Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-08 12:37:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 773108 - Avoid overflowing blockid in CompExprTransplanter (r=dvander)

Browse Source
This commit is contained in:
Luke Wagner 2012-07-11 22:07:25 -07:00
parent ecbebd6e01
commit 112a3cced0
3 changed files with 31 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
js/src/frontend/Parser.cpp
View File

@ -5033,13 +5033,18 @@ BumpStaticLevel(ParseNode *pn, TreeContext *tc)
return pn->pn_cookie.set(tc->sc->context, level, pn->pn_cookie.slot());
}
static void
static bool
AdjustBlockId(ParseNode *pn, unsigned adjust, TreeContext *tc)
{
JS_ASSERT(pn->isArity(PN_LIST) || pn->isArity(PN_FUNC) || pn->isArity(PN_NAME));
if (JS_BIT(20) - pn->pn_blockid <= adjust + 1) {
JS_ReportErrorNumber(tc->sc->context, js_GetErrorMessage, NULL, JSMSG_NEED_DIET, "program");
return false;
}
pn->pn_blockid += adjust;
if (pn->pn_blockid >= tc->blockidGen)
tc->blockidGen = pn->pn_blockid + 1;
return true;
}
bool
@ -5056,8 +5061,10 @@ CompExprTransplanter::transplant(ParseNode *pn)
if (!transplant(pn2))
return false;
}
if (pn->pn_pos >= root->pn_pos)
AdjustBlockId(pn, adjust, tc);
if (pn->pn_pos >= root->pn_pos) {
if (!AdjustBlockId(pn, adjust, tc))
return false;
}
break;
case PN_TERNARY:
@ -5142,7 +5149,8 @@ CompExprTransplanter::transplant(ParseNode *pn)
if (dn->isPlaceholder() && dn->pn_pos >= root->pn_pos && dn->dn_uses == pn) {
if (genexp && !BumpStaticLevel(dn, tc))
return false;
AdjustBlockId(dn, adjust, tc);
if (!AdjustBlockId(dn, adjust, tc))
return false;
}
RootedAtom atom(parser->context, pn->pn_atom);
@ -5203,7 +5211,8 @@ CompExprTransplanter::transplant(ParseNode *pn)
if (genexp && !visitedImplicitArguments.has(dn)) {
if (!BumpStaticLevel(dn, tc))
return false;
AdjustBlockId(dn, adjust, tc);
if (!AdjustBlockId(dn, adjust, tc))
return false;
if (!visitedImplicitArguments.put(dn))
return false;
}
@ -5211,8 +5220,10 @@ CompExprTransplanter::transplant(ParseNode *pn)
}
}
if (pn->pn_pos >= root->pn_pos)
AdjustBlockId(pn, adjust, tc);
if (pn->pn_pos >= root->pn_pos) {
if (!AdjustBlockId(pn, adjust, tc))
return false;
}
break;
case PN_NAMESET:
@ -5292,7 +5303,8 @@ Parser::comprehensionTail(ParseNode *kid, unsigned blockid, bool isGenexp,
if (!transplanter.init())
return NULL;
transplanter.transplant(kid);
if (!transplanter.transplant(kid))
return false;
JS_ASSERT(tc->blockChain && tc->blockChain == pn->pn_objbox->object);
data.initLet(HoistVars, *tc->blockChain, JSMSG_ARRAY_INIT_TOO_BIG);

1
js/src/frontend/TreeContext.cpp
View File

@ -30,6 +30,7 @@ frontend::GenerateBlockId(TreeContext *tc, uint32_t &blockid)
JS_ReportErrorNumber(tc->sc->context, js_GetErrorMessage, NULL, JSMSG_NEED_DIET, "program");
return false;
}
JS_ASSERT(tc->blockidGen < JS_BIT(20));
blockid = tc->blockidGen++;
return true;
}

10
js/src/jit-test/tests/basic/testBug773108.js Normal file
View File

@ -0,0 +1,10 @@
// |jit-test| error:InternalError
Function("\
for each(l in[(let(c)([])\
for each(l in[]))(let(c)w for(u in[]))(let(u)w for(l in[]))(let(c)w for(u in[]))\
(let(u)w for each(l in[]))(let(c)w for(u in[]))(let(u)w for(l in[]))(let(c)w for(u in[]))\
(let(l)w for(l in[]))(let(u)w for(l in['']))(let(c)w for(u in[]))(let(u)w for(l in[]))\
(let(c)w for(l in[]))(let(l)w for(l in[]))(let(c)w for(l in[]))(let(u)w for(l in[]))\
(let(c)w for(l in[]))(let(u)w for each(l in[x]))(let(w,x)w for(u in[]))]){}\
")