Title: [239375] trunk
- Revision
- 239375
- Author
- [email protected]
- Date
- 2018-12-19 03:33:12 -0800 (Wed, 19 Dec 2018)
Log Message
String overflow in JSC::createError results in ASSERT in WTF::makeString
https://bugs.webkit.org/show_bug.cgi?id=192833
<rdar://problem/45706868>
Reviewed by Mark Lam.
JSTests:
* stress/string-overflow-createError.js: Added.
Source/_javascript_Core:
JSC::createError was calling WTF::makeString which would result in an
assertion failure when the string was too big. Change it to call
WTF::tryMakeString instead and return an OutOfMemory error if we fail
to create the error string.
* runtime/ExceptionHelpers.cpp:
(JSC::createError):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (239374 => 239375)
--- trunk/JSTests/ChangeLog 2018-12-19 11:20:16 UTC (rev 239374)
+++ trunk/JSTests/ChangeLog 2018-12-19 11:33:12 UTC (rev 239375)
@@ -1,3 +1,13 @@
+2018-12-19 Tadeu Zagallo <[email protected]>
+
+ String overflow in JSC::createError results in ASSERT in WTF::makeString
+ https://bugs.webkit.org/show_bug.cgi?id=192833
+ <rdar://problem/45706868>
+
+ Reviewed by Mark Lam.
+
+ * stress/string-overflow-createError.js: Added.
+
2018-12-18 Ross Kirsling <[email protected]>
Error message for `-x ** y` contains a typo.
Added: trunk/JSTests/stress/string-overflow-createError.js (0 => 239375)
--- trunk/JSTests/stress/string-overflow-createError.js (rev 0)
+++ trunk/JSTests/stress/string-overflow-createError.js 2018-12-19 11:33:12 UTC (rev 239375)
@@ -0,0 +1,11 @@
+var exception;
+try {
+ bar = '2.3023e-320'
+ foo = bar.padEnd(2147483644, 1);
+ foo(true, 1).value;
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "Error: Out of memory")
+ throw "FAILED";
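Review bot: `throw "FAILED"` discards the exception that was actually caught, so when this test regresses (or when an unrelated path such as `padEnd` throws first) the failure gives no hint of what was thrown; including it, e.g. `throw "FAILED: " + exception;`, costs nothing and makes the stress output actionable. Two smaller points on the same hunk: `bar` and `foo` are created as implicit globals (no `var`/`let`), which is fine for a sloppy-mode stress test but worth a one-line comment so nobody "fixes" it into strict mode, and the `!=` comparison relies on the Error's `toString()` producing exactly `"Error: Out of memory"`, which is the intended check but could be stated as a comment since the expression under test (`foo(true, 1).value`) is deliberately a call on a string rather than a function.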
Modified: trunk/Source/_javascript_Core/ChangeLog (239374 => 239375)
--- trunk/Source/_javascript_Core/ChangeLog 2018-12-19 11:20:16 UTC (rev 239374)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-12-19 11:33:12 UTC (rev 239375)
@@ -1,3 +1,19 @@
+2018-12-19 Tadeu Zagallo <[email protected]>
+
+ String overflow in JSC::createError results in ASSERT in WTF::makeString
+ https://bugs.webkit.org/show_bug.cgi?id=192833
+ <rdar://problem/45706868>
+
+ Reviewed by Mark Lam.
+
+ JSC::createError was calling WTF::makeString which would result in an
+ assertion failure when the string was too big. Change it to call
+ WTF::tryMakeString instead and return an OutOfMemory error if we fail
+ to create the error string.
+
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createError):
+
2018-12-18 Ross Kirsling <[email protected]>
Error message for `-x ** y` contains a typo.
Modified: trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp (239374 => 239375)
--- trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2018-12-19 11:20:16 UTC (rev 239374)
+++ trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2018-12-19 11:33:12 UTC (rev 239375)
@@ -267,7 +267,9 @@
VM& vm = exec->vm();
auto scope = DECLARE_CATCH_SCOPE(vm);
- String errorMessage = makeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message);
+ String errorMessage = tryMakeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message);
+ if (errorMessage.isNull())
+ return createOutOfMemoryError(exec);
scope.assertNoException();
JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(vm, value));
ASSERT(exception->isErrorInstance());
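Review bot: the new early return sits before `scope.assertNoException()`, so on the out-of-memory path nothing verifies that `errorDescriptionForValue(exec, value)->value(exec)` completed without raising an exception; resolving the description of a value this large is exactly the case where that call is most likely to fail, and a pending exception would then be silently overwritten by the caller throwing the returned out-of-memory error. Consider splitting the description resolution into its own statement and asserting (or checking `scope.exception()`) right after it, before calling `tryMakeString`. A short comment on the `tryMakeString` line noting why the fallible variant is needed here (the description plus message can exceed the string length limit) would also help the next reader, since the rest of this file uses `makeString`.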
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes