Title: [88444] trunk/Source
Revision: 88444
Author: [email protected]
Date: 2011-06-09 05:42:40 -0700 (Thu, 09 Jun 2011)
Log Message:
2011-06-08 Mikołaj Małecki <[email protected]>
Reviewed by Pavel Feldman.
Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
https://bugs.webkit.org/show_bug.cgi?id=52791
No new tests. The problem can be reproduced by trying to create InspectorValue
from 1.0e-100 and call ->toJSONString() on this.
* _javascript_Core.exp:
* _javascript_Core.vcproj/_javascript_Core/_javascript_Core.def:
export 2 functions DecimalNumber::bufferLengthForStringExponential and
DecimalNumber::toStringExponential.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (88443 => 88444)
--- trunk/Source/_javascript_Core/ChangeLog 2011-06-09 12:09:14 UTC (rev 88443)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-06-09 12:42:40 UTC (rev 88444)
@@ -1,3 +1,18 @@
+2011-06-08 Mikołaj Małecki <[email protected]>
+
+ Reviewed by Pavel Feldman.
+
+ Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+ https://bugs.webkit.org/show_bug.cgi?id=52791
+
+ No new tests. The problem can be reproduced by trying to create InspectorValue
+ from 1.0e-100 and call ->toJSONString() on this.
+
+ * _javascript_Core.exp:
+ * _javascript_Core.vcproj/_javascript_Core/_javascript_Core.def:
+ export 2 functions DecimalNumber::bufferLengthForStringExponential and
+ DecimalNumber::toStringExponential.
+
2011-06-08 Sheriff Bot <[email protected]>
Unreviewed, rolling out r88404.
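Review bot: the entry lists the two newly exported symbols but does not say why they have to be exported; one clause noting that WebCore's InspectorValues.cpp now calls DecimalNumber::bufferLengthForStringExponential and DecimalNumber::toStringExponential from outside JavaScriptCore would make the .exp/.def changes self-explanatory to anyone reading the log later.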
Modified: trunk/Source/_javascript_Core/_javascript_Core.exp (88443 => 88444)
--- trunk/Source/_javascript_Core/_javascript_Core.exp 2011-06-09 12:09:14 UTC (rev 88443)
+++ trunk/Source/_javascript_Core/_javascript_Core.exp 2011-06-09 12:42:40 UTC (rev 88444)
@@ -572,7 +572,9 @@
__ZNK3JSC9HashTable11deleteTableEv
__ZNK3WTF12AtomicString5lowerEv
__ZNK3WTF13DecimalNumber15toStringDecimalEPtj
+__ZNK3WTF13DecimalNumber19toStringExponentialEPtj
__ZNK3WTF13DecimalNumber28bufferLengthForStringDecimalEv
+__ZNK3WTF13DecimalNumber32bufferLengthForStringExponentialEv
__ZNK3WTF6String11toIntStrictEPbi
__ZNK3WTF6String12toUIntStrictEPbi
__ZNK3WTF6String13toInt64StrictEPbi
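Review bot: the two added Itanium-mangled names encode const member functions (`__ZNK`) with the same parameter lists as their decimal counterparts, `EPtj` for `(UChar*, unsigned)` and `Ev` for `()`, and they keep the file's sorted order, so they should link as long as the declarations in DecimalNumber.h carry exactly that const qualification; a mismatch there shows up only as an unresolved symbol at link time, so it is worth a build check on the Mac port before landing.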
Modified: trunk/Source/_javascript_Core/_javascript_Core.vcproj/_javascript_Core/_javascript_Core.def (88443 => 88444)
--- trunk/Source/_javascript_Core/_javascript_Core.vcproj/_javascript_Core/_javascript_Core.def 2011-06-09 12:09:14 UTC (rev 88443)
+++ trunk/Source/_javascript_Core/_javascript_Core.vcproj/_javascript_Core/_javascript_Core.def 2011-06-09 12:42:40 UTC (rev 88444)
@@ -65,6 +65,7 @@
?attach@Debugger@JSC@@QAEXPAVJSGlobalObject@2@@Z
?broadcast@ThreadCondition@WTF@@QAEXXZ
?bufferLengthForStringDecimal@DecimalNumber@WTF@@QBEIXZ
+ ?bufferLengthForStringExponential@DecimalNumber@WTF@@QBEIXZ
?byteCompile@Yarr@JSC@@YA?AV?$PassOwnPtr@UBytecodePattern@Yarr@JSC@@@WTF@@AAUYarrPattern@12@PAVBumpPointerAllocator@4@@Z
?byteSize@SourceProviderCache@JSC@@QBEIXZ
?calculateDSTOffset@WTF@@YANNN@Z
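Review bot: `?bufferLengthForStringExponential@DecimalNumber@WTF@@QBEIXZ` decodes to a const member returning unsigned with no arguments, matching the existing `bufferLengthForStringDecimal` entry directly above it; since the Windows .def and the Mac .exp are maintained by hand and must stay in sync, confirm the declaration is public and const on the WTF side as well, otherwise the MSVC build will fail with an unresolved export rather than a compile error.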
@@ -349,6 +350,7 @@
?toString@JSObject@JSC@@UBE?AVUString@2@PAVExecState@2@@Z
?toString@JSString@JSC@@EBE?AVUString@2@PAVExecState@2@@Z
?toStringDecimal@DecimalNumber@WTF@@QBEIPA_WI@Z
+ ?toStringExponential@DecimalNumber@WTF@@QBEIPA_WI@Z
?toThisObject@JSCell@JSC@@UBEPAVJSObject@2@PAVExecState@2@@Z
?toThisObject@JSObject@JSC@@UBEPAV12@PAVExecState@2@@Z
?toThisObject@JSString@JSC@@EBEPAVJSObject@2@PAVExecState@2@@Z
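Review bot: `?toStringExponential@DecimalNumber@WTF@@QBEIPA_WI@Z` is the const, unsigned-returning `(wchar_t*, unsigned)` overload, consistent with the `toStringDecimal` entry it sits next to; nothing else to raise here beyond keeping the leading indentation identical to the neighbouring lines, which the rendered diff does not let a reviewer verify.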
Modified: trunk/Source/WebCore/ChangeLog (88443 => 88444)
--- trunk/Source/WebCore/ChangeLog 2011-06-09 12:09:14 UTC (rev 88443)
+++ trunk/Source/WebCore/ChangeLog 2011-06-09 12:42:40 UTC (rev 88444)
@@ -1,3 +1,18 @@
+2011-06-08 Mikołaj Małecki <[email protected]>
+
+ Reviewed by Pavel Feldman.
+
+ Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+ https://bugs.webkit.org/show_bug.cgi?id=52791
+
+ No new tests. The problem can be reproduced by trying to create InspectorValue
+ from 1.0e-100 and call ->toJSONString() on this.
+
+ * inspector/InspectorValues.cpp:
+ (WebCore::InspectorBasicValue::writeJSON):
+ Added checking the predicted buffer size and choosing exponential format, or
+ eventually "NaN" if the buffer is too small for decimal format.
+
2011-06-09 Sheriff Bot <[email protected]>
Unreviewed, rolling out r88387.
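Review bot: "No new tests" is hard to justify when the entry itself gives a one-line reproduction (build an InspectorValue from 1.0e-100 and call toJSONString()); a small inspector or unit test that serializes that value and asserts the output parses as JSON would lock in the fix and would also catch the "NaN" fallback described two lines below, which is not a JSON literal and so would make the whole serialized tree unparsable for any consumer.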
Modified: trunk/Source/WebCore/inspector/InspectorValues.cpp (88443 => 88444)
--- trunk/Source/WebCore/inspector/InspectorValues.cpp 2011-06-09 12:09:14 UTC (rev 88443)
+++ trunk/Source/WebCore/inspector/InspectorValues.cpp 2011-06-09 12:42:40 UTC (rev 88444)
@@ -620,7 +620,18 @@
output->append(falseString, 5);
} else if (type() == TypeNumber) {
NumberToStringBuffer buffer;
- unsigned length = DecimalNumber(m_doubleValue).toStringDecimal(buffer, WTF::NumberToStringBufferLength);
+ DecimalNumber decimal = m_doubleValue;
+ unsigned length = 0;
+ if (decimal.bufferLengthForStringDecimal() > WTF::NumberToStringBufferLength) {
+ // Not enough room for decimal. Use exponential format.
+ if (decimal.bufferLengthForStringExponential() > WTF::NumberToStringBufferLength) {
+ // Fallback for an abnormal case if it's too little even for exponential.
+ output->append("NaN", 3);
+ return;
+ }
+ length = decimal.toStringExponential(buffer, WTF::NumberToStringBufferLength);
+ } else
+ length = decimal.toStringDecimal(buffer, WTF::NumberToStringBufferLength);
output->append(buffer, length);
}
}
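Review bot: the fallback `output->append("NaN", 3);` emits a token that JSON does not define, so in the "abnormal case" the serializer still produces output, but output that every conforming JSON parser rejects as a whole document; since the branch is meant to be unreachable, prefer `ASSERT_NOT_REACHED()` followed by a well-formed value such as `output->append("null", 4)`. The overrun fix itself is sound: both `bufferLengthForStringDecimal()` and `bufferLengthForStringExponential()` are compared against `WTF::NumberToStringBufferLength` before anything is written into `buffer`, whereas the removed line called `toStringDecimal` unconditionally for values like 1.0e-100 whose decimal expansion needs far more than the fixed buffer. Two style points: `DecimalNumber decimal = m_doubleValue;` relies on an implicit conversion, and `DecimalNumber decimal(m_doubleValue);` says the same thing explicitly; and the bare `} else` arm next to a braced multi-line `if` is worth checking against the project's brace rules.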