Title: [234404] releases/WebKitGTK/webkit-2.20
- Revision: 234404
- Author: [email protected]
- Date: 2018-07-31 00:00:43 -0700 (Tue, 31 Jul 2018)
Log Message
Merge r230863 - Handle more JSON stringify OOM
https://bugs.webkit.org/show_bug.cgi?id=184846
<rdar://problem/39390672>
Reviewed by Mark Lam.
JSTests:
* stress/json-stringified-overflow-2.js: Added. Same as the one
below, but with a bigger input which will trigger a different code
path.
(catch):
* stress/json-stringified-overflow.js: Modify the test to only
catch OOM on stringification, not on string creation.
Source/WTF:
JSON stringification can OOM easily. Here's another case.
* wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
Diff
Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (234403 => 234404)
--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-07-31 07:00:37 UTC (rev 234403)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-07-31 07:00:43 UTC (rev 234404)
@@ -1,3 +1,18 @@
+2018-04-20 JF Bastien <[email protected]>
+
+ Handle more JSON stringify OOM
+ https://bugs.webkit.org/show_bug.cgi?id=184846
+ <rdar://problem/39390672>
+
+ Reviewed by Mark Lam.
+
+ * stress/json-stringified-overflow-2.js: Added. Same as the one
+ below, but with a bigger input which will trigger a different code
+ path.
+ (catch):
+ * stress/json-stringified-overflow.js: Modify the test to only
+ catch OOM on stringification. not on string creation.
+
2018-04-17 JF Bastien <[email protected]>
A put is not an ExistingProperty put when we transition a structure because of an attributes change
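Review bot: the line "+ catch OOM on stringification. not on string creation." has a period where a comma is meant; it should read "catch OOM on stringification, not on string creation." The same sentence appears in the log message above, so the typo is visible in both places.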
Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/json-stringified-overflow-2.js (0 => 234404)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/json-stringified-overflow-2.js (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/json-stringified-overflow-2.js 2018-07-31 07:00:43 UTC (rev 234404)
@@ -0,0 +1,5 @@
+//@ skip if $memoryLimited
+const s = "a".padStart(0x80000000 - 1);
+try {
+ JSON.stringify(s);
+} catch (e) {}
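Review bot: `catch (e) {}` on the last line swallows every exception, so the test only shows that `JSON.stringify(s)` does not crash on a string of 0x80000000 - 1 characters; it does not check that stringification actually fails with an error, which is the behaviour the WTF change is meant to produce, and it would pass just as happily if stringify silently returned a bad result. Record whether an exception was raised and fail otherwise, for example `let threw = false; try { JSON.stringify(s); } catch (e) { threw = true; } if (!threw) throw new Error("expected stringify to fail");`. A one-line comment saying why 0x80000000 - 1 was chosen (the largest length the input can have, so quoting it must exceed the new limit) would also help the next reader of this file.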
Modified: releases/WebKitGTK/webkit-2.20/JSTests/stress/json-stringified-overflow.js (234403 => 234404)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/json-stringified-overflow.js 2018-07-31 07:00:37 UTC (rev 234403)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/json-stringified-overflow.js 2018-07-31 07:00:43 UTC (rev 234404)
@@ -1,3 +1,5 @@
+//@ skip if $memoryLimited
+const s = "123".padStart(1073741823);
try {
- JSON.stringify("123".padStart(1073741823))
+ JSON.stringify(s);
} catch (e) {}
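Review bot: hoisting `"123".padStart(1073741823)` into `const s` outside the `try` is the right change, since an OOM while building the input now fails the test loudly instead of being hidden by the catch; but the `catch (e) {}` left behind still hides everything that happens inside `JSON.stringify(s)`, so the test cannot distinguish "threw the expected error" from "returned something and threw nothing". As with the new sibling test, track whether an exception was thrown and fail when none is, and consider a short comment on why 1073741823 (0x3fffffff) is the interesting length here, since the two tests are described as exercising different code paths but nothing in the file says which.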
Modified: releases/WebKitGTK/webkit-2.20/Source/WTF/ChangeLog (234403 => 234404)
--- releases/WebKitGTK/webkit-2.20/Source/WTF/ChangeLog 2018-07-31 07:00:37 UTC (rev 234403)
+++ releases/WebKitGTK/webkit-2.20/Source/WTF/ChangeLog 2018-07-31 07:00:43 UTC (rev 234404)
@@ -1,3 +1,16 @@
+2018-04-20 JF Bastien <[email protected]>
+
+ Handle more JSON stringify OOM
+ https://bugs.webkit.org/show_bug.cgi?id=184846
+ <rdar://problem/39390672>
+
+ Reviewed by Mark Lam.
+
+ JSON stringification can OOM easily. Here's another case.
+
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
2018-04-04 Yusuke Suzuki <[email protected]>
[WTF] Remove Atomics.cpp
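Review bot: the entry says only "JSON stringification can OOM easily. Here's another case." and never states what the fix is; a ChangeLog reader cannot tell from it that `appendQuotedJSONString` now refuses to allocate 0x80000000 characters or more and returns false to its caller. Add a sentence under the `(WTF::StringBuilder::appendQuotedJSONString):` line describing that early return and the condition that triggers it, so the entry documents the behaviour change and not just the motivation.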
Modified: releases/WebKitGTK/webkit-2.20/Source/WTF/wtf/text/StringBuilderJSON.cpp (234403 => 234404)
--- releases/WebKitGTK/webkit-2.20/Source/WTF/wtf/text/StringBuilderJSON.cpp 2018-07-31 07:00:37 UTC (rev 234403)
+++ releases/WebKitGTK/webkit-2.20/Source/WTF/wtf/text/StringBuilderJSON.cpp 2018-07-31 07:00:43 UTC (rev 234404)
@@ -91,6 +91,10 @@
// https://bugs.webkit.org/show_bug.cgi?id=176086
allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
+ // Allocating this much will definitely fail.
+ if (allocationSize >= 0x80000000)
+ return false;
+
if (is8Bit() && !string.is8Bit())
allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
else
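Review bot: the bare literal `0x80000000` and the comment "Allocating this much will definitely fail." do not say why the allocation must fail; the reason is that string lengths are capped at 31 bits, so the comparison should be written against the named constant that expresses that cap rather than a magic number, and the comment should say so, e.g. "// A string this long cannot exist; the length cap is 31 bits, so bail out before trying to allocate." Two further things to confirm that the hunk does not show: that the computation of `allocationSize` above this point cannot itself wrap around 32 bits before reaching this check (in which case a wrapped small value would sail past it), and that every caller of `appendQuotedJSONString` already handles a `false` return by raising the out-of-memory error rather than ignoring it. Placing the check after `roundUpToPowerOfTwo` is fine, since `std::max` keeps the un-rounded size if rounding overflows.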