Title: [274181] trunk
Revision
274181
Author
[email protected]
Date
2021-03-09 15:30:31 -0800 (Tue, 09 Mar 2021)

Log Message

JSC Crash in makeString() while creating Error object.
https://bugs.webkit.org/show_bug.cgi?id=222452

Reviewed by Mark Lam.

JSTests:

* stress/large-string-should-not-crash-error-creation.js: Added.

Source/_javascript_Core:

This patch clamps the user provided part of error messages to
2-KB of characters. Technically, it could actually be 4-KB of
data for 16-bit strings. This is a somewhat randomly picked length
but seems like it should be sufficient for any normal use case I
can think of.

* runtime/ExceptionHelpers.cpp:
(JSC::clampErrorMessage):
(JSC::defaultApproximateSourceError):
(JSC::defaultSourceAppender):
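The bounded-length idea the log message describes, written out as an added example; this is not WebKit code and uses std::string/std::string_view in place of WTF::String, StringView and makeString. It keeps the patch's 2 KB character limit for the message and, as an assumption that goes beyond the patch, also bounds the sourceText fragment with a hypothetical kMaxSourceLength so the whole formatted message has a fixed upper bound. The helper names clampSourceText and wouldTruncate are this example's own.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <string_view>

// Added example, not WebKit code: the same bounded-length idea as
// JSC::clampErrorMessage, written against std::string/std::string_view
// instead of WTF::String/StringView/makeString.
constexpr std::size_t kMaxMessageLength = 2 * 1024; // characters, as in the patch
constexpr std::size_t kMaxSourceLength = 256;       // assumption: the patch leaves sourceText unbounded

// Returns a view of at most kMaxMessageLength characters. string_view::substr
// clamps its count to what is available, so short messages come back whole.
// The view borrows originalMessage: it is only valid while that string lives,
// which is why callers consume it immediately rather than storing it.
static std::string_view clampErrorMessage(const std::string& originalMessage)
{
    return std::string_view(originalMessage).substr(0, kMaxMessageLength);
}

// Same treatment for the source fragment (hypothetical helper, not in the patch).
static std::string_view clampSourceText(const std::string& sourceText)
{
    return std::string_view(sourceText).substr(0, kMaxSourceLength);
}

// Builds "<message> (near '...<source>...')" the way defaultApproximateSourceError
// does, but with both externally influenced parts bounded, so the result is at
// most kMaxMessageLength + kMaxSourceLength + 16 characters for any input.
std::string approximateSourceError(const std::string& originalMessage, const std::string& sourceText)
{
    std::string_view message = clampErrorMessage(originalMessage); // originalMessage outlives this scope
    std::string_view source = clampSourceText(sourceText);
    std::string out;
    out.reserve(message.size() + source.size() + 16);
    out.append(message.data(), message.size());
    out.append(" (near '...");
    out.append(source.data(), source.size());
    out.append("...')");
    return out;
}

// Reports whether the message half would be cut, so a caller can flag the
// truncation (e.g. with a trailing ellipsis), which the patch itself does not do.
bool wouldTruncate(const std::string& originalMessage)
{
    return originalMessage.size() > kMaxMessageLength;
}
```

A 1 MiB message fed through approximateSourceError comes back as exactly 2048 characters plus the fixed suffix; the borrowed views are never stored past the call, which is the same lifetime discipline the patch relies on when it passes the StringView straight into makeString.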

Diff

Modified: trunk/JSTests/ChangeLog (274180 => 274181)


--- trunk/JSTests/ChangeLog	2021-03-09 23:22:49 UTC (rev 274180)
+++ trunk/JSTests/ChangeLog	2021-03-09 23:30:31 UTC (rev 274181)
@@ -1,3 +1,12 @@
+2021-03-09  Keith Miller  <[email protected]>
+
+        JSC Crash in makeString() while creating Error object.
+        https://bugs.webkit.org/show_bug.cgi?id=222452
+
+        Reviewed by Mark Lam.
+
+        * stress/large-string-should-not-crash-error-creation.js: Added.
+
 2021-03-09  Mark Lam  <[email protected]>
 
         Use --verifyGC=true on some JSC stress test configurations.

Added: trunk/JSTests/stress/large-string-should-not-crash-error-creation.js (0 => 274181)


--- trunk/JSTests/stress/large-string-should-not-crash-error-creation.js	                        (rev 0)
+++ trunk/JSTests/stress/large-string-should-not-crash-error-creation.js	2021-03-09 23:30:31 UTC (rev 274181)
@@ -0,0 +1,9 @@
+//@ skip if $memoryLimited
+
+try {
+    bar_693 = '2.3023e-320';
+    foo_508 = bar_693.padEnd(2147483620, 1);
+    var newInstance = new foo_508(1, 2);
+} catch {
+    // Allocating this error shouldn't crash us.
+}
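Review bot: the bare `catch {` at the end of the hunk swallows every exception, so if the 2 GB `padEnd(2147483620, 1)` allocation fails and throws before `new foo_508(1, 2)` runs, the test passes without ever building an Error from a large message, which is the case it exists to cover. Suggest binding the exception and checking it is the TypeError that `new` on a string value produces, e.g. `} catch (e) {` / `if (!(e instanceof TypeError)) throw new Error("expected TypeError, got " + e);`, so an early RangeError from `padEnd` shows up as a failure rather than a silent pass. The `//@ skip if $memoryLimited` line already acknowledges the allocation is the fragile part.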

Modified: trunk/Source/_javascript_Core/ChangeLog (274180 => 274181)


--- trunk/Source/_javascript_Core/ChangeLog	2021-03-09 23:22:49 UTC (rev 274180)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-03-09 23:30:31 UTC (rev 274181)
@@ -1,3 +1,21 @@
+2021-03-09  Keith Miller  <[email protected]>
+
+        JSC Crash in makeString() while creating Error object.
+        https://bugs.webkit.org/show_bug.cgi?id=222452
+
+        Reviewed by Mark Lam.
+
+        This patch clamps the user provided part of error messages to
+        2-KB of characters. Technically, it could actually be 4-KB of
+        data for 16-bit strings. This is a somewhat randomly picked length
+        but seems like it should be sufficient for any normal use case I
+        can think of.
+
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::clampErrorMessage):
+        (JSC::defaultApproximateSourceError):
+        (JSC::defaultSourceAppender):
+
 2021-03-08  Saam Barati  <[email protected]>
 
         Using an undeclared private field inside eval shouldn't crash

Modified: trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp (274180 => 274181)


--- trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp	2021-03-09 23:22:49 UTC (rev 274180)
+++ trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp	2021-03-09 23:30:31 UTC (rev 274181)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -98,9 +98,16 @@
     return v.toString(globalObject)->value(globalObject);
 }
     
+static StringView clampErrorMessage(const String& originalMessage)
+{
+    // Hopefully this is sufficiently long. Note, this is the length of the string not the number of bytes used.
+    constexpr unsigned maxLength = 2 * KB;
+    return StringView(originalMessage).substring(0, maxLength);
+}
+
 static String defaultApproximateSourceError(const String& originalMessage, const String& sourceText)
 {
-    return makeString(originalMessage, " (near '...", sourceText, "...')");
+    return makeString(clampErrorMessage(originalMessage), " (near '...", sourceText, "...')");
 }
 
 String defaultSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
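Review bot: `clampErrorMessage` truncates silently, so a message cut at `maxLength` gives the reader no sign that text was dropped; consider appending an ellipsis when `originalMessage.length() > maxLength`. Returning a `StringView` that borrows `originalMessage` is sound here only because the caller consumes it inside the same `makeString(...)` full expression while the `const String&` argument is alive; a one-line comment stating that the view must not outlive the argument would stop a future caller from storing it. Note also that `sourceText` is appended unclamped in the same `makeString` call, so the new bound covers only the message half of the result.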
@@ -109,7 +116,7 @@
         return defaultApproximateSourceError(originalMessage, sourceText);
 
     ASSERT(occurrence == ErrorInstance::FoundExactSource);
-    return makeString(originalMessage, " (evaluating '", sourceText, "')");
+    return makeString(clampErrorMessage(originalMessage), " (evaluating '", sourceText, "')");
 }
 
 static String functionCallBase(const String& sourceText)