Allocate GC heap blocks with mmap(MAP_RANDOMIZED) for ASLR.
This may very well be too aggressive in terms of fragmentation, and we
can figure out ways to scale that back once it becomes a big problem.
For now, this makes the GC heap a lot less predictable for an attacker.
This was not implementing the following part of the spec correctly:
27. For each integer i such that i ≥ 1 and i ≤ n, do
a. Let captureI be ith element of r's captures List.
b. If captureI is undefined, let capturedValue be undefined.
Expecting a capture group match to exist for each of the RegExp's
capture groups would assert in Vector's operator[] if that's not the
case, for example:
/(foo)(bar)?/.exec("foo")
Append undefined instead.
Fixes#5256.
This is a little bit messy but the basic idea is:
Syntax::Highlighter now has a Syntax::HighlighterClient to talk to the
outside world. It mostly communicates in LibGUI primitives that are
available in headers, so inlineable.
GUI::TextEditor inherits from Syntax::HighlighterClient.
This let us to move GUI::JSSyntaxHighlighter to JS::SyntaxHighlighter
and remove LibGUI's dependency on LibJS.
If it's missing we get an empty value, but we can't use that with
to_string_without_side_effects() so we have to use undefined as the
default.
Fixes#5142.
We were calling directly up to Cell, skipping over ScopeObject.
This made us not mark the scope chain parent for lexical environments,
sometimes causing them to get GC'd and use-after-free'd.
Found by Fuzzilli.
Fixes#5140.
We will now throw a RangeError in these cases:
* new TypedArray with >= INT32_MAX entries
* new TypedArray whose ArrayBuffer allocation size computation would
cause a 32-bit unsigned overflow.
If we have a function as class extends value, we still cannot assume
that it has a prototype property and that property has a function or
null as its value - blindly calling to_object() on it may fail.
Fixes#5075.
Without this, the oss-fuzz build says:
../Userland/Libraries/LibJS/AST.cpp:58:34: error: member access into incomplete type 'const std::type_info'
return demangle(typeid(*this).name()).substring(4);
^
