Title: [189318] branches/safari-601-branch

Diff

Modified: branches/safari-601-branch/LayoutTests/ChangeLog (189317 => 189318)


--- branches/safari-601-branch/LayoutTests/ChangeLog	2015-09-03 23:41:22 UTC (rev 189317)
+++ branches/safari-601-branch/LayoutTests/ChangeLog	2015-09-03 23:42:32 UTC (rev 189318)
@@ -1,5 +1,21 @@
 2015-09-03  Babak Shafiei  <[email protected]>
 
+        Merge r189046.
+
+    2015-08-27  Basile Clement  <[email protected]>
+
+            REGRESSION(r184779): Possible read-after-free in _javascript_Core/dfg/DFGClobberize.h
+            https://bugs.webkit.org/show_bug.cgi?id=148411
+
+            Reviewed by Geoffrey Garen and Filip Pizlo.
+
+            * js/regress-148411-expected.txt: Added.
+            * js/regress-148411.html: Added.
+            * js/script-tests/regress-148411.js: Added.
+            (foo):
+
+2015-09-03  Babak Shafiei  <[email protected]>
+
         Merge r188340.
 
     2015-08-12  Brent Fulgham  <[email protected]>

Copied: branches/safari-601-branch/LayoutTests/js/regress-148411-expected.txt (from rev 189046, trunk/LayoutTests/js/regress-148411-expected.txt) (0 => 189318)


--- branches/safari-601-branch/LayoutTests/js/regress-148411-expected.txt	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/js/regress-148411-expected.txt	2015-09-03 23:42:32 UTC (rev 189318)
@@ -0,0 +1,9 @@
+Regression test for https://webkit.org/b/148411. This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: branches/safari-601-branch/LayoutTests/js/regress-148411.html (from rev 189046, trunk/LayoutTests/js/regress-148411.html) (0 => 189318)


--- branches/safari-601-branch/LayoutTests/js/regress-148411.html	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/js/regress-148411.html	2015-09-03 23:42:32 UTC (rev 189318)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
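Review bot: As listed, the three `<script src=""` lines (58, 61, 62) have empty src attributes and no closing `>`, so the page would load neither the js-test harness nor script-tests/regress-148411.js and the test could never exercise the bug. This is most likely an artifact of how the diff was extracted rather than what was committed, but it is worth confirming the checked-in file references `../resources/js-test-pre.js`, `script-tests/regress-148411.js` and `../resources/js-test-post.js` as the sibling regression tests do. If it is real, the test passes vacuously.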

Copied: branches/safari-601-branch/LayoutTests/js/script-tests/regress-148411.js (from rev 189046, trunk/LayoutTests/js/script-tests/regress-148411.js) (0 => 189318)


--- branches/safari-601-branch/LayoutTests/js/script-tests/regress-148411.js	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/js/script-tests/regress-148411.js	2015-09-03 23:42:32 UTC (rev 189318)
@@ -0,0 +1,12 @@
+description(
+"Regression test for https://webkit.org/b/148411. This test should not crash."
+);
+
+function foo()
+{
+    [5, 6, 7, 8];
+    [100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114];
+}
+
+for (var i = 0; i < 100000; ++i)
+    foo();
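Review bot: Nothing in the new test says what makes `foo()` reach the affected DFGClobberize path, so a later cleanup could drop one of the array literals or lower the loop count and silently stop covering the bug. Suggest a comment above `function foo()`: `// Two constant array literals of different lengths, run hot enough to be compiled by the DFG; see webkit.org/b/148411.` I am inferring that the 100000 iterations exist to tier up to the DFG and that the second, longer literal is the trigger — the exact mechanism is not visible here, so confirm before wording it as fact.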

Modified: branches/safari-601-branch/Source/_javascript_Core/ChangeLog (189317 => 189318)


--- branches/safari-601-branch/Source/_javascript_Core/ChangeLog	2015-09-03 23:41:22 UTC (rev 189317)
+++ branches/safari-601-branch/Source/_javascript_Core/ChangeLog	2015-09-03 23:42:32 UTC (rev 189318)
@@ -1,5 +1,19 @@
 2015-09-03  Babak Shafiei  <[email protected]>
 
+        Merge r189046.
+
+    2015-08-27  Basile Clement  <[email protected]>
+
+            REGRESSION(r184779): Possible read-after-free in _javascript_Core/dfg/DFGClobberize.h
+            https://bugs.webkit.org/show_bug.cgi?id=148411
+
+            Reviewed by Geoffrey Garen and Filip Pizlo.
+
+            * dfg/DFGClobberize.h:
+            (JSC::DFG::clobberize):
+
+2015-09-03  Babak Shafiei  <[email protected]>
+
         Merge r188311.
 
     2015-08-11  Alexey Proskuryakov  <[email protected]>

Modified: branches/safari-601-branch/Source/_javascript_Core/dfg/DFGClobberize.h (189317 => 189318)


--- branches/safari-601-branch/Source/_javascript_Core/dfg/DFGClobberize.h	2015-09-03 23:41:22 UTC (rev 189317)
+++ branches/safari-601-branch/Source/_javascript_Core/dfg/DFGClobberize.h	2015-09-03 23:42:32 UTC (rev 189318)
@@ -888,6 +888,7 @@
                 if (operandIdx >= numElements)
                     continue;
                 Edge use = graph.m_varArgChildren[node->firstChild() + operandIdx];
+                // operandIdx comes from graph.m_uint32ValuesInUse and thus is guaranteed to be already frozen
                 def(HeapLocation(IndexedPropertyLoc, heap, node, LazyNode(graph.freeze(jsNumber(operandIdx)))),
                     LazyNode(use.node()));
             }
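Review bot: The new comment at line 120 documents an invariant rather than removing the dependency on it: it asserts that freezing `jsNumber(operandIdx)` cannot grow `graph.m_uint32ValuesInUse` because the value is already present, while the sibling loop later in this file is switched to a copy-first pattern instead. The enclosing loop starts above this hunk, so whether it iterates `m_uint32ValuesInUse` directly is not visible; if it does, consider either the same copy-first pattern for consistency or an ASSERT that the set's size is unchanged across the `freeze()` call, so the invariant is checked rather than assumed. At minimum the comment should say what goes wrong if it is false, e.g. `// operandIdx is already in graph.m_uint32ValuesInUse, so freeze() must not grow the set and invalidate the iterator we are walking.`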
@@ -930,9 +931,13 @@
                     LazyNode(graph.freeze(data[index]), op));
             }
         } else {
+            Vector<uint32_t> possibleIndices;
             for (uint32_t index : graph.m_uint32ValuesInUse) {
                 if (index >= numElements)
                     continue;
+                possibleIndices.append(index);
+            }
+            for (uint32_t index : possibleIndices) {
                 def(HeapLocation(IndexedPropertyLoc, heap, node, LazyNode(graph.freeze(jsNumber(index)))),
                     LazyNode(graph.freeze(data[index]), op));
             }
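Review bot: The two-pass shape introduced at lines 128-134 has no comment explaining why the indices are copied into `possibleIndices` before the `def()` loop, so the copy reads as redundant and is an easy target for a future "simplification" that reintroduces the read-after-free named in the ChangeLog. Suggest above `Vector<uint32_t> possibleIndices;`: `// Collect indices first: freeze() below can add to graph.m_uint32ValuesInUse, which would invalidate an iterator into it.` I am inferring the mechanism from the bug title; confirm it against `Graph::freeze` before committing to that wording. The `else` branch and the enclosing `clobberize` function continue outside this hunk.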