Skip to site navigation (Press enter)

[webkit-changes] [230026] trunk

rmorisset Wed, 28 Mar 2018 02:37:45 -0700

Title: [230026] trunk

Revision: 230026
Author: rmoris...@apple.com
Date: 2018-03-28 02:36:44 -0700 (Wed, 28 Mar 2018)

Log Message

appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
https://bugs.webkit.org/show_bug.cgi?id=183894


Reviewed by Saam Barati.

JSTests:

* stress/json-stringified-overflow.js: Added.
(catch):

Source/_javascript_Core:

Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.

* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):

Source/WTF:

appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
to fit in 4GB.

* wtf/text/StringBuilder.h:
* wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSONObject.cpp
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/text/StringBuilder.h
trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp

Added Paths

trunk/JSTests/stress/json-stringified-overflow.js

Diff

Modified: trunk/JSTests/ChangeLog (230025 => 230026)


--- trunk/JSTests/ChangeLog	2018-03-28 09:16:15 UTC (rev 230025)
+++ trunk/JSTests/ChangeLog	2018-03-28 09:36:44 UTC (rev 230026)
@@ -1,3 +1,13 @@
+2018-03-28  Robin Morisset  <rmoris...@apple.com>
+
+        appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+        https://bugs.webkit.org/show_bug.cgi?id=183894
+
+        Reviewed by Saam Barati.
+
+        * stress/json-stringified-overflow.js: Added.
+        (catch):
+
 2018-03-26  Filip Pizlo  <fpi...@apple.com>
 
         DFG should know that CreateThis can be effectful

Added: trunk/JSTests/stress/json-stringified-overflow.js (0 => 230026)


--- trunk/JSTests/stress/json-stringified-overflow.js	                        (rev 0)
+++ trunk/JSTests/stress/json-stringified-overflow.js	2018-03-28 09:36:44 UTC (rev 230026)
@@ -0,0 +1,3 @@
+try {
+      JSON.stringify("123".padStart(1073741823))
+} catch (e) {}

Modified: trunk/Source/_javascript_Core/ChangeLog (230025 => 230026)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-28 09:16:15 UTC (rev 230025)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-28 09:36:44 UTC (rev 230026)
@@ -1,3 +1,15 @@
+2018-03-28  Robin Morisset  <rmoris...@apple.com>
+
+        appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+        https://bugs.webkit.org/show_bug.cgi?id=183894
+
+        Reviewed by Saam Barati.
+
+        Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::appendStringifiedValue):
+
 2018-03-28  Carlos Garcia Campos  <cgar...@igalia.com>
 
         [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib

Modified: trunk/Source/_javascript_Core/runtime/JSONObject.cpp (230025 => 230026)


--- trunk/Source/_javascript_Core/runtime/JSONObject.cpp	2018-03-28 09:16:15 UTC (rev 230025)
+++ trunk/Source/_javascript_Core/runtime/JSONObject.cpp	2018-03-28 09:36:44 UTC (rev 230026)
@@ -357,8 +357,10 @@
     if (value.isString()) {
         const String& string = asString(value)->value(m_exec);
         RETURN_IF_EXCEPTION(scope, StringifyFailed);
-        builder.appendQuotedJSONString(string);
-        return StringifySucceeded;
+        if (builder.appendQuotedJSONString(string))
+            return StringifySucceeded;
+        throwOutOfMemoryError(m_exec, scope);
+        return StringifyFailed;
     }
 
     if (value.isNumber()) {

Modified: trunk/Source/WTF/ChangeLog (230025 => 230026)


--- trunk/Source/WTF/ChangeLog	2018-03-28 09:16:15 UTC (rev 230025)
+++ trunk/Source/WTF/ChangeLog	2018-03-28 09:36:44 UTC (rev 230026)
@@ -1,3 +1,17 @@
+2018-03-28  Robin Morisset  <rmoris...@apple.com>
+
+        appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+        https://bugs.webkit.org/show_bug.cgi?id=183894
+
+        Reviewed by Saam Barati.
+
+        appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
+        to fit in 4GB.
+
+        * wtf/text/StringBuilder.h:
+        * wtf/text/StringBuilderJSON.cpp:
+        (WTF::StringBuilder::appendQuotedJSONString):
+
 2018-03-27  Per Arne Vollan  <pvol...@apple.com>
 
         The layout test fast/canvas/webgl/read-pixels-test.html is timing out.

Modified: trunk/Source/WTF/wtf/text/StringBuilder.h (230025 => 230026)


--- trunk/Source/WTF/wtf/text/StringBuilder.h	2018-03-28 09:16:15 UTC (rev 230025)
+++ trunk/Source/WTF/wtf/text/StringBuilder.h	2018-03-28 09:36:44 UTC (rev 230026)
@@ -174,7 +174,7 @@
         append(U16_TRAIL(c));
     }
 
-    WTF_EXPORT_PRIVATE void appendQuotedJSONString(const String&);
+    WTF_EXPORT_PRIVATE bool appendQuotedJSONString(const String&);
 
     template<unsigned characterCount>
     ALWAYS_INLINE void appendLiteral(const char (&characters)[characterCount]) { append(characters, characterCount - 1); }

Modified: trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp (230025 => 230026)


--- trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp	2018-03-28 09:16:15 UTC (rev 230025)
+++ trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp	2018-03-28 09:36:44 UTC (rev 230026)
@@ -74,16 +74,18 @@
     }
 }
 
-void StringBuilder::appendQuotedJSONString(const String& string)
+bool StringBuilder::appendQuotedJSONString(const String& string)
 {
     // Make sure we have enough buffer space to append this string without having
     // to worry about reallocating in the middle.
     // The 2 is for the '"' quotes on each end.
     // The 6 is for characters that need to be \uNNNN encoded.
-    Checked<unsigned> stringLength = string.length();
-    Checked<unsigned> maximumCapacityRequired = length();
+    Checked<unsigned, RecordOverflow> stringLength = string.length();
+    Checked<unsigned, RecordOverflow> maximumCapacityRequired = length();
     maximumCapacityRequired += 2 + stringLength * 6;
-    unsigned allocationSize = maximumCapacityRequired.unsafeGet();
+    unsigned allocationSize;
+    if (CheckedState::DidOverflow == maximumCapacityRequired.safeGet(allocationSize))
+        return false;
     // This max() is here to allow us to allocate sizes between the range [2^31, 2^32 - 2] because roundUpToPowerOfTwo(1<<31 + some int smaller than 1<<31) == 0.
     // FIXME: roundUpToPowerOfTwo should take Checked<unsigned> and abort if it fails to round up.
     // https://bugs.webkit.org/show_bug.cgi?id=176086
@@ -113,6 +115,7 @@
         m_length = output - m_bufferCharacters16;
     }
     ASSERT(m_buffer->length() >= m_length);
+    return true;
 }
 
 } // namespace WTF

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes