct ExportEntry {
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -1080,9 +1080,9 @@
typedef JSObject Base;
static const unsigned StructureFlags = Base::StructureFlags;
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
- return sizeof(JSObject) + inlineCapacity * sizeof(WriteBarrierBase<Unknown>);
+ return (sizeof(JSObject) + inlineCapacity * sizeof(WriteBarrierBase<Unknown>)).unsafeGet();
}
static inline const TypeInfo typeInfo() { return TypeInfo(FinalObjectType, StructureFlags); }
Modified: trunk/Source/_javascript_Core/runtime/JSWrapperObject.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/JSWrapperObject.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/JSWrapperObject.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -31,7 +31,7 @@
public:
typedef JSDestructibleObject Base;
- static size_t allocationSize(size_t inlineCapacity)
+ static size_t allocationSize(Checked<size_t> inlineCapacity)
{
ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
return sizeof(JSWrapperObject);
Modified: trunk/Source/_javascript_Core/runtime/ScopedArguments.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -145,9 +145,9 @@
return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(ScopedArguments));
}
- static size_t allocationSize(unsigned overflowArgumentsLength)
+ static size_t allocationSize(Checked<size_t> overflowArgumentsLength)
{
- return overflowStorageOffset() + sizeof(WriteBarrier<Unknown>) * overflowArgumentsLength;
+ return (overflowStorageOffset() + sizeof(WriteBarrier<Unknown>) * overflowArgumentsLength).unsafeGet();
}
private:
Modified: trunk/Source/_javascript_Core/runtime/VM.h (215344 => 215345)
--- trunk/Source/_javascript_Core/runtime/VM.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -60,6 +60,7 @@
#include "Watchpoint.h"
#include <wtf/Bag.h>
#include <wtf/BumpPointerAllocator.h>
+#include <wtf/CheckedArithmetic.h>
#include <wtf/DateMath.h>
#include <wtf/Deque.h>
#include <wtf/DoublyLinkedList.h>
@@ -219,7 +220,7 @@
return result;
}
- static size_t allocationSize(size_t bufferSize) { return sizeof(ScratchBuffer) + bufferSize; }
+ static size_t allocationSize(Checked<size_t> bufferSize) { return (sizeof(ScratchBuffer) + bufferSize).unsafeGet(); }
void setActiveLength(size_t activeLength) { u.m_activeLength = activeLength; }
size_t activeLength() const { return u.m_activeLength; };
size_t* activeLengthPtr() { return &u.m_activeLength; };
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h (215344 => 215345)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -96,14 +96,14 @@
static void destroy(JSCell*);
static void visitChildren(JSCell*, SlotVisitor&);
- static ptrdiff_t offsetOfImportStubs()
+ static size_t offsetOfImportStubs()
{
return WTF::roundUpToMultipleOf<sizeof(void*)>(sizeof(JSWebAssemblyCodeBlock));
}
- static size_t allocationSize(unsigned functionImportCount)
+ static size_t allocationSize(Checked<size_t> functionImportCount)
{
- return offsetOfImportStubs() + sizeof(void*) * functionImportCount;
+ return (offsetOfImportStubs() + sizeof(void*) * functionImportCount).unsafeGet();
}
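Review bot: The `ptrdiff_t` to `size_t` change on `offsetOfImportStubs` is load-bearing for the checked expression below it (it keeps the addition unsigned so it stays inside `Checked<size_t>` instead of mixing in a signed offset), but neither the code nor the ChangeLog says so, and someone could revert it as a cosmetic change. Suggest `// size_t, not ptrdiff_t: this offset feeds the Checked<size_t> arithmetic in allocationSize().` `importWasmToJSStub` at the end of the hunk continues outside it, so I cannot see whether its per-index offset uses the same helper.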
void*& importWasmToJSStub(unsigned importIndex)
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h (215344 => 215345)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -84,9 +84,9 @@
static void destroy(JSCell*);
static void visitChildren(JSCell*, SlotVisitor&);
- static size_t allocationSize(unsigned numImportFunctions)
+ static size_t allocationSize(Checked<size_t> numImportFunctions)
{
- return offsetOfImportFunctions() + sizeof(WriteBarrier<JSCell>) * numImportFunctions;
+ return (offsetOfImportFunctions() + sizeof(WriteBarrier<JSCell>) * numImportFunctions).unsafeGet();
}
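Review bot: `offsetOfImportFunctions()` feeds the new `Checked<size_t>` expression but is not touched by this commit, whereas the parallel `offsetOfImportStubs` in JSWebAssemblyCodeBlock was switched from `ptrdiff_t` to `size_t` for exactly that reason; if it still returns `ptrdiff_t`, the addition mixes a signed value into the checked arithmetic. Please confirm it already returns `size_t` and, if not, make the same return-type change here. Its definition is outside this hunk.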
private:
Modified: trunk/Source/WTF/ChangeLog (215344 => 215345)
--- trunk/Source/WTF/ChangeLog 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/WTF/ChangeLog 2017-04-13 23:13:41 UTC (rev 215345)
@@ -1,3 +1,17 @@
+2017-04-13 Oliver Hunt <oli...@apple.com>
+
+ allocationSize should use safe arithmetic by default
+ https://bugs.webkit.org/show_bug.cgi?id=170804
+
+ Reviewed by JF Bastien.
+
+ Make all allocationSize() functions work in terms
+ of Checked<size_t>
+
+ * wtf/text/StringImpl.h:
+ (WTF::StringImpl::allocationSize):
+ (WTF::StringImpl::tailOffset):
+
2017-04-13 JF Bastien <jfbast...@apple.com>
WebAssembly: manage memory better
Modified: trunk/Source/WTF/wtf/text/StringImpl.h (215344 => 215345)
--- trunk/Source/WTF/wtf/text/StringImpl.h 2017-04-13 22:48:13 UTC (rev 215344)
+++ trunk/Source/WTF/wtf/text/StringImpl.h 2017-04-13 23:13:41 UTC (rev 215345)
@@ -27,6 +27,7 @@
#include <unicode/uchar.h>
#include <unicode/ustring.h>
#include <wtf/ASCIICType.h>
+#include <wtf/CheckedArithmetic.h>
#include <wtf/Forward.h>
#include <wtf/Hasher.h>
#include <wtf/MathExtras.h>
@@ -773,13 +774,13 @@
}
template<typename T>
- static size_t allocationSize(unsigned tailElementCount)
+ static size_t allocationSize(Checked<size_t> tailElementCount)
{
- return tailOffset<T>() + tailElementCount * sizeof(T);
+ return (tailOffset<T>() + tailElementCount * sizeof(T)).unsafeGet();
}
template<typename T>
- static ptrdiff_t tailOffset()
+ static size_t tailOffset()
{
#if COMPILER(MSVC)
// MSVC doesn't support alignof yet.
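Review bot: With the default `Checked` overflow handler, `allocationSize<T>` now terminates the process on overflow at `.unsafeGet()`, which is the right floor for the plain create path, but any caller meant to fail gracefully on an oversized length (a try-create style path returning null, if this file has one) must now pre-check with `Checked<size_t, RecordOverflow>` before calling, or it gets a crash where it expected a null. Suggest above `allocationSize`: `// Traps on overflow; callers that want a recoverable failure must check the size with RecordOverflow first.` `tailOffset<T>` continues past the hunk (the MSVC branch and its return are not visible), so I cannot confirm its body against the new `size_t` return type, though `sizeof`/`alignof` results are unsigned so it should be consistent.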