diff options
Diffstat (limited to 'Source/JavaScriptCore/dfg/DFGOperations.cpp')
| -rw-r--r-- | Source/JavaScriptCore/dfg/DFGOperations.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp index 29a0b2b61..1305c0a5d 100644 --- a/Source/JavaScriptCore/dfg/DFGOperations.cpp +++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp @@ -1644,6 +1644,11 @@ JSCell* DFG_OPERATION operationMakeRope2(ExecState* exec, JSString* left, JSStri VM& vm = exec->vm(); NativeCallFrameTracer tracer(&vm, exec); + if (static_cast<int32_t>(left->length() + right->length()) < 0) { + throwOutOfMemoryError(exec); + return 0; + } + return JSRopeString::create(vm, left, right); } @@ -1652,6 +1657,14 @@ JSCell* DFG_OPERATION operationMakeRope3(ExecState* exec, JSString* a, JSString* VM& vm = exec->vm(); NativeCallFrameTracer tracer(&vm, exec); + Checked<int32_t, RecordOverflow> length = a->length(); + length += b->length(); + length += c->length(); + if (length.hasOverflowed()) { + throwOutOfMemoryError(exec); + return 0; + } + return JSRopeString::create(vm, a, b, c); } |