Log Message
Crash in JSC::Lexer<unsigned char>::setCode https://bugs.webkit.org/show_bug.cgi?id=172754
Reviewed by Mark Lam.

JSTests:

* stress/dont-reserve-huge-capacity-lexer.js: Added.
(catch):

Source/_javascript_Core:

The lexer was asking one of its buffers to reserve initial space that was O(text size in bytes). For large sources, this would end up causing the vector to overflow and crash. This patch changes this code to be like the Lexer's other buffers and to only reserve a small starting buffer.

* parser/Lexer.cpp:
(JSC::Lexer<T>::setCode):
Modified Paths
- trunk/JSTests/ChangeLog
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/parser/Lexer.cpp
Added Paths
- trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js
Diff
Modified: trunk/JSTests/ChangeLog (218818 => 218819)
--- trunk/JSTests/ChangeLog 2017-06-26 19:13:56 UTC (rev 218818)
+++ trunk/JSTests/ChangeLog 2017-06-26 19:34:21 UTC (rev 218819)
@@ -1,3 +1,13 @@
+2017-06-26 Saam Barati <[email protected]>
+
+ Crash in JSC::Lexer<unsigned char>::setCode
+ https://bugs.webkit.org/show_bug.cgi?id=172754
+
+ Reviewed by Mark Lam.
+
+ * stress/dont-reserve-huge-capacity-lexer.js: Added.
+ (catch):
+
2017-06-24 Yusuke Suzuki <[email protected]>
[JSC] Clean up Object.entries implementation
Added: trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js (0 => 218819)
--- trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js (rev 0)
+++ trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js 2017-06-26 19:34:21 UTC (rev 218819)
@@ -0,0 +1,15 @@
+var fe="f";
+try
+{
+ for (i=0; i<25; i++)
+ fe += fe;
+
+ var fu=new Function(
+ fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
+ fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
+ fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
+ fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
+ "done"
+ );
+} catch(e) {
+}
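Review bot: the empty `catch(e) {}` swallows every exception, so this test only checks that the engine survives without crashing; a one-line comment at the top saying so, and noting that each `fe` argument is 2^25 characters long so that the constructed function source is very large, would make the intent clear to the next reader. Also `i` in `for (i=0; i<25; i++)` is never declared and leaks as a global; `for (var i = 0; i < 25; i++)` is the usual form in these stress tests.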
Modified: trunk/Source/_javascript_Core/ChangeLog (218818 => 218819)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-26 19:13:56 UTC (rev 218818)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-26 19:34:21 UTC (rev 218819)
@@ -1,3 +1,18 @@
+2017-06-26 Saam Barati <[email protected]>
+
+ Crash in JSC::Lexer<unsigned char>::setCode
+ https://bugs.webkit.org/show_bug.cgi?id=172754
+
+ Reviewed by Mark Lam.
+
+ The lexer was asking one of its buffers to reserve initial space that
+ was O(text size in bytes). For large sources, this would end up causing
+ the vector to overflow and crash. This patch changes this code be like
+ the Lexer's other buffers and to only reserve a small starting buffer.
+
+ * parser/Lexer.cpp:
+ (JSC::Lexer<T>::setCode):
+
2017-06-26 Yusuke Suzuki <[email protected]>
[WTF] Drop Thread::create(obsolete things) API since we can use lambda
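Review bot: the ChangeLog sentence "This patch changes this code be like the Lexer's other buffers" is missing "to" ("changes this code to be like"). It would also help to state plainly that the old reservation was proportional to the length of the source being parsed, since that input-driven allocation is the property the fix removes.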
Modified: trunk/Source/_javascript_Core/parser/Lexer.cpp (218818 => 218819)
--- trunk/Source/_javascript_Core/parser/Lexer.cpp 2017-06-26 19:13:56 UTC (rev 218818)
+++ trunk/Source/_javascript_Core/parser/Lexer.cpp 2017-06-26 19:34:21 UTC (rev 218819)
@@ -564,7 +564,7 @@
m_sourceMappingURLDirective = String();
m_buffer8.reserveInitialCapacity(initialReadBufferCapacity);
- m_buffer16.reserveInitialCapacity((m_codeEnd - m_code) / 2);
+ m_buffer16.reserveInitialCapacity(initialReadBufferCapacity);
m_bufferForRawTemplateString16.reserveInitialCapacity(initialReadBufferCapacity);
if (LIKELY(m_code < m_codeEnd))
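Review bot: the change itself looks right; consider adding a short comment above these three `reserveInitialCapacity(initialReadBufferCapacity)` calls stating that the lexer buffers grow on demand and must not be sized from `m_codeEnd - m_code`, so that the source-length-proportional reservation removed here is not reintroduced later.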
webkit-changes mailing list: https://lists.webkit.org/mailman/listinfo/webkit-changes
