Title: [253441] trunk
- Revision
- 253441
- Author
- [email protected]
- Date
- 2019-12-12 11:19:30 -0800 (Thu, 12 Dec 2019)
Log Message
Fix missing exception check in JSON Stringifier's gap function.
https://bugs.webkit.org/show_bug.cgi?id=205171
<rdar://problem/57871842>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/missing-exception-check-in-json-stringifier-gap.js: Added.
Source/_javascript_Core:
* runtime/JSONObject.cpp:
(JSC::gap):
Diff
Modified: trunk/JSTests/ChangeLog (253440 => 253441)
--- trunk/JSTests/ChangeLog 2019-12-12 19:09:12 UTC (rev 253440)
+++ trunk/JSTests/ChangeLog 2019-12-12 19:19:30 UTC (rev 253441)
@@ -1,5 +1,15 @@
2019-12-12 Mark Lam <[email protected]>
+ Fix missing exception check in JSON Stringifier's gap function.
+ https://bugs.webkit.org/show_bug.cgi?id=205171
+ <rdar://problem/57871842>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/missing-exception-check-in-json-stringifier-gap.js: Added.
+
+2019-12-12 Mark Lam <[email protected]>
+
DFG and FTL expects String.prototype to not qualify for StringObjectUse.
https://bugs.webkit.org/show_bug.cgi?id=205147
<rdar://problem/57748888>
Added: trunk/JSTests/stress/missing-exception-check-in-json-stringifier-gap.js (0 => 253441)
--- trunk/JSTests/stress/missing-exception-check-in-json-stringifier-gap.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-json-stringifier-gap.js 2019-12-12 19:19:30 UTC (rev 253441)
@@ -0,0 +1,13 @@
+//@ skip if $memoryLimited
+//@ runDefault
+
+const s0 = (10).toLocaleString();
+const s1 = s0.padStart(2**31-1, 'aa');
+try {
+ JSON.stringify(0, undefined, s1);
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "Error: Out of memory")
+ throw "FAILED";
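Review bot: `exception` is never declared, so if `JSON.stringify` unexpectedly returns without throwing, the `if (exception != ...)` line raises a ReferenceError instead of the intended "FAILED", which makes a regression look like a test-harness error; declaring `let exception;` before the `try` (or initialising it to `undefined`) would keep the failure path meaningful. The comparison `exception != "Error: Out of memory"` also depends on the thrown value stringifying to exactly that text, so a changed OOM message would fail this test rather than the feature under test; comparing `exception instanceof Error` plus `exception.message` would be more robust.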
Modified: trunk/Source/_javascript_Core/ChangeLog (253440 => 253441)
--- trunk/Source/_javascript_Core/ChangeLog 2019-12-12 19:09:12 UTC (rev 253440)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-12-12 19:19:30 UTC (rev 253441)
@@ -1,5 +1,16 @@
2019-12-12 Mark Lam <[email protected]>
+ Fix missing exception check in JSON Stringifier's gap function.
+ https://bugs.webkit.org/show_bug.cgi?id=205171
+ <rdar://problem/57871842>
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/JSONObject.cpp:
+ (JSC::gap):
+
+2019-12-12 Mark Lam <[email protected]>
+
DFG and FTL expects String.prototype to not qualify for StringObjectUse.
https://bugs.webkit.org/show_bug.cgi?id=205147
<rdar://problem/57748888>
Modified: trunk/Source/_javascript_Core/runtime/JSONObject.cpp (253440 => 253441)
--- trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2019-12-12 19:09:12 UTC (rev 253440)
+++ trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2019-12-12 19:19:30 UTC (rev 253441)
@@ -185,6 +185,7 @@
// If the space value is a string, use it as the gap string, otherwise use no gap string.
String spaces = space.getString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
if (spaces.length() <= maxGapLength)
return spaces;
return spaces.substringSharingImpl(0, maxGapLength);
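Review bot: the added `RETURN_IF_EXCEPTION(scope, { });` correctly stops `gap` from using `spaces` after `space.getString(globalObject)` has thrown, but neither the hunk nor the ChangeLog says why `getString` can throw here; a one-line comment (resolving the space value to a flat string can fail, which is what the stress test's huge `padStart` result triggers) would keep a future reader from treating the check as redundant and removing it. Only three context lines are shown, so please confirm that `scope` is the `ThrowScope` declared at the top of `gap` and that every caller of `gap` already handles a null/empty return by checking the scope itself, since returning `{ }` alone carries no error information.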
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes