WebKit Bugzilla
Attachment 357596 Details for Bug 192822: JSON.stringify() should throw OOM on StringBuilder overflows.
[patch] proposed patch.
bug-192822.patch (text/plain), 5.01 KB, created by Mark Lam on 2018-12-18 12:06:40 PST
Flags: patch, obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 239346) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-12-18 Mark Lam <mark.lam@apple.com> >+ >+ JSON.stringify() should throw OOM on StringBuilder overflows. >+ https://bugs.webkit.org/show_bug.cgi?id=192822 >+ <rdar://problem/46670577> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/json-stringify-string-builder-overflow.js: Added. >+ > 2018-12-18 Mark Lam <mark.lam@apple.com> > > Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit. >Index: JSTests/stress/json-stringify-string-builder-overflow.js >=================================================================== >--- JSTests/stress/json-stringify-string-builder-overflow.js (nonexistent) >+++ JSTests/stress/json-stringify-string-builder-overflow.js (working copy) >@@ -0,0 +1,29 @@ >+//@ slow >+//@ skip if $architecture != "arm64" and $architecture != "x86-64" >+ >+var exception; >+try { >+ var str = JSON.stringify({ >+ 'a1': { >+ 'a2': { >+ 'a3': { >+ 'a4': { >+ 'a5': { >+ 'a6': 'AAAAAAAAAA' >+ } >+ } >+ } >+ } >+ } >+ }, function (key, value) { >+ var val = { >+ 'A': true, >+ }; >+ return val; >+ }, 1); >+} catch (e) { >+ exception = e; >+} >+ >+if (exception != "Error: Out of memory") >+ throw "FAILED"; >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 239328) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,16 @@ >+2018-12-18 Mark Lam <mark.lam@apple.com> >+ >+ JSON.stringify() should throw OOM on StringBuilder overflows. >+ https://bugs.webkit.org/show_bug.cgi?id=192822 >+ <rdar://problem/46670577> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/JSONObject.cpp: >+ (JSC::Stringifier::stringify): >+ (JSC::Stringifier::appendStringifiedValue): >+ (JSC::Stringifier::Holder::appendNextProperty): >+ > 2018-12-17 Mark Lam <mark.lam@apple.com> > > Array unshift/shift should not race against the AI in the compiler thread. >Index: Source/JavaScriptCore/runtime/JSONObject.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/JSONObject.cpp (revision 239328) >+++ Source/JavaScriptCore/runtime/JSONObject.cpp (working copy) >@@ -269,17 +269,20 @@ JSValue Stringifier::stringify(JSValue v > JSObject* object = nullptr; > if (isCallableReplacer()) { > object = constructEmptyObject(m_exec); >- RETURN_IF_EXCEPTION(scope, jsNull()); >+ RETURN_IF_EXCEPTION(scope, jsUndefined()); > object->putDirect(vm, vm.propertyNames->emptyIdentifier, value); > } > > StringBuilder result(StringBuilder::OverflowHandler::RecordOverflow); > Holder root(Holder::RootHolder, object); > auto stringifyResult = appendStringifiedValue(result, value, root, emptyPropertyName); >- EXCEPTION_ASSERT(!scope.exception() || (stringifyResult != StringifySucceeded)); >+ RETURN_IF_EXCEPTION(scope, jsUndefined()); >+ if (UNLIKELY(result.hasOverflowed())) { >+ throwOutOfMemoryError(m_exec, scope); >+ return jsUndefined(); >+ } > if (UNLIKELY(stringifyResult != StringifySucceeded)) > return jsUndefined(); >- > RELEASE_AND_RETURN(scope, jsString(m_exec, result.toString())); > } 
> >@@ -359,10 +362,6 @@ Stringifier::StringifyResult Stringifier > const String& string = asString(value)->value(m_exec); > RETURN_IF_EXCEPTION(scope, StringifyFailed); > builder.appendQuotedJSONString(string); >- if (UNLIKELY(builder.hasOverflowed())) { >- throwOutOfMemoryError(m_exec, scope); >- return StringifyFailed; >- } > return StringifySucceeded; > } > >@@ -391,6 +390,9 @@ Stringifier::StringifyResult Stringifier > return StringifyFailedDueToUndefinedOrSymbolValue; > } > >+ if (UNLIKELY(builder.hasOverflowed())) >+ return StringifyFailed; >+ > // Handle cycle detection, and put the holder on the stack. > for (unsigned i = 0; i < m_holderStack.size(); i++) { > if (m_holderStack[i].object() == object) { >@@ -410,6 +412,8 @@ Stringifier::StringifyResult Stringifier > while (m_holderStack.last().appendNextProperty(*this, builder)) > RETURN_IF_EXCEPTION(scope, StringifyFailed); > RETURN_IF_EXCEPTION(scope, StringifyFailed); >+ if (UNLIKELY(builder.hasOverflowed())) >+ return StringifyFailed; > m_holderStack.removeLast(); > m_objectStack.removeLast(); > } while (!m_holderStack.isEmpty()); >@@ -493,6 +497,8 @@ bool Stringifier::Holder::appendNextProp > } > stringifier.indent(); > } >+ if (UNLIKELY(builder.hasOverflowed())) >+ return false; > > // Last time through, finish up and return false. > if (m_index == m_size) {
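Review bot: in JSTests/stress/json-stringify-string-builder-overflow.js the final check `if (exception != "Error: Out of memory") throw "FAILED";` relies on loose coercion of the caught value to a string and says nothing about why an OOM is expected; consider `if (!(exception instanceof Error) || exception.message != "Out of memory") throw "FAILED";` plus a comment above the replacer explaining that it returns a fresh `{ 'A': true }` for every key, so the holder stack never sees the same object twice (no cycle is detected) and the indented output keeps growing until the StringBuilder overflows, which is also why the test is marked `//@ slow` and restricted to 64-bit.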
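Review bot: the switch from `RETURN_IF_EXCEPTION(scope, jsNull())` to `RETURN_IF_EXCEPTION(scope, jsUndefined())` in the @@ -269 hunk of Stringifier::stringify is a separate behaviour change that the Source/JavaScriptCore/ChangeLog entry does not mention; add a line for it. Since the overflow is now only examined after the whole traversal, a short comment next to the new `result.hasOverflowed()` check saying that OOM is reported here rather than at the append site would help the next reader understand why the StringifyFailed return value alone is not enough.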
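Review bot: dropping the `throwOutOfMemoryError` block after `builder.appendQuotedJSONString(string)` in the @@ -359 hunk means a string value now returns StringifySucceeded even when the builder has already overflowed, and a top-level huge string relies entirely on the check in stringify(). That matches the patch's design, but the dependence on StringBuilder's RecordOverflow mode tolerating further appends after an overflow is not visible anywhere in this function; a one-line comment at the call site would make it explicit.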
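Review bot: the overflow check added after the appendNextProperty loop in the @@ -410 hunk returns StringifyFailed before `m_holderStack.removeLast()` and `m_objectStack.removeLast()`, so both stacks are left unbalanced on that path. The adjacent `RETURN_IF_EXCEPTION(scope, StringifyFailed)` already behaves the same way, so this is fine as long as a Stringifier is never reused after a failure; either say so in a comment or move the check below the two removeLast() calls so the do/while exits with balanced stacks either way. By contrast, the check in the @@ -391 hunk sits before the holder is pushed, so no cleanup is needed there.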
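Review bot: in the @@ -493 hunk, `return false` on overflow in Holder::appendNextProperty is indistinguishable from the normal "Last time through, finish up and return false" exit a few lines below, so the caller has to re-check `builder.hasOverflowed()` after the loop (which the @@ -410 hunk does). A comment on the new early return stating that the caller detects the overflow via hasOverflowed() would document that contract where it is established.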