WebKit Bugzilla
Attachment 357666 Details for Bug 192833: String overflow in JSC::createError results in ASSERT in WTF::makeString
[patch]
Patch for landing
bug-192833-20181219115253.patch (text/plain), 3.06 KB, created by Tadeu Zagallo on 2018-12-19 02:53:58 PST
>Subversion Revision: 239373 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 34dab9994072cd29a08ded23f21f17ba6a6dd805..967b204e04ea0dc3c4c17a1f9cbbf8379ad0c649 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-12-18 Tadeu Zagallo <tzagallo@apple.com> >+ >+ String overflow in JSC::createError results in ASSERT in WTF::makeString >+ https://bugs.webkit.org/show_bug.cgi?id=192833 >+ <rdar://problem/45706868> >+ >+ Reviewed by Mark Lam. >+ >+ JSC::createError was calling WTF::makeString which would result in an >+ assertion failure when the string was too big. Change it to call >+ WTF::tryMakeString instead and return an OutOfMemory error if we fail >+ to create the error string. >+ >+ * runtime/ExceptionHelpers.cpp: >+ (JSC::createError): >+ > 2018-12-18 Ross Kirsling <ross.kirsling@sony.com> > > Error message for `-x ** y` contains a typo. >diff --git a/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp b/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >index 20cb5fc77c08c46523128f5f684365d9449660c8..8a617b480f5bcf334eda8947f8eea1a4b64d1e5d 100644 >--- a/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >+++ b/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >@@ -267,7 +267,9 @@ JSObject* createError(ExecState* exec, JSValue value, const String& message, Err > VM& vm = exec->vm(); > auto scope = DECLARE_CATCH_SCOPE(vm); > >- String errorMessage = makeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message); >+ String errorMessage = tryMakeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message); >+ if (errorMessage.isNull()) >+ return createOutOfMemoryError(exec); > scope.assertNoException(); > JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(vm, value)); > ASSERT(exception->isErrorInstance()); 
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index dbd5b3c9aa08d93ba5f21dfcc232013e8b813ae2..c6d4bc7af04ce42617f469e82448caf10a587f24 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,13 @@ >+2018-12-18 Tadeu Zagallo <tzagallo@apple.com> >+ >+ String overflow in JSC::createError results in ASSERT in WTF::makeString >+ https://bugs.webkit.org/show_bug.cgi?id=192833 >+ <rdar://problem/45706868> >+ >+ Reviewed by Mark Lam. >+ >+ * stress/string-overflow-createError.js: Added. >+ > 2018-12-18 Ross Kirsling <ross.kirsling@sony.com> > > Error message for `-x ** y` contains a typo. >diff --git a/JSTests/stress/string-overflow-createError.js b/JSTests/stress/string-overflow-createError.js >new file mode 100644 >index 0000000000000000000000000000000000000000..01d95ad62210947919112bdf1e3e870f7bc39944 >--- /dev/null >+++ b/JSTests/stress/string-overflow-createError.js >@@ -0,0 +1,11 @@ >+var exception; >+try { >+ bar = '2.3023e-320' >+ foo = bar.padEnd(2147483644, 1); >+ foo(true, 1).value; >+} catch (e) { >+ exception = e; >+} >+ >+if (exception != "Error: Out of memory") >+ throw "FAILED";
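Review bot: in the ExceptionHelpers.cpp hunk the new early return, `if (errorMessage.isNull()) return createOutOfMemoryError(exec);`, leaves createError before the existing `scope.assertNoException();`, so on that path an exception thrown by `errorDescriptionForValue(exec, value)->value(exec)` would no longer trip the assertion and would be reported to the caller as an out-of-memory error instead. Consider checking the exception state before the early return (or moving the assertion above it) so only a failed `tryMakeString` takes the OutOfMemory path.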
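Review bot: in the string-overflow-createError.js hunk, `bar` and `foo` are assigned without a declaration (only `exception` gets a `var`), so they become implicit globals; declare them (`let bar = '2.3023e-320';`). The final check `exception != "Error: Out of memory"` compares through string coercion, which a thrown plain string of that text would also satisfy; `exception instanceof Error && exception.message === "Out of memory"` would pin down the behaviour the ChangeLog describes. Note also that `padEnd(2147483644, 1)` asks for a string of almost 2^31 characters, so the test depends on the harness being able to allocate, or promptly refuse, a request of that size.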