Attachment 361791 Details for
Bug 194534
: VariableLengthObject::allocate<T> should initialize objects
bug-194534-20190212141313.patch (text/plain), 6.61 KB, created by
Tadeu Zagallo
on 2019-02-12 05:13:44 PST
Description:
Patch
Filename:
MIME Type:
Creator:
Tadeu Zagallo
Created:
2019-02-12 05:13:44 PST
Size:
6.61 KB
patch
obsolete
>Subversion Revision: 241291
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 608249f7f276994737bd7817a105f0853a0dde39..9a3ee5214b0e449bdc4457102989c0d2376be5b4 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,28 @@
>+2019-02-12 Tadeu Zagallo <tzagallo@apple.com>
>+
>+ VariableLengthObject::allocate<T> should initialize objects
>+ https://bugs.webkit.org/show_bug.cgi?id=194534
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ `buffer()` should not be called for empty VariableLengthObjects, but
>+ these cases were not being caught due to the objects not being properly
>+ initialized. Fix it so that allocate calls the constructor and fix the
>+ assertion failues.
>+
>+ * runtime/CachedTypes.cpp:
>+ (JSC::CachedObject::operator new):
>+ (JSC::VariableLengthObject::allocate):
>+ (JSC::CachedVector::encode):
>+ (JSC::CachedVector::decode const):
>+ (JSC::CachedUniquedStringImpl::decode const):
>+ (JSC::CachedBitVector::encode):
>+ (JSC::CachedBitVector::decode const):
>+ (JSC::CachedArray::encode):
>+ (JSC::CachedArray::decode const):
>+ (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
>+ (JSC::CachedBigInt::decode const):
>+
> 2019-02-11 Mark Lam <mark.lam@apple.com>
> 
> Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
>diff --git a/Source/JavaScriptCore/runtime/CachedTypes.cpp b/Source/JavaScriptCore/runtime/CachedTypes.cpp
>index f6ffee4990c19c0ffa52bfb423ef37946761df43..7ec23d13654ad643f40099e00ce81746cd356ed8 100644
>--- a/Source/JavaScriptCore/runtime/CachedTypes.cpp
>+++ b/Source/JavaScriptCore/runtime/CachedTypes.cpp
>@@ -306,10 +306,21 @@ static std::enable_if_t<!std::is_same<T, SourceType<T>>::value, SourceType<T>>&&
> template<typename Source>
> class CachedObject {
> WTF_MAKE_NONCOPYABLE(CachedObject<Source>);
>- WTF_FORBID_HEAP_ALLOCATION;
> 
> public:
> using SourceType_ = Source;
>+
>+ CachedObject() = default;
>+
>+ inline void* operator new(size_t, void* where) { return where; }
>+
>+ // Copied from WTF_FORBID_HEAP_ALLOCATION, since we only want to allow placement new
>+ void* operator new[](size_t, void*) = delete;
>+ void* operator new(size_t) = delete;
>+ void operator delete(void*) = delete;
>+ void* operator new[](size_t size) = delete;
>+ void operator delete[](void*) = delete;
>+ void* operator new(size_t, NotNullTag, void* location) = delete;
> };
> 
> template<typename Source>
>@@ -332,9 +343,6 @@ protected:
> 
> uint8_t* allocate(Encoder& encoder, size_t size)
> {
>- if (!size)
>- return nullptr;
>-
> ptrdiff_t offsetOffset = encoder.offsetOf(&m_offset);
> auto result = encoder.malloc(size);
> m_offset = result.offset() - offsetOffset;
>@@ -345,7 +353,7 @@ protected:
> T* allocate(Encoder& encoder, unsigned size = 1)
> {
> uint8_t* result = allocate(encoder, sizeof(T) * size);
>- return reinterpret_cast<T*>(result);
>+ return new (result) T();
> }
> 
> private:
>@@ -463,6 +471,8 @@ public:
> void encode(Encoder& encoder, const Vector<SourceType<T>, InlineCapacity, OverflowHandler>& vector)
> {
> m_size = vector.size();
>+ if (!m_size)
>+ return;
> T* buffer = this->template allocate<T>(encoder, m_size);
> for (unsigned i = 0; i < m_size; ++i)
> ::JSC::encode(encoder, buffer[i], vector[i]);
>@@ -471,6 +481,8 @@ public:
> template<typename... Args>
> void decode(Decoder& decoder, Vector<SourceType<T>, InlineCapacity, OverflowHandler>& vector, Args... args) const
> {
>+ if (!m_size)
>+ return;
> vector.resizeToFit(m_size);
> const T* buffer = this->template buffer<T>();
> for (unsigned i = 0; i < m_size; ++i)
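Review bot: `inline` on an in-class member definition is redundant, and the named but unused parameters in two of the deleted declarations (`size`, `location`) do not match the other deleted overloads in the same list; `void* operator new[](size_t) = delete;` and `void* operator new(size_t, NotNullTag, void*) = delete;` read consistently with their neighbours. The placement `operator new` is now the only allocation path left open, which matches the comment, so the functional part of the change looks right.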
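Review bot: Dropping `if (!size) return nullptr;` means a zero-length request now reaches `encoder.malloc(size)` and stores an offset into `m_offset`, and whether `malloc(0)` hands back a usable offset is not visible in this hunk; the commit relies on every caller of this protected method checking for an empty size first. Making that contract explicit with `ASSERT(size);` as the first statement of the body would catch a future caller that forgets the guard, which is exactly the class of bug the ChangeLog describes. `allocate` continues past the end of the hunk.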
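Review bot: `new (result) T()` constructs only the first element, but `sizeof(T) * size` bytes were allocated on the line above, so for `size > 1` (every CachedVector and CachedArray `encode` call) elements `1..size-1` remain uninitialized storage, which is the state the ChangeLog says this patch is fixing. Constructing each element in a loop covers all of them; placement array new is not an option because `CachedObject` deletes `operator new[](size_t, void*)`. Note also that with `size == 0` the placement new would write `sizeof(T)` bytes into a zero-byte allocation, so the empty-size guards added at the callers are load-bearing.
```cpp
T* allocate(Encoder& encoder, unsigned size = 1)
{
    uint8_t* result = allocate(encoder, sizeof(T) * size);
    // Construct every element, not only the first one.
    for (unsigned i = 0; i < size; ++i)
        new (result + i * sizeof(T)) T();
    return reinterpret_cast<T*>(result);
}
```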
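Review bot: The early return added to `decode` skips `vector.resizeToFit(m_size)`, so when the cached vector is empty a non-empty `vector` handed in by the caller is now left as-is instead of being shrunk to zero; whether callers always pass a freshly constructed Vector is not visible in this hunk. If that is not guaranteed, placing the guard after the resize keeps the previous post-condition: `vector.resizeToFit(m_size);` followed by `if (!m_size) return;` before the `buffer<T>()` call. The guard in `encode` (preceding hunk) is unaffected, since `m_size` is stored before it returns.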
>@@ -570,9 +582,6 @@ public:
> if (!m_isSymbol)
> return AtomicStringImpl::add(buffer, m_length).leakRef();
> 
>- if (!m_length)
>- return &SymbolImpl::createNullSymbol().leakRef();
>-
> Identifier ident = Identifier::fromString(&decoder.vm(), buffer, m_length);
> String str = decoder.vm().propertyNames->lookUpPrivateName(ident);
> StringImpl* impl = str.releaseImpl().get();
>@@ -580,6 +589,12 @@ public:
> return static_cast<UniquedStringImpl*>(impl);
> };
> 
>+ if (!m_length) {
>+ if (m_isSymbol)
>+ return &SymbolImpl::createNullSymbol().leakRef();
>+ return AtomicStringImpl::add("").leakRef();
>+ }
>+
> if (m_is8Bit)
> return create(this->buffer<LChar>());
> return create(this->buffer<UChar>());
>@@ -740,12 +755,16 @@ public:
> void encode(Encoder& encoder, const BitVector& bitVector)
> {
> m_size = bitVector.size();
>+ if (!m_size)
>+ return;
> uint8_t* buffer = this->allocate(encoder, m_size);
> memcpy(buffer, bitVector.bits(), m_size);
> }
> 
> void decode(Decoder&, BitVector& bitVector) const
> {
>+ if (!m_size)
>+ return;
> bitVector.ensureSize(m_size);
> memcpy(bitVector.bits(), this->buffer(), m_size);
> }
>@@ -860,6 +879,8 @@ class CachedArray : public VariableLengthObject<Source*> {
> public:
> void encode(Encoder& encoder, const Source* array, unsigned size)
> {
>+ if (!size)
>+ return;
> T* dst = this->template allocate<T>(encoder, size);
> for (unsigned i = 0; i < size; ++i)
> ::JSC::encode(encoder, dst[i], array[i]);
>@@ -868,6 +889,8 @@ public:
> template<typename... Args>
> void decode(Decoder& decoder, Source* array, unsigned size, Args... args) const
> {
>+ if (!size)
>+ return;
> const T* buffer = this->template buffer<T>();
> for (unsigned i = 0; i < size; ++i)
> ::JSC::decode(decoder, buffer[i], array[i], args...);
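Review bot: The byte count handed to both `memcpy` calls in this hunk is `m_size`, which `encode` takes from `bitVector.size()`; if `size()` reports a bit count rather than a byte count (BitVector's definition is not in the hunk), the copy reads past `bitVector.bits()` on encode and writes past the BitVector's storage on decode, and the new empty-size guards do not change that. This is pre-existing rather than introduced here, but the guards sit directly on top of it, so it is worth confirming against BitVector while touching these functions; if confirmed, keep the bit count for `ensureSize` and derive a separate byte length for the two `memcpy` calls.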
>@@ -948,6 +971,11 @@ private:
> class CachedJSValue;
> class CachedImmutableButterfly : public CachedObject<JSImmutableButterfly> {
> public:
>+ CachedImmutableButterfly()
>+ : m_cachedDoubles()
>+ {
>+ }
>+
> void encode(Encoder& encoder, JSImmutableButterfly& immutableButterfly)
> {
> m_length = immutableButterfly.length();
>@@ -1037,7 +1065,8 @@ public:
> {
> JSBigInt* bigInt = JSBigInt::createWithLengthUnchecked(decoder.vm(), m_length);
> bigInt->setSign(m_sign);
>- memcpy(bigInt->dataStorage(), this->buffer(), sizeof(JSBigInt::Digit) * m_length);
>+ if (m_length)
>+ memcpy(bigInt->dataStorage(), this->buffer(), sizeof(JSBigInt::Digit) * m_length);
> return bigInt;
> }
>
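Review bot: Adding a user-provided default constructor changes what `new (result) T()` in `VariableLengthObject::allocate` does for this class: value-initialization no longer zero-initializes the object first, so every member not named in the mem-initializer list is left default-initialized, which is indeterminate for scalar members (`m_length` is assigned in `encode` and so is covered, but any other member is not). If the only goal is to have `m_cachedDoubles` constructed, a default member initializer on its declaration (`m_cachedDoubles { }`, outside this hunk) keeps the class's default constructor non-user-provided and preserves the zeroing that the other Cached* types get. The member list is outside the hunk, so this is worth checking against it.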