Skip to site navigation (Press enter)

[webkit-changes] [263889] trunk

ysuzuki Fri, 03 Jul 2020 02:20:19 -0700

Title: [263889] trunk

Revision: 263889
Author: [email protected]
Date: 2020-07-03 02:18:46 -0700 (Fri, 03 Jul 2020)

Log Message

[JSC] Add exception checks in JSStringBuilder and Array#join
https://bugs.webkit.org/show_bug.cgi?id=213915
<rdar://problem/64878225>


Reviewed by Saam Barati and Mark Lam.

JSTests:

* stress/out-of-memory-handle-in-join.js: Added.
(shouldThrow):

Source/_javascript_Core:

This patch adds missing exception checks into Array#join's certain place and JSStringBuilder.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
* runtime/JSStringJoiner.h:
(JSC::JSStringJoiner::append):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp
trunk/Source/_javascript_Core/runtime/JSStringJoiner.h

Added Paths

trunk/JSTests/stress/out-of-memory-handle-in-join.js

Diff

Modified: trunk/JSTests/ChangeLog (263888 => 263889)


--- trunk/JSTests/ChangeLog	2020-07-03 09:06:00 UTC (rev 263888)
+++ trunk/JSTests/ChangeLog	2020-07-03 09:18:46 UTC (rev 263889)
@@ -1,3 +1,14 @@
+2020-07-03  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Add exception checks in JSStringBuilder and Array#join
+        https://bugs.webkit.org/show_bug.cgi?id=213915
+        <rdar://problem/64878225>
+
+        Reviewed by Saam Barati and Mark Lam.
+
+        * stress/out-of-memory-handle-in-join.js: Added.
+        (shouldThrow):
+
 2020-07-02  Yusuke Suzuki  <[email protected]>
 
         Unreviewed, mark JSTests/test262/test/intl402/NumberFormat/prototype/format/numbering-systems.js fail since it requires ICU 66

Added: trunk/JSTests/stress/out-of-memory-handle-in-join.js (0 => 263889)


--- trunk/JSTests/stress/out-of-memory-handle-in-join.js	                        (rev 0)
+++ trunk/JSTests/stress/out-of-memory-handle-in-join.js	2020-07-03 09:18:46 UTC (rev 263889)
@@ -0,0 +1,21 @@
+//@ skip if $memoryLimited
+
+function shouldThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (!errorThrown)
+        throw new Error('not thrown');
+    if (String(error) !== errorMessage)
+        throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldThrow(() => {
+    let x = { toString: () => ''.padEnd(2 ** 31 - 1, 10..toLocaleString()) };
+    [x].join();
+}, `RangeError: Out of memory`);

Modified: trunk/Source/_javascript_Core/ChangeLog (263888 => 263889)


--- trunk/Source/_javascript_Core/ChangeLog	2020-07-03 09:06:00 UTC (rev 263888)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-07-03 09:18:46 UTC (rev 263889)
@@ -1,3 +1,18 @@
+2020-07-03  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Add exception checks in JSStringBuilder and Array#join
+        https://bugs.webkit.org/show_bug.cgi?id=213915
+        <rdar://problem/64878225>
+
+        Reviewed by Saam Barati and Mark Lam.
+
+        This patch adds missing exception checks into Array#join's certain place and JSStringBuilder.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncToString):
+        * runtime/JSStringJoiner.h:
+        (JSC::JSStringJoiner::append):
+
 2020-07-03  Fujii Hironori  <[email protected]>
 
         Builtin internal wrapper implementation files wrap static global initialization code with incorrect guards

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (263888 => 263889)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2020-07-03 09:06:00 UTC (rev 263888)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2020-07-03 09:18:46 UTC (rev 263889)
@@ -652,6 +652,7 @@
 
         bool sawHoles = false;
         JSValue result = fastJoin(globalObject, thisArray, { &comma, 1 }, length, &sawHoles);
+        RETURN_IF_EXCEPTION(scope, { });
 
         if (!sawHoles && result && isJSString(result) && isCoW) {
             ASSERT(JSImmutableButterfly::fromButterfly(thisArray->butterfly()) == immutableButterfly);

Modified: trunk/Source/_javascript_Core/runtime/JSStringJoiner.h (263888 => 263889)


--- trunk/Source/_javascript_Core/runtime/JSStringJoiner.h	2020-07-03 09:06:00 UTC (rev 263888)
+++ trunk/Source/_javascript_Core/runtime/JSStringJoiner.h	2020-07-03 09:18:46 UTC (rev 263889)
@@ -156,9 +156,15 @@
 
 ALWAYS_INLINE void JSStringJoiner::append(JSGlobalObject* globalObject, JSValue value)
 {
-    if (!appendWithoutSideEffects(globalObject, value)) {
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    bool success = appendWithoutSideEffects(globalObject, value);
+    RETURN_IF_EXCEPTION(scope, void());
+    if (!success) {
         JSString* jsString = value.toString(globalObject);
-        append(jsString->viewWithUnderlyingString(globalObject));
+        RETURN_IF_EXCEPTION(scope, void());
+        RELEASE_AND_RETURN(scope, append(jsString->viewWithUnderlyingString(globalObject)));
     }
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes