Title: [290265] trunk
Revision: 290265
Author: [email protected]
Date: 2022-02-21 13:29:03 -0800 (Mon, 21 Feb 2022)

Log Message

[JSC] Add explicit exception check after appendWithoutSideEffects
https://bugs.webkit.org/show_bug.cgi?id=236986
rdar://88258776

Reviewed by Saam Barati.

JSTests:

* stress/array-to-string-oom.js: Added.

Source/JavaScriptCore:

Add an exception check after the JSStringJoiner::appendWithoutSideEffects call, since JSString::value can throw an OOM error.

* runtime/ArrayPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSStringJoiner.h:
(JSC::JSStringJoiner::append):

Diff

Modified: trunk/JSTests/ChangeLog (290264 => 290265)


--- trunk/JSTests/ChangeLog	2022-02-21 21:27:46 UTC (rev 290264)
+++ trunk/JSTests/ChangeLog	2022-02-21 21:29:03 UTC (rev 290265)
@@ -1,5 +1,15 @@
 2022-02-21  Yusuke Suzuki  <[email protected]>
 
+        [JSC] Add explicit exception check after appendWithoutSideEffects
+        https://bugs.webkit.org/show_bug.cgi?id=236986
+        rdar://88258776
+
+        Reviewed by Saam Barati.
+
+        * stress/array-to-string-oom.js: Added.
+
+2022-02-21  Yusuke Suzuki  <[email protected]>
+
         [JSC] Add CalendarDateTime parsing
         https://bugs.webkit.org/show_bug.cgi?id=236886
 
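Review bot: the JSTests entry lists the new file but says nothing about what it exercises; a one-line description under `* stress/array-to-string-oom.js: Added.`, for example `Covers the OOM path in Array.prototype.toString when the joined string cannot be allocated.`, would make this ChangeLog entry useful when someone later searches for the regression.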

Added: trunk/JSTests/stress/array-to-string-oom.js (0 => 290265)


--- trunk/JSTests/stress/array-to-string-oom.js	                        (rev 0)
+++ trunk/JSTests/stress/array-to-string-oom.js	2022-02-21 21:29:03 UTC (rev 290265)
@@ -0,0 +1,6 @@
+try {
+    $vm.haveABadTime();
+    const ten = 10;
+    const s = ten.toLocaleString().repeat(2 ** 30 - 1);
+    [s].toString();
+} catch { }
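Review bot: the bare `catch { }` hides which step threw, so the test passes whether `repeat(2 ** 30 - 1)` itself fails, `[s].toString()` throws the intended OOM, or nothing throws at all. That is acceptable only because the regression being guarded is an unchecked-exception assertion in debug builds rather than a wrong result, and a short comment stating that (and why `$vm.haveABadTime()` is called first) would save the next reader from reconstructing the intent from the ChangeLog.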

Modified: trunk/Source/JavaScriptCore/ChangeLog (290264 => 290265)


--- trunk/Source/JavaScriptCore/ChangeLog	2022-02-21 21:27:46 UTC (rev 290264)
+++ trunk/Source/JavaScriptCore/ChangeLog	2022-02-21 21:29:03 UTC (rev 290265)
@@ -1,5 +1,20 @@
 2022-02-21  Yusuke Suzuki  <[email protected]>
 
+        [JSC] Add explicit exception check after appendWithoutSideEffects
+        https://bugs.webkit.org/show_bug.cgi?id=236986
+        rdar://88258776
+
+        Reviewed by Saam Barati.
+
+        Add exception check after JSStringJoiner::appendWithoutSideEffects call since JSString::value can throw OOM error.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/JSStringJoiner.h:
+        (JSC::JSStringJoiner::append):
+
+2022-02-21  Yusuke Suzuki  <[email protected]>
+
         [JSC] Add CalendarDateTime parsing
         https://bugs.webkit.org/show_bug.cgi?id=236886
 

Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (290264 => 290265)


--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp	2022-02-21 21:27:46 UTC (rev 290264)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp	2022-02-21 21:29:03 UTC (rev 290265)
@@ -636,7 +636,6 @@
 
     if (LIKELY(canUseFastJoin(thisArray))) {
         const LChar comma = ',';
-        scope.release();
 
         bool isCoW = isCopyOnWrite(thisArray->indexingMode());
         JSImmutableButterfly* immutableButterfly = nullptr;
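Review bot: dropping `scope.release()` at the top of the `canUseFastJoin` branch is only half of the fix: the throw scope is now live for the rest of the block, so every call in it that can throw (the appendWithoutSideEffects path the ChangeLog describes) needs a `RETURN_IF_EXCEPTION(scope, ...)` after it, and none of those checks are visible in this hunk. Worth confirming that the remaining fast-join code either checks after each such call or re-releases the scope before a call that cannot throw, because an unchecked exception under a live scope trips the exception-check assertion in debug builds.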

Modified: trunk/Source/JavaScriptCore/runtime/JSStringJoiner.h (290264 => 290265)


--- trunk/Source/JavaScriptCore/runtime/JSStringJoiner.h	2022-02-21 21:27:46 UTC (rev 290264)
+++ trunk/Source/JavaScriptCore/runtime/JSStringJoiner.h	2022-02-21 21:29:03 UTC (rev 290265)
@@ -152,6 +152,7 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     bool success = appendWithoutSideEffects(globalObject, value);
+    RETURN_IF_EXCEPTION(scope, void());
     if (!success) {
         JSString* jsString = value.toString(globalObject);
         RETURN_IF_EXCEPTION(scope, void());
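Review bot: placing `RETURN_IF_EXCEPTION(scope, void());` before the `if (!success)` test is the right order, since an OOM thrown inside appendWithoutSideEffects would otherwise be indistinguishable from the ordinary "value was not cheap to append" result, and the code would go on to call `value.toString(globalObject)` with an exception already pending. The name appendWithoutSideEffects still reads as if it cannot throw, though; a comment on its declaration noting that it may throw (JSString::value can OOM, per the ChangeLog) would make the contract obvious to other callers, including the fast path in ArrayPrototype.cpp.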
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
