Array.prototype.join should do overflow checks on string joins.
https://bugs.webkit.org/show_bug.cgi?id=162459

Reviewed by Saam Barati.

JSTests:

* stress/array-join-on-strings-need-overflow-checks.js: Added.
(assert):
(catch):

Source/JavaScriptCore:

Make the two JSRopeString::create() functions that do joins private, and
force all of their clients to go through the jsString() utility functions, which
do overflow checks before creating the ropes.

* dfg/DFGOperations.cpp:
* runtime/ArrayPrototype.cpp:
(JSC::slowJoin):
* runtime/JSString.h:
* runtime/Operations.h:
(JSC::jsString):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@206281 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index f107b58..d21916a 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -52,6 +52,7 @@
 #include "JSMap.h"
 #include "JSSet.h"
 #include "ObjectConstructor.h"
+#include "Operations.h"
 #include "RegExpObject.h"
 #include "Repatch.h"
 #include "ScopedArguments.h"
@@ -1500,28 +1501,16 @@
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (sumOverflows<int32_t>(left->length(), right->length())) {
-        throwOutOfMemoryError(exec, scope);
-        return nullptr;
-    }
-
-    return JSRopeString::create(vm, left, right);
+    return jsString(exec, left, right);
 }
 
 JSCell* JIT_OPERATION operationMakeRope3(ExecState* exec, JSString* a, JSString* b, JSString* c)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (sumOverflows<int32_t>(a->length(), b->length(), c->length())) {
-        throwOutOfMemoryError(exec, scope);
-        return nullptr;
-    }
-
-    return JSRopeString::create(vm, a, b, c);
+    return jsString(exec, a, b, c);
 }
 
 JSCell* JIT_OPERATION operationStrCat2(ExecState* exec, EncodedJSValue a, EncodedJSValue b)
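Review bot: With the inline `sumOverflows<int32_t>` checks removed, nothing at the call sites in operationMakeRope2 and operationMakeRope3 shows that the length-overflow guard still exists or what is returned when it fires. Per the commit description the check now lives in jsString() in Operations.h, which is not among the lines shown here, so a short comment above each call would keep the invariant visible, e.g. `// jsString() does the int32_t length-overflow check before creating the rope; never call JSRopeString::create() directly here.` The same comment fits the jsString() calls in operationStrCat2 and operationStrCat3 in the following hunks. operationMakeRope2's signature lies outside this hunk.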
@@ -1535,12 +1524,8 @@
     JSString* str2 = JSValue::decode(b).toString(exec);
     ASSERT(!scope.exception());
 
-    if (sumOverflows<int32_t>(str1->length(), str2->length())) {
-        throwOutOfMemoryError(exec, scope);
-        return nullptr;
-    }
-
-    return JSRopeString::create(vm, str1, str2);
+    scope.release();
+    return jsString(exec, str1, str2);
 }
     
 JSCell* JIT_OPERATION operationStrCat3(ExecState* exec, EncodedJSValue a, EncodedJSValue b, EncodedJSValue c)
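Review bot: `scope.release()` in operationStrCat2 is preceded only by `ASSERT(!scope.exception())`, which is compiled out of release builds, so a pending exception from `toString(exec)` would be carried straight into jsString() with str1/str2 in whatever state toString left them. Whether toString() can throw for the values that reach this operation is not determinable from this hunk; if it can, an explicit guard before the release would be safer: `if (scope.exception()) return nullptr;`. operationStrCat3 in the next hunk has the same pattern. Both functions start outside their hunks.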
@@ -1556,12 +1541,8 @@
     JSString* str3 = JSValue::decode(c).toString(exec);
     ASSERT(!scope.exception());
 
-    if (sumOverflows<int32_t>(str1->length(), str2->length(), str3->length())) {
-        throwOutOfMemoryError(exec, scope);
-        return nullptr;
-    }
-
-    return JSRopeString::create(vm, str1, str2, str3);
+    scope.release();
+    return jsString(exec, str1, str2, str3);
 }
 
 char* JIT_OPERATION operationFindSwitchImmTargetForDouble(