Title: [230863] trunk
Revision
230863
Author
jfbast...@apple.com
Date
2018-04-20 16:18:23 -0700 (Fri, 20 Apr 2018)

Log Message

Handle more JSON stringify OOM
https://bugs.webkit.org/show_bug.cgi?id=184846
<rdar://problem/39390672>

Reviewed by Mark Lam.

JSTests:

* stress/json-stringified-overflow-2.js: Added. Same as the one
below, but with a bigger input which will trigger a different code
path.
(catch):
* stress/json-stringified-overflow.js: Modify the test to only
catch OOM on stringification, not on string creation.

Source/WTF:

JSON stringification can OOM easily. Here's another case.

* wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):

Diff

Modified: trunk/JSTests/ChangeLog (230862 => 230863)


--- trunk/JSTests/ChangeLog	2018-04-20 22:57:54 UTC (rev 230862)
+++ trunk/JSTests/ChangeLog	2018-04-20 23:18:23 UTC (rev 230863)
@@ -1,3 +1,18 @@
+2018-04-20  JF Bastien  <jfbast...@apple.com>
+
+        Handle more JSON stringify OOM
+        https://bugs.webkit.org/show_bug.cgi?id=184846
+        <rdar://problem/39390672>
+
+        Reviewed by Mark Lam.
+
+        * stress/json-stringified-overflow-2.js: Added. Same as the one
+        below, but with a bigger input which will trigger a different code
+        path.
+        (catch):
+        * stress/json-stringified-overflow.js: Modify the test to only
+        catch OOM on stringification. not on string creation.
+
 2018-04-18  Yusuke Suzuki  <utatane....@gmail.com>
 
         [WebAssembly][Modules] Import tables in wasm modules
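Review bot: the `(catch):` line under the json-stringified-overflow-2.js entry is a stray prepare-ChangeLog function marker for the try/catch block and carries no information; drop it. The sentence "catch OOM on stringification. not on string creation." should also read "stringification, not on string creation."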

Added: trunk/JSTests/stress/json-stringified-overflow-2.js (0 => 230863)


--- trunk/JSTests/stress/json-stringified-overflow-2.js	                        (rev 0)
+++ trunk/JSTests/stress/json-stringified-overflow-2.js	2018-04-20 23:18:23 UTC (rev 230863)
@@ -0,0 +1,5 @@
+//@ skip if $memoryLimited
+const s = "a".padStart(0x80000000 - 1);
+try {
+    JSON.stringify(s);
+} catch (e) {}
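Review bot: the empty `catch (e) {}` accepts any exception, so this test passes whether JSON.stringify hits the new allocation-size check, fails for an unrelated reason, or throws nothing at all; consider asserting that an error was thrown and that it is the out-of-memory error the fix is meant to produce, otherwise a regression that throws something else goes unnoticed. A one-line comment on why `0x80000000 - 1` was chosen would also help: the value sits just below the `>= 0x80000000` threshold added in StringBuilderJSON.cpp, presumably so that once the surrounding quote characters are counted the request lands on the new early return rather than on a real allocation failure, which is the "different code path" the ChangeLog mentions.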

Modified: trunk/JSTests/stress/json-stringified-overflow.js (230862 => 230863)


--- trunk/JSTests/stress/json-stringified-overflow.js	2018-04-20 22:57:54 UTC (rev 230862)
+++ trunk/JSTests/stress/json-stringified-overflow.js	2018-04-20 23:18:23 UTC (rev 230863)
@@ -1,4 +1,5 @@
 //@ skip if $memoryLimited
+const s = "123".padStart(1073741823);
 try {
-      JSON.stringify("123".padStart(1073741823))
+    JSON.stringify(s);
 } catch (e) {}
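Review bot: hoisting the padStart call out of the try block is the right change for the stated intent (an OOM while building the input string now fails the test instead of being silently swallowed), but a short comment above the `const` saying so would stop the next reader from folding it back into the try. The same catch-all concern applies here: `catch (e) {}` accepts any error, so checking the error type would make the test meaningful beyond "does not crash".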

Modified: trunk/Source/WTF/ChangeLog (230862 => 230863)


--- trunk/Source/WTF/ChangeLog	2018-04-20 22:57:54 UTC (rev 230862)
+++ trunk/Source/WTF/ChangeLog	2018-04-20 23:18:23 UTC (rev 230863)
@@ -1,3 +1,16 @@
+2018-04-20  JF Bastien  <jfbast...@apple.com>
+
+        Handle more JSON stringify OOM
+        https://bugs.webkit.org/show_bug.cgi?id=184846
+        <rdar://problem/39390672>
+
+        Reviewed by Mark Lam.
+
+        JSON stringification can OOM easily. Here's another case.
+
+        * wtf/text/StringBuilderJSON.cpp:
+        (WTF::StringBuilder::appendQuotedJSONString):
+
 2018-04-18  Jer Noble  <jer.no...@apple.com>
 
         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds

Modified: trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp (230862 => 230863)


--- trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp	2018-04-20 22:57:54 UTC (rev 230862)
+++ trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp	2018-04-20 23:18:23 UTC (rev 230863)
@@ -91,6 +91,10 @@
     // https://bugs.webkit.org/show_bug.cgi?id=176086
     allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
 
+    // Allocating this much will definitely fail.
+    if (allocationSize >= 0x80000000)
+        return false;
+
     if (is8Bit() && !string.is8Bit())
         allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
     else
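Review bot: the literal `0x80000000` should be a named constant rather than a magic number, and the comment should say why the allocation is guaranteed to fail (the result would exceed the 32-bit maximum string length; WTF already has StringImpl::MaxLength for exactly this) instead of just asserting that it will, since otherwise the value has to be kept in sync with the length limit by hand. Two further points: the check is placed after the power-of-two rounding, so with an unsigned 32-bit `allocationSize` a value above 2^31 wraps in roundUpToPowerOfTwo and `std::max` keeps the unrounded size, which the new check does catch; but any wraparound while computing `allocationSize` before this point (not shown in the hunk) would yield a small value that sails past the check, so that arithmetic should be checked as well. Finally, the early `return false` relies on every caller of appendQuotedJSONString testing the return value and raising OOM; worth confirming the JSON.stringify caller does, because the new tests only verify that nothing crashes.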
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes