Página Principal Explorar Ajuda
Iniciar Sessão
SunnyMirror
/
ChakraCore
mirror de https://github.com/microsoft/ChakraCore.git
2
0
Fork 0
Ficheiros Problemas 0 Wiki
Ver Fonte

Catching typed array OOB AVs coming from stack allocated functions. OS #17785360

Rajat Dua há 7 anos atrás
pai
cb568a87a4
commit
e2e570ae48
3 ficheiros alterados com 31 adições e 2 exclusões
Visão Dividida Mostrar Estatísticas Diff
  1. 1 2
      lib/Runtime/Library/JavascriptFunction.cpp
  2. 25 0
      test/Bugs/bug17785360.js
  3. 5 0
      test/Bugs/rlexe.xml

+ 1 - 2
lib/Runtime/Library/JavascriptFunction.cpp
Ver Ficheiro 

@@ -1905,12 +1905,11 @@ LABEL1:
 
             RecyclerHeapObjectInfo heapObject;
 
             Recycler* recycler = threadContext->GetRecycler();
 
 
-            bool isFuncObjHeapAllocated = recycler->FindHeapObject(func, FindHeapObjectFlags_NoFlags, heapObject); // recheck if this needs to be removed
 
             bool isEntryPointHeapAllocated = recycler->FindHeapObject(func->GetEntryPointInfo(), FindHeapObjectFlags_NoFlags, heapObject);
 
             bool isFunctionBodyHeapAllocated = recycler->FindHeapObject(func->GetFunctionBody(), FindHeapObjectFlags_NoFlags, heapObject);
 
 
             // ensure that all our objects are heap allocated
 
-            if (!(isFuncObjHeapAllocated && isEntryPointHeapAllocated && isFunctionBodyHeapAllocated))
 
+            if (!(isEntryPointHeapAllocated && isFunctionBodyHeapAllocated))
 
             {
 
                 return nullptr;
 
             }

+ 25 - 0
test/Bugs/bug17785360.js
Ver Ficheiro 

@@ -0,0 +1,25 @@
 
+//-------------------------------------------------------------------------------------------------------

+// Copyright (C) Microsoft. All rights reserved.

+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.

+//-------------------------------------------------------------------------------------------------------

+

+arr = new Uint8Array(0x40000);

+var obj = {x : 1.1};

+function test2()

+{

+    return obj.x;

+}

+function test()

+{

+    function test1()

+    {

+        for(var i=0; i < arr.length; i++)

+        {

+            arr[i] = arr[i+1] = arr[i+2] = Math.floor(test2() / 4294967295 * 128), arr[i + 3] = 255;

+        }

+    }

+    test1(arr);

+}

+

+test();

+print("passed");

+ 5 - 0
test/Bugs/rlexe.xml
Ver Ficheiro 

@@ -484,4 +484,9 @@
 
       <compile-flags>-forceNative -forcejitloopbody -off:aggressiveinttypespec -off:ArrayCheckHoist</compile-flags> 
     </default> 
   </test> 
+  <test>
 
+    <default>
 
+      <files>bug17785360.js</files>
 
+    </default>
 
+  </test> 
 </regress-exe>