buffer: Prevent Buffer constructor deopt

brycebaril · rvagg · commit e3a8e8bba420 · 2015-12-08T11:19:43.000+11:00
The Buffer constructor will generally get inlined, but any call to the Buffer constructor for a string without encoding will cause an eager deoptimization of any function that inlined the Buffer constructor. This is due to a an out-of-bounds read on `arguments[1]`. This change prevents that deopt. PR-URL: #4158 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
diff --git a/lib/buffer.js b/lib/buffer.js
@@ -40,7 +40,7 @@ function alignPool() {
 }
 
 
-function Buffer(arg) {
+function Buffer(arg, encoding) {
   // Common case.
   if (typeof arg === 'number') {
     // If less than zero, or NaN.
@@ -51,7 +51,7 @@ function Buffer(arg) {
 
   // Slightly less common case.
   if (typeof arg === 'string') {
-    return fromString(arg, arguments[1]);
+    return fromString(arg, encoding);
   }
 
   // Unusual.

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ function alignPool() {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`
`43`		`-function Buffer(arg) {`
	`43`	`+function Buffer(arg, encoding) {`
`44`	`44`	`// Common case.`
`45`	`45`	`if (typeof arg === 'number') {`
`46`	`46`	`// If less than zero, or NaN.`
`@@ -51,7 +51,7 @@ function Buffer(arg) {`
`51`	`51`
`52`	`52`	`// Slightly less common case.`
`53`	`53`	`if (typeof arg === 'string') {`
`54`		`- return fromString(arg, arguments[1]);`
	`54`	`+ return fromString(arg, encoding);`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`// Unusual.`