Title: [224055] trunk
Revision
224055
Author
[email protected]
Date
2017-10-26 15:36:04 -0700 (Thu, 26 Oct 2017)

Log Message

JSRopeString::RopeBuilder::append() should check for overflows.
https://bugs.webkit.org/show_bug.cgi?id=178385
<rdar://problem/35027468>

Reviewed by Saam Barati.

JSTests:

* stress/regress-178385.js: Added.

Source/_javascript_Core:

1. Made RopeString check for overflow like the Checked class does.
2. Added a missing overflow check in objectProtoFuncToString().

* runtime/JSString.cpp:
(JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
(JSC::JSRopeString::RopeBuilder::expand): Deleted.
* runtime/JSString.h:
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/Operations.h:
(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):

Source/WTF:

* wtf/CheckedArithmetic.h:

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (224054 => 224055)


--- trunk/JSTests/ChangeLog	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/JSTests/ChangeLog	2017-10-26 22:36:04 UTC (rev 224055)
@@ -1,3 +1,13 @@
+2017-10-26  Mark Lam  <[email protected]>
+
+        JSRopeString::RopeBuilder::append() should check for overflows.
+        https://bugs.webkit.org/show_bug.cgi?id=178385
+        <rdar://problem/35027468>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-178385.js: Added.
+
 2017-10-26  Ryan Haddad  <[email protected]>
 
         Unreviewed, rolling out r223961.

Added: trunk/JSTests/stress/regress-178385.js (0 => 224055)


--- trunk/JSTests/stress/regress-178385.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-178385.js	2017-10-26 22:36:04 UTC (rev 224055)
@@ -0,0 +1,14 @@
+
+var exception;
+try {
+    var str0 = new String('@hBg');
+    var collat3 = new Intl.Collator();
+    str10 = str0.padEnd(0x7FFFFFFC, 1);
+    collat3[Symbol.toStringTag] = str10;
+    collat3.toLocaleString();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
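Review bot: `str10` on the sixth line of the file is assigned without a declaration, so it becomes an implicit global while `str0` and `collat3` are `var` locals; `var str10 = str0.padEnd(0x7FFFFFFC, 1);` keeps the three consistent. The final comparison is also satisfied if `padEnd` itself raises the out-of-memory Error before `toLocaleString()` runs, so the test can pass without reaching the rope overflow in Object.prototype.toString it is meant to cover; presumably `padEnd` succeeds at this length, but a comment stating that the tag is sized so that "[object " + tag + "]" exceeds the int32 length limit would record the intent.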

Modified: trunk/Source/_javascript_Core/ChangeLog (224054 => 224055)


--- trunk/Source/_javascript_Core/ChangeLog	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-10-26 22:36:04 UTC (rev 224055)
@@ -1,3 +1,24 @@
+2017-10-26  Mark Lam  <[email protected]>
+
+        JSRopeString::RopeBuilder::append() should check for overflows.
+        https://bugs.webkit.org/show_bug.cgi?id=178385
+        <rdar://problem/35027468>
+
+        Reviewed by Saam Barati.
+
+        1. Made RopeString check for overflow like the Checked class does.
+        2. Added a missing overflow check in objectProtoFuncToString().
+
+        * runtime/JSString.cpp:
+        (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
+        (JSC::JSRopeString::RopeBuilder::expand): Deleted.
+        * runtime/JSString.h:
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncToString):
+        * runtime/Operations.h:
+        (JSC::jsStringFromRegisterArray):
+        (JSC::jsStringFromArguments):
+
 2017-10-26  JF Bastien  <[email protected]>
 
         WebAssembly: no VM / JS version of our implementation

Modified: trunk/Source/_javascript_Core/runtime/JSString.cpp (224054 => 224055)


--- trunk/Source/_javascript_Core/runtime/JSString.cpp	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/_javascript_Core/runtime/JSString.cpp	2017-10-26 22:36:04 UTC (rev 224055)
@@ -40,11 +40,12 @@
     return Structure::create(vm, globalObject, proto, TypeInfo(StringType, StructureFlags), info());
 }
 
-void JSRopeString::RopeBuilder::expand()
+template<>
+void JSRopeString::RopeBuilder<RecordOverflow>::expand()
 {
+    RELEASE_ASSERT(!this->hasOverflowed());
     ASSERT(m_index == JSRopeString::s_maxInternalRopeLength);
     JSString* jsString = m_jsString;
-    RELEASE_ASSERT(jsString);
     m_jsString = jsStringBuilder(&m_vm);
     m_index = 0;
     append(jsString);
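Review bot: The explicit specialization on the first two added lines defines `expand()` for `RopeBuilder<RecordOverflow>` only, while the header's template defaults `OverflowHandler` to `CrashOnOverflow` and declares `expand()` for every instantiation; unless a general definition exists outside this diff, a `RopeBuilder<>` that grows past `s_maxInternalRopeLength` will fail at link time rather than compile time. Defining the primary template instead, `template<class OverflowHandler> void JSRopeString::RopeBuilder<OverflowHandler>::expand()`, in the header where instantiations can see it would cover both handlers. The new `RELEASE_ASSERT(!this->hasOverflowed())` is reachable only if `append()`'s own guard is bypassed, since `append()` returns early on an overflowed builder before calling `expand()`; a one-line comment saying so would keep the next reader from hunting for the path that sets the flag. The body of `expand()` continues past the end of the hunk.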

Modified: trunk/Source/_javascript_Core/runtime/JSString.h (224054 => 224055)


--- trunk/Source/_javascript_Core/runtime/JSString.h	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/_javascript_Core/runtime/JSString.h	2017-10-26 22:36:04 UTC (rev 224055)
@@ -30,6 +30,7 @@
 #include "Structure.h"
 #include "ThrowScope.h"
 #include <array>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/text/StringView.h>
 
 namespace JSC {
@@ -242,7 +243,8 @@
     friend JSRopeString* jsStringBuilder(VM*);
 
 public:
-    class RopeBuilder {
+    template <class OverflowHandler = CrashOnOverflow>
+    class RopeBuilder : public OverflowHandler {
     public:
         RopeBuilder(VM& vm)
             : m_vm(vm)
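Review bot: The new template parameter on `RopeBuilder` is undocumented, so a reader of the header cannot tell what the two handlers change about the builder's behaviour or that only `RecordOverflow` is used in this commit. A comment above `template <class OverflowHandler = CrashOnOverflow>` along the lines of `// OverflowHandler (CrashOnOverflow or RecordOverflow, as for WTF::Checked) decides what happens when the combined rope length would exceed int32: RecordOverflow sets a sticky flag that callers must test with hasOverflowed() before release().` would state the contract where the type is declared. The constructor that begins at the end of the hunk continues outside it.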
@@ -253,10 +255,12 @@
 
         bool append(JSString* jsString)
         {
+            if (UNLIKELY(this->hasOverflowed()))
+                return false;
             if (m_index == JSRopeString::s_maxInternalRopeLength)
                 expand();
             if (static_cast<int32_t>(m_jsString->length() + jsString->length()) < 0) {
-                m_jsString = nullptr;
+                this->overflowed();
                 return false;
             }
             m_jsString->append(m_vm, m_index++, jsString);
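Review bot: The overflow test on the context line `if (static_cast<int32_t>(m_jsString->length() + jsString->length()) < 0)` is the check the commit title is about, yet it is left relying on an out-of-range unsigned-to-int32 conversion, which is implementation-defined before C++20; with `<wtf/CheckedArithmetic.h>` now included, `if (checkedSum<int32_t>(m_jsString->length(), jsString->length()).hasOverflowed())` states the intent directly and matches the Checked idiom the ChangeLog cites. The `bool` result of `append()` is ignored by every caller in this commit, which is sound only because the two added lines at the top make the overflow sticky; a comment above that guard, `// Once overflowed the builder stays overflowed: further appends are no-ops and the caller must test hasOverflowed() before release().`, would record the property the callers depend on. The tail of `append()` is outside the hunk.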
@@ -265,13 +269,17 @@
 
         JSRopeString* release()
         {
-            RELEASE_ASSERT(m_jsString);
+            RELEASE_ASSERT(!this->hasOverflowed());
             JSRopeString* tmp = m_jsString;
-            m_jsString = 0;
+            m_jsString = nullptr;
             return tmp;
         }
 
-        unsigned length() const { return m_jsString->length(); }
+        unsigned length() const
+        {
+            ASSERT(!this->hasOverflowed());
+            return m_jsString->length();
+        }
 
     private:
         void expand();
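Review bot: `length()` guards the overflowed state with `ASSERT` while `release()` uses `RELEASE_ASSERT`, so in a release build a caller that skipped `hasOverflowed()` silently gets a length from `m_jsString` — presumably the partial rope, since `overflowed()` no longer nulls the pointer — whereas the same mistake in `release()` crashes. Unless `length()` is on a hot path, `RELEASE_ASSERT(!this->hasOverflowed());` keeps the two accessors consistent; otherwise a comment on `length()` noting that its value is only meaningful before an overflow would make the asymmetry deliberate.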

Modified: trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp (224054 => 224055)


--- trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp	2017-10-26 22:36:04 UTC (rev 224055)
@@ -334,12 +334,14 @@
             JSValue stringTag = toStringTagSlot.getValue(exec, toStringTagSymbol);
             RETURN_IF_EXCEPTION(scope, { });
             if (stringTag.isString()) {
-                JSRopeString::RopeBuilder ropeBuilder(vm);
+                JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);
                 ropeBuilder.append(vm.smallStrings.objectStringStart());
                 ropeBuilder.append(asString(stringTag));
                 ropeBuilder.append(vm.smallStrings.singleCharacterString(']'));
+                if (ropeBuilder.hasOverflowed())
+                    return throwOutOfMemoryError(exec, scope);
+
                 JSString* result = ropeBuilder.release();
-
                 thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
                 return result;
             }
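Review bot: The single `hasOverflowed()` test after the three `append()` calls is correct only because `append()` refuses further work once the builder has overflowed, a property that lives in JSString.h rather than here; a reader of this file sees three ignored `bool` results followed by one check. A comment above the new `if`, `// append() is a no-op once the builder has overflowed, so one test before release() covers all three appends.`, ties the two files together. The enclosing function starts and ends outside the hunk.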

Modified: trunk/Source/_javascript_Core/runtime/Operations.h (224054 => 224055)


--- trunk/Source/_javascript_Core/runtime/Operations.h	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/_javascript_Core/runtime/Operations.h	2017-10-26 22:36:04 UTC (rev 224055)
@@ -122,7 +122,7 @@
 {
     VM* vm = &exec->vm();
     auto scope = DECLARE_THROW_SCOPE(*vm);
-    JSRopeString::RopeBuilder ropeBuilder(*vm);
+    JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(*vm);
 
     for (unsigned i = 0; i < count; ++i) {
         JSValue v = strings[-static_cast<int>(i)].jsValue();
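Review bot: Switching `ropeBuilder` to `RecordOverflow` here and in the jsStringFromArguments hunk below changes what an overflow looks like to the rest of each function: `append()` now returns false and leaves the flag set instead of nulling `m_jsString`, and `release()` RELEASE_ASSERTs on that flag. Both function bodies continue outside the hunk, so it is not visible whether each `append()` result or `hasOverflowed()` is tested before `release()`; if neither is, the overflow still ends in a crash rather than the out-of-memory error the commit aims for, so that check is worth confirming in the unchanged lines.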
@@ -139,7 +139,7 @@
 {
     VM* vm = &exec->vm();
     auto scope = DECLARE_THROW_SCOPE(*vm);
-    JSRopeString::RopeBuilder ropeBuilder(*vm);
+    JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(*vm);
     JSString* str = thisValue.toString(exec);
     RETURN_IF_EXCEPTION(scope, { });
     ropeBuilder.append(str);

Modified: trunk/Source/WTF/ChangeLog (224054 => 224055)


--- trunk/Source/WTF/ChangeLog	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/WTF/ChangeLog	2017-10-26 22:36:04 UTC (rev 224055)
@@ -1,3 +1,13 @@
+2017-10-26  Mark Lam  <[email protected]>
+
+        JSRopeString::RopeBuilder::append() should check for overflows.
+        https://bugs.webkit.org/show_bug.cgi?id=178385
+        <rdar://problem/35027468>
+
+        Reviewed by Saam Barati.
+
+        * wtf/CheckedArithmetic.h:
+
 2017-10-25  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r222945.

Modified: trunk/Source/WTF/wtf/CheckedArithmetic.h (224054 => 224055)


--- trunk/Source/WTF/wtf/CheckedArithmetic.h	2017-10-26 22:25:06 UTC (rev 224054)
+++ trunk/Source/WTF/wtf/CheckedArithmetic.h	2017-10-26 22:36:04 UTC (rev 224055)
@@ -834,7 +834,6 @@
 
 using WTF::Checked;
 using WTF::CheckedState;
-using WTF::RecordOverflow;
 using WTF::CheckedInt8;
 using WTF::CheckedUint8;
 using WTF::CheckedInt16;
@@ -844,6 +843,8 @@
 using WTF::CheckedInt64;
 using WTF::CheckedUint64;
 using WTF::CheckedSize;
+using WTF::CrashOnOverflow;
+using WTF::RecordOverflow;
 using WTF::checkedSum;
 using WTF::differenceOverflows;
 using WTF::productOverflows;