WebKit Bugzilla
Attachment 357625 Details for Bug 192833: String overflow in JSC::createError results in ASSERT in WTF::makeString
Patch: bug-192833-20181219004126.patch (text/plain), 2.98 KB, created by Tadeu Zagallo on 2018-12-18 15:42:31 PST
Description: Patch
Filename: bug-192833-20181219004126.patch
MIME Type: text/plain
Creator: Tadeu Zagallo
Created: 2018-12-18 15:42:31 PST
Size: 2.98 KB
Flags: patch, obsolete
>Subversion Revision: 239328 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 3865cdb38b541916d12d7880c57d89e27eb526b2..7baecd3e527ca16f8ee2ca6a69b74f5b2556b6b9 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-12-18 Tadeu Zagallo <tzagallo@apple.com> >+ >+ String overflow in JSC::createError results in ASSERT in WTF::makeString >+ https://bugs.webkit.org/show_bug.cgi?id=192833 >+ <rdar://problem/45706868> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ JSC::createError was calling WTF::makeString which would result in an >+ assertion failure when the string was too big. Change it to call >+ WTF::tryMakeString instead and return an OutOfMemory error if we fail >+ to create the error string. >+ >+ * runtime/ExceptionHelpers.cpp: >+ (JSC::createError): >+ > 2018-12-17 Mark Lam <mark.lam@apple.com> > > Array unshift/shift should not race against the AI in the compiler thread. >diff --git a/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp b/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >index 20cb5fc77c08c46523128f5f684365d9449660c8..8a617b480f5bcf334eda8947f8eea1a4b64d1e5d 100644 >--- a/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >+++ b/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >@@ -267,7 +267,9 @@ JSObject* createError(ExecState* exec, JSValue value, const String& message, Err > VM& vm = exec->vm(); > auto scope = DECLARE_CATCH_SCOPE(vm); > >- String errorMessage = makeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message); >+ String errorMessage = tryMakeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message); >+ if (errorMessage.isNull()) >+ return createOutOfMemoryError(exec); > scope.assertNoException(); > JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(vm, value)); > ASSERT(exception->isErrorInstance()); 
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 772cffc1b1b0fb3114126b80d903c6dfbf24b4dd..fb93285ad54a82b0e42b74723f5fa58c71bb8c77 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,13 @@ >+2018-12-18 Tadeu Zagallo <tzagallo@apple.com> >+ >+ String overflow in JSC::createError results in ASSERT in WTF::makeString >+ https://bugs.webkit.org/show_bug.cgi?id=192833 >+ <rdar://problem/45706868> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/string-overflow-createError.js: Added. >+ > 2018-12-18 Mark Lam <mark.lam@apple.com> > > Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit. >diff --git a/JSTests/stress/string-overflow-createError.js b/JSTests/stress/string-overflow-createError.js >new file mode 100644 >index 0000000000000000000000000000000000000000..1f2c1d4701a03e262997ba72b9b70bd9473e823e >--- /dev/null >+++ b/JSTests/stress/string-overflow-createError.js >@@ -0,0 +1,3 @@ >+bar = '2.3023e-320' >+foo = bar.padEnd(2147483644, 1); >+foo(true, 1).value;
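Review bot: in the ExceptionHelpers.cpp hunk, the early return on `errorMessage.isNull()` correctly precedes `scope.assertNoException()`, but `errorDescriptionForValue(exec, value)->value(exec)` runs on the same oversized value before `tryMakeString` is reached and its result is used unchecked; please confirm that this step cannot fail for the input in the new test, otherwise the null check arrives too late. A one-line comment above the `tryMakeString` call saying that the description plus message can exceed the maximum string length, and that an out-of-memory error object is returned rather than thrown (consistent with `createError` returning a `JSObject*` to its caller), would help the next reader.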
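Review bot: the new stress test never catches the exception that `foo(true, 1)` is expected to raise, so it only demonstrates that the engine no longer asserts; wrap the call in try/catch and check that the caught value is an Error so the intended outcome is asserted rather than implied. `bar.padEnd(2147483644, 1)` also allocates a string of roughly 2^31 characters before the fixed path is even exercised, so consider skipping the test on memory-limited configurations, in the same spirit as the 32-bit skip recorded in the adjacent ChangeLog entry. Minor: the first line lacks its trailing semicolon and both `bar` and `foo` are implicit globals.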