    JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid · 4c1fa6d3
    mhahnenberg@apple.com authored
    Reviewed by Geoffrey Garen.
    This patch disallows clients from allocating 0 bytes in CopiedSpace. We enforce this invariant 
    with an ASSERT in C++ code and a breakpoint in JIT code. Clients who care about 0-byte 
    allocations (like JSArrayBufferViews) must handle that case themselves, but we don't punish 
    anybody else for the rare case that somebody decides to allocate a 0-length typed array. 
    It also makes the allocation and copying cases consistent for CopiedSpace: no 0-byte allocations, 
    no 0-byte copying.
    Also added a check so that JSArrayBufferViews don't try to copy their m_vector backing store when 
    their length is 0. Also sprinkled several ASSERTs throughout the JSArrayBufferView code to make sure that 
    when length is 0 m_vector is null.
    * dfg/DFGSpeculativeJIT.cpp:
    * dfg/DFGSpeculativeJIT.h:
    * heap/CopiedSpaceInlines.h:
    * runtime/ArrayBuffer.h:
    * runtime/JSArrayBufferView.cpp:
    * runtime/JSGenericTypedArrayViewInlines.h:
    Added a test to make sure that we don't crash when allocating a typed array with 0 length.
    * js/script-tests/typedarray-zero-size.js: Added.
    * js/typedarray-zero-size-expected.txt: Added.
    * js/typedarray-zero-size.html: Added.
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158583 268f45cc-cd09-0410-ab3c-d52691b4dbfc
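To show the invariant this commit describes in runnable form, here is an added example that is not WebKit's code: a hypothetical `CopiedSpaceModel` bump allocator that asserts on 0-byte requests, and a hypothetical `TypedArrayViewModel` that keeps `m_vector` null for length 0 and skips the copy in that case, so the allocation and copy paths agree.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for CopiedSpace: a bump allocator over one block (hypothetical name).
class CopiedSpaceModel {
public:
    explicit CopiedSpaceModel(size_t capacity) : m_block(capacity), m_offset(0) {}
    // Invariant from the patch: clients never ask for 0 bytes.
    void* tryAllocate(size_t bytes) {
        assert(bytes > 0 && "0-byte CopiedSpace allocation is invalid");
        if (m_offset + bytes > m_block.size()) return nullptr;
        void* result = m_block.data() + m_offset;
        m_offset += bytes;
        return result;
    }
    size_t bytesAllocated() const { return m_offset; }
private:
    std::vector<uint8_t> m_block;
    size_t m_offset;
};

// Stand-in for JSArrayBufferView's m_vector handling (hypothetical names).
class TypedArrayViewModel {
public:
    TypedArrayViewModel(CopiedSpaceModel& space, size_t length, size_t elementSize)
        : m_length(length), m_vector(nullptr) {
        if (length == 0) return; // zero length is handled here, not by the allocator
        m_vector = static_cast<uint8_t*>(space.tryAllocate(length * elementSize));
        assert(m_vector && "model block too small");
    }
    // Copy phase: the check the patch adds before copying m_vector.
    // Returns true if bytes were copied, false if skipped for length 0.
    bool copyBackingStore(CopiedSpaceModel& to, size_t elementSize) {
        if (m_length == 0) {
            assert(!m_vector); // length 0 implies null m_vector
            return false;
        }
        uint8_t* dest = static_cast<uint8_t*>(to.tryAllocate(m_length * elementSize));
        assert(dest && "model block too small");
        memcpy(dest, m_vector, m_length * elementSize);
        m_vector = dest;
        return true;
    }
    size_t length() const { return m_length; }
    bool hasVector() const { return m_vector != nullptr; }
private:
    size_t m_length;
    uint8_t* m_vector;
};
```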