Title: [176624] trunk/Source/JavaScriptCore
- Revision
- 176624
- Author
- msab...@apple.com
- Date
- 2014-12-01 18:50:15 -0800 (Mon, 01 Dec 2014)
Log Message
Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
https://bugs.webkit.org/show_bug.cgi?id=139165
Reviewed by Oliver Hunt.
If we don't have any getById or putById variants, emit non-cached versions of these operations.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (176623 => 176624)
--- trunk/Source/_javascript_Core/ChangeLog 2014-12-02 02:29:53 UTC (rev 176623)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-12-02 02:50:15 UTC (rev 176624)
@@ -1,3 +1,16 @@
+2014-12-01 Michael Saboff <msab...@apple.com>
+
+ Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
+ https://bugs.webkit.org/show_bug.cgi?id=139165
+
+ Reviewed by Oliver Hunt.
+
+ If we don't have any getById or putById variants, emit non-cached versions of these operations.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+
2014-12-01 Andreas Kling <akl...@apple.com>
Optimize constructing JSC::Identifier from AtomicString.
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (176623 => 176624)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2014-12-02 02:29:53 UTC (rev 176623)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2014-12-02 02:50:15 UTC (rev 176624)
@@ -2018,7 +2018,7 @@
{
NodeType getById = getByIdStatus.makesCalls() ? GetByIdFlush : GetById;
- if (!getByIdStatus.isSimple() || !Options::enableAccessInlining()) {
+ if (!getByIdStatus.isSimple() || !getByIdStatus.numVariants() || !Options::enableAccessInlining()) {
set(VirtualRegister(destinationOperand),
addToGraph(getById, OpInfo(identifierNumber), OpInfo(prediction), base));
return;
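Review bot: the new `!getByIdStatus.numVariants()` test in handleGetById papers over the zero-variant case at one call site rather than at its source; if a GetByIdStatus can report `isSimple()` while holding no variants, that combination is the invariant violation, and the cleaner fix is to have `isSimple()` (or whatever constructs the status) refuse it, so that the inlining path below can `ASSERT(getByIdStatus.numVariants())` instead of every caller remembering the extra clause. Separately, the ChangeLog lists only dfg/DFGByteCodeParser.cpp; a crash reproduced by typing into a live site should land with a regression test that drives the no-variant path, otherwise nothing guards against this check being dropped later.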
@@ -2133,7 +2133,7 @@
Node* base, unsigned identifierNumber, Node* value,
const PutByIdStatus& putByIdStatus, bool isDirect)
{
- if (!putByIdStatus.isSimple() || !Options::enableAccessInlining()) {
+ if (!putByIdStatus.isSimple() || !putByIdStatus.numVariants() || !Options::enableAccessInlining()) {
if (!putByIdStatus.isSet())
addToGraph(ForceOSRExit);
emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
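Review bot: this hunk repeats the same three-term predicate that handleGetById just grew, `!isSimple() || !numVariants() || !Options::enableAccessInlining()`, so the two are now coupled by copy rather than by a shared helper; consider folding the variant-count check into the status classes or a small `canInlineAccess(status)` helper so the next access kind cannot miss it. Also worth a comment in this fallback: `ForceOSRExit` is added only when `!putByIdStatus.isSet()`, so a status that is set and simple but has zero variants now falls through to `emitPutById` silently. If that state is what crashed on weather.com, say whether it is expected to be reachable or whether it should likewise force an OSR exit.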
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes