Title: [249164] trunk
Revision
249164
Author
mark....@apple.com
Date
2019-08-27 13:10:40 -0700 (Tue, 27 Aug 2019)

Log Message

constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
https://bugs.webkit.org/show_bug.cgi?id=201196
<rdar://problem/54703775>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.

Source/_javascript_Core:

* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):

Diff

Modified: trunk/JSTests/ChangeLog (249163 => 249164)


--- trunk/JSTests/ChangeLog	2019-08-27 20:00:31 UTC (rev 249163)
+++ trunk/JSTests/ChangeLog	2019-08-27 20:10:40 UTC (rev 249164)
@@ -1,3 +1,13 @@
+2019-08-27  Mark Lam  <mark....@apple.com>
+
+        constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
+        https://bugs.webkit.org/show_bug.cgi?id=201196
+        <rdar://problem/54703775>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js: Added.
+
 2019-08-26  Ross Kirsling  <ross.kirsl...@sony.com>
 
         [JSC] Ensure x?.y ?? z is fast

Added: trunk/JSTests/stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js (0 => 249164)


--- trunk/JSTests/stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js	                        (rev 0)
+++ trunk/JSTests/stress/constructFunctionSkippingEvalEnabledCheck-should-throw-out-of-memory-error.js	2019-08-27 20:10:40 UTC (rev 249164)
@@ -0,0 +1,10 @@
+var exception;
+try {
+    Function('a'.repeat(2147483623));
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
+
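Review bot: the final assertion accepts any "Error: Out of memory" regardless of where it was thrown, so on a bot that cannot allocate the roughly 2 GB string, `'a'.repeat(2147483623)` may itself fail with the same error and the test would pass without ever reaching `Function()`; consider checking that the repeat succeeds before calling `Function`, and comparing with `exception instanceof Error && exception.message === "Out of memory"` rather than relying on string coercion of the exception. A comment explaining why 2147483623 was chosen (presumably so that the body fits in a string on its own while the `() {\n` and `\n}` wrapper text added in the single-argument branch pushes the total past the maximum string length) would also help future readers.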

Modified: trunk/Source/_javascript_Core/ChangeLog (249163 => 249164)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-27 20:00:31 UTC (rev 249163)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-27 20:10:40 UTC (rev 249164)
@@ -1,3 +1,14 @@
+2019-08-27  Mark Lam  <mark....@apple.com>
+
+        constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
+        https://bugs.webkit.org/show_bug.cgi?id=201196
+        <rdar://problem/54703775>
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+
 2019-08-27  Keith Miller  <keith_mil...@apple.com>
 
         When dumping Air Graphs BBQ should dump patchpoints.

Modified: trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp (249163 => 249164)


--- trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp	2019-08-27 20:00:31 UTC (rev 249163)
+++ trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp	2019-08-27 20:10:40 UTC (rev 249164)
@@ -109,7 +109,11 @@
     else if (args.size() == 1) {
         auto body = args.at(0).toWTFString(exec);
         RETURN_IF_EXCEPTION(scope, nullptr);
-        program = makeString(prefix, functionName.string(), "() {\n", body, "\n}");
+        program = tryMakeString(prefix, functionName.string(), "() {\n", body, "\n}");
+        if (UNLIKELY(!program)) {
+            throwOutOfMemoryError(exec, scope);
+            return nullptr;
+        }
     } else {
         StringBuilder builder(StringBuilder::OverflowHandler::RecordOverflow);
         builder.append(prefix, functionName.string(), '(');
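Review bot: the overflow check is added only to the `args.size() == 1` branch; the preceding `if` branch, which is not shown in this hunk, is worth confirming for the same `makeString` pattern, since a null `String` from a failed concatenation would otherwise propagate silently. Within the hunk the handling matches the `StringBuilder` branches below (`throwOutOfMemoryError` followed by `return nullptr`), which is the right shape; a brief comment that `tryMakeString` yields a null `String` on length overflow, so `!program` is the intended test, would make the check self-explanatory.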
@@ -122,7 +126,7 @@
             RETURN_IF_EXCEPTION(scope, nullptr);
             builder.append(", ", viewWithString.view);
         }
-        if (builder.hasOverflowed()) {
+        if (UNLIKELY(builder.hasOverflowed())) {
             throwOutOfMemoryError(exec, scope);
             return nullptr;
         }
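Review bot: this hunk only wraps the existing `builder.hasOverflowed()` test in `UNLIKELY`, a branch-prediction hint with no behavioural change, but the ChangeLog entry lists the function without saying so; a short mention there that the existing overflow checks were annotated would keep the log consistent with the diff.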
@@ -132,7 +136,7 @@
         auto body = args.at(args.size() - 1).toString(exec)->viewWithUnderlyingString(exec);
         RETURN_IF_EXCEPTION(scope, nullptr);
         builder.append(") {\n", body.view, "\n}");
-        if (builder.hasOverflowed()) {
+        if (UNLIKELY(builder.hasOverflowed())) {
             throwOutOfMemoryError(exec, scope);
             return nullptr;
         }
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
