Title: [231542] branches/safari-605-branch
- Revision: 231542
- Author: [email protected]
- Date: 2018-05-08 22:01:17 -0700 (Tue, 08 May 2018)
Log Message
Cherry-pick r230863. rdar://problem/40050818
Handle more JSON stringify OOM
https://bugs.webkit.org/show_bug.cgi?id=184846
<rdar://problem/39390672>
Reviewed by Mark Lam.
JSTests:
* stress/json-stringified-overflow-2.js: Added. Same as the one
below, but with a bigger input which will trigger a different code
path.
(catch):
* stress/json-stringified-overflow.js: Modify the test to only
catch OOM on stringification, not on string creation.
Source/WTF:
JSON stringification can OOM easily. Here's another case.
* wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230863 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-605-branch/JSTests/ChangeLog (231541 => 231542)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-05-09 05:01:14 UTC (rev 231541)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-05-09 05:01:17 UTC (rev 231542)
@@ -1,5 +1,48 @@
2018-05-08 Jason Marcell <[email protected]>
+ Cherry-pick r230863. rdar://problem/40050818
+
+ Handle more JSON stringify OOM
+ https://bugs.webkit.org/show_bug.cgi?id=184846
+ <rdar://problem/39390672>
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/json-stringified-overflow-2.js: Added. Same as the one
+ below, but with a bigger input which will trigger a different code
+ path.
+ (catch):
+ * stress/json-stringified-overflow.js: Modify the test to only
+ catch OOM on stringification. not on string creation.
+
+ Source/WTF:
+
+ JSON stringification can OOM easily. Here's another case.
+
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230863 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-20 JF Bastien <[email protected]>
+
+ Handle more JSON stringify OOM
+ https://bugs.webkit.org/show_bug.cgi?id=184846
+ <rdar://problem/39390672>
+
+ Reviewed by Mark Lam.
+
+ * stress/json-stringified-overflow-2.js: Added. Same as the one
+ below, but with a bigger input which will trigger a different code
+ path.
+ (catch):
+ * stress/json-stringified-overflow.js: Modify the test to only
+ catch OOM on stringification. not on string creation.
+
+2018-05-08 Jason Marcell <[email protected]>
+
Cherry-pick r230980. rdar://problem/40050820
fromCharCode is missing some exception checks
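Review bot: the `(catch):` line under the `json-stringified-overflow-2.js` entry is a stray function-listing placeholder (the test has no function named `catch`) and the same line, plus the "stringification. not on string creation" punctuation slip, is carried into both copies of the entry in this hunk; dropping the placeholder and writing "stringification, not on string creation" would keep the cherry-picked ChangeLog clean.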
Added: branches/safari-605-branch/JSTests/stress/json-stringified-overflow-2.js (0 => 231542)
--- branches/safari-605-branch/JSTests/stress/json-stringified-overflow-2.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/json-stringified-overflow-2.js 2018-05-09 05:01:17 UTC (rev 231542)
@@ -0,0 +1,5 @@
+//@ skip if $memoryLimited
+const s = "a".padStart(0x80000000 - 1);
+try {
+ JSON.stringify(s);
+} catch (e) {}
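Review bot: the input length `0x80000000 - 1` is chosen to sit one below the `allocationSize >= 0x80000000` threshold added in StringBuilderJSON.cpp in this same commit, so whether it trips the guard depends on the extra characters stringification adds and on the power-of-two rounding above the check; a one-line comment saying the value was picked to exercise that rounded-up path (the ChangeLog only says it "will trigger a different code path") would keep the intent clear when either side changes. Also, `catch (e) {}` accepts any exception, so a check on the type of `e` would stop the test from passing if `JSON.stringify` starts throwing for an unrelated reason.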
Modified: branches/safari-605-branch/JSTests/stress/json-stringified-overflow.js (231541 => 231542)
--- branches/safari-605-branch/JSTests/stress/json-stringified-overflow.js 2018-05-09 05:01:14 UTC (rev 231541)
+++ branches/safari-605-branch/JSTests/stress/json-stringified-overflow.js 2018-05-09 05:01:17 UTC (rev 231542)
@@ -1,3 +1,5 @@
+//@ skip if $memoryLimited
+const s = "123".padStart(1073741823);
try {
- JSON.stringify("123".padStart(1073741823))
+ JSON.stringify(s);
} catch (e) {}
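Review bot: hoisting the `padStart` call into `const s` outside the `try` means an OOM thrown while building the string now fails the test instead of being swallowed, which matches the ChangeLog's intent of only catching OOM on stringification; the remaining empty `catch (e) {}` still swallows every exception from `JSON.stringify(s)`, so asserting on the error type would make the test fail for the right reason rather than for any reason.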
Modified: branches/safari-605-branch/Source/WTF/ChangeLog (231541 => 231542)
--- branches/safari-605-branch/Source/WTF/ChangeLog 2018-05-09 05:01:14 UTC (rev 231541)
+++ branches/safari-605-branch/Source/WTF/ChangeLog 2018-05-09 05:01:17 UTC (rev 231542)
@@ -1,3 +1,44 @@
+2018-05-08 Jason Marcell <[email protected]>
+
+ Cherry-pick r230863. rdar://problem/40050818
+
+ Handle more JSON stringify OOM
+ https://bugs.webkit.org/show_bug.cgi?id=184846
+ <rdar://problem/39390672>
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/json-stringified-overflow-2.js: Added. Same as the one
+ below, but with a bigger input which will trigger a different code
+ path.
+ (catch):
+ * stress/json-stringified-overflow.js: Modify the test to only
+ catch OOM on stringification. not on string creation.
+
+ Source/WTF:
+
+ JSON stringification can OOM easily. Here's another case.
+
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230863 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-20 JF Bastien <[email protected]>
+
+ Handle more JSON stringify OOM
+ https://bugs.webkit.org/show_bug.cgi?id=184846
+ <rdar://problem/39390672>
+
+ Reviewed by Mark Lam.
+
+ JSON stringification can OOM easily. Here's another case.
+
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
2018-04-03 Jason Marcell <[email protected]>
Cherry-pick r230026. rdar://problem/39155085
Modified: branches/safari-605-branch/Source/WTF/wtf/text/StringBuilderJSON.cpp (231541 => 231542)
--- branches/safari-605-branch/Source/WTF/wtf/text/StringBuilderJSON.cpp 2018-05-09 05:01:14 UTC (rev 231541)
+++ branches/safari-605-branch/Source/WTF/wtf/text/StringBuilderJSON.cpp 2018-05-09 05:01:17 UTC (rev 231542)
@@ -91,6 +91,10 @@
// https://bugs.webkit.org/show_bug.cgi?id=176086
allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
+ // Allocating this much will definitely fail.
+ if (allocationSize >= 0x80000000)
+ return false;
+
if (is8Bit() && !string.is8Bit())
allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
else
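Review bot: the new guard is placed after `allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize))`, so for a size above 2^31 its correctness rests on `std::max` keeping the unrounded value when `roundUpToPowerOfTwo` would wrap to zero on a 32-bit size; that interplay is subtle enough to state in the comment rather than leave at "Allocating this much will definitely fail." The bare `0x80000000` literal also deserves a named constant tied to the string length limit it reflects, and the comment should say what the caller is expected to do with the `false` return, since the early return is the whole OOM-handling contract here.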