Title: [290932] branches/safari-613-branch
Revision
290932
Author
[email protected]
Date
2022-03-07 14:09:56 -0800 (Mon, 07 Mar 2022)

Log Message

Cherry-pick r290265. rdar://problem/88258776

    [JSC] Add explicit exception check after appendWithoutSideEffects
    https://bugs.webkit.org/show_bug.cgi?id=236986
    rdar://88258776

    Reviewed by Saam Barati.

    JSTests:

    * stress/array-to-string-oom.js: Added.

    Source/_javascript_Core:

    Add an exception check after the JSStringJoiner::appendWithoutSideEffects call, since JSString::value can throw an OOM error.

    * runtime/ArrayPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/JSStringJoiner.h:
    (JSC::JSStringJoiner::append):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
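As an added illustration, not WebKit/JSC code and not part of this commit, the following toy C++ model shows the discipline the patch restores: a ThrowScope-style verifier, an append routine that runs no user JavaScript but can still fail while flattening a string, and the same join written before and after the fix. Every name in it (VM, ThrowScope, Joiner, JSString, value, kMaxFlatLength, uncheckedExceptionsAtScopeExit, Outcome, runBuggy, runFixed) is a stand-in chosen for the example and is not the JSC API; the length limit stands in for an allocation failing, and the sample inputs are constructed.

```cpp
// Added example, not WebKit/JSC code: a toy model of the ThrowScope /
// RETURN_IF_EXCEPTION discipline this patch restores. Every name is a stand-in.
#include <cassert>
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Toy VM: one pending-exception slot plus the bookkeeping a debug-build verifier
// keeps (has the pending exception been checked since it was thrown?).
struct VM {
    std::optional<std::string> pendingException;
    bool checkedSinceThrow = true;
    int uncheckedExceptionsAtScopeExit = 0; // what a debug build would assert on
};
// Toy ThrowScope: a thrown-but-unchecked exception at scope exit is a violation,
// unless the scope was released ("this path cannot throw").
struct ThrowScope {
    VM& vm;
    bool released = false;
    explicit ThrowScope(VM& v) : vm(v) {}
    bool exception() { vm.checkedSinceThrow = true; return vm.pendingException.has_value(); }
    void release() { released = true; }
    ~ThrowScope() {
        if (vm.pendingException && !vm.checkedSinceThrow && !released)
            ++vm.uncheckedExceptionsAtScopeExit;
    }
};
void throwOutOfMemory(VM& vm) {
    vm.pendingException = "RangeError: Out of memory";
    vm.checkedSinceThrow = false;
}

// Stand-in string that still has to be flattened; the length limit is an assumed
// stand-in for the allocation failing, and a failed flatten yields "" here.
constexpr std::size_t kMaxFlatLength = 8;
struct JSString { std::string content; };
std::string value(VM& vm, const JSString& s) { // plays the role of JSString::value()
    if (s.content.size() > kMaxFlatLength) { throwOutOfMemory(vm); return {}; }
    return s.content;
}

struct Joiner {
    std::string out;
    bool first = true;
    // "Without side effects" means no user JavaScript runs; it does not mean the
    // call cannot throw, because value() above can.
    bool appendWithoutSideEffects(VM& vm, const JSString& s) {
        if (!first) out += ',';
        first = false;
        out += value(vm, s);
        return true;
    }
};

// Before the fix: no check after each append. Releasing the scope up front (as
// the old fast-join path did) also hides the omission from the verifier; the
// caller gets a truncated string and the exception stays pending.
std::string joinBuggy(VM& vm, const std::vector<JSString>& arr, bool releaseScope) {
    ThrowScope scope(vm);
    if (releaseScope) scope.release();
    Joiner j;
    for (const auto& s : arr) j.appendWithoutSideEffects(vm, s);
    return j.out;
}

// After the fix: check right after the call, before anything else runs, and
// return early (the RETURN_IF_EXCEPTION pattern).
std::optional<std::string> joinFixed(VM& vm, const std::vector<JSString>& arr) {
    ThrowScope scope(vm);
    Joiner j;
    for (const auto& s : arr) {
        j.appendWithoutSideEffects(vm, s);
        if (scope.exception()) return std::nullopt;
    }
    return j.out;
}

// Constructed inputs and named scenarios, so each outcome can be checked by name.
const std::vector<JSString> kSampleWithOOM{{"a"}, {"this is too long"}, {"c"}};
const std::vector<JSString> kSampleOk{{"a"}, {"b"}, {"c"}};
struct Outcome { std::optional<std::string> result; bool exceptionPending; int verifierHits; };
Outcome runBuggy(bool releaseScope) {
    VM vm;
    std::string r = joinBuggy(vm, kSampleWithOOM, releaseScope);
    return {r, vm.pendingException.has_value(), vm.uncheckedExceptionsAtScopeExit};
}
Outcome runFixed(const std::vector<JSString>& arr) {
    VM vm;
    std::optional<std::string> r = joinFixed(vm, arr);
    return {r, vm.pendingException.has_value(), vm.uncheckedExceptionsAtScopeExit};
}

int main() {
    assert(runBuggy(true).result.value() == "a,,c" && runBuggy(true).verifierHits == 0);
    assert(runBuggy(false).verifierHits == 1); // same bug, release removed: caught
    assert(!runFixed(kSampleWithOOM).result && runFixed(kSampleWithOOM).exceptionPending);
    assert(runFixed(kSampleOk).result.value() == "a,b,c");
}
```

Compile with any C++17 compiler and run; main exits 0 when the assertions hold. Two outcomes are worth noticing: with the scope released, the buggy join returns "a,,c" with the OOM error still pending and the verifier silent, which is the situation the removal of scope.release() in ArrayPrototype.cpp addresses; and the fixed join checks before anything else can run, which is where the new RETURN_IF_EXCEPTION in JSStringJoiner.h sits, ahead of the toString fallback.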

Diff

Modified: branches/safari-613-branch/JSTests/ChangeLog (290931 => 290932)


--- branches/safari-613-branch/JSTests/ChangeLog	2022-03-07 22:09:52 UTC (rev 290931)
+++ branches/safari-613-branch/JSTests/ChangeLog	2022-03-07 22:09:56 UTC (rev 290932)
@@ -1,3 +1,38 @@
+2022-03-07  Russell Epstein  <[email protected]>
+
+        Cherry-pick r290265. rdar://problem/88258776
+
+    [JSC] Add explicit exception check after appendWithoutSideEffects
+    https://bugs.webkit.org/show_bug.cgi?id=236986
+    rdar://88258776
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/array-to-string-oom.js: Added.
+    
+    Source/_javascript_Core:
+    
+    Add exception check after JSStringJoiner::appendWithoutSideEffects call since JSString::value can throw OOM error.
+    
+    * runtime/ArrayPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/JSStringJoiner.h:
+    (JSC::JSStringJoiner::append):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-02-21  Yusuke Suzuki  <[email protected]>
+
+            [JSC] Add explicit exception check after appendWithoutSideEffects
+            https://bugs.webkit.org/show_bug.cgi?id=236986
+            rdar://88258776
+
+            Reviewed by Saam Barati.
+
+            * stress/array-to-string-oom.js: Added.
+
 2022-02-09  Alan Coon  <[email protected]>
 
         Cherry-pick r289450. rdar://problem/88483574

Added: branches/safari-613-branch/JSTests/stress/array-to-string-oom.js (0 => 290932)


--- branches/safari-613-branch/JSTests/stress/array-to-string-oom.js	                        (rev 0)
+++ branches/safari-613-branch/JSTests/stress/array-to-string-oom.js	2022-03-07 22:09:56 UTC (rev 290932)
@@ -0,0 +1,6 @@
+try {
+    $vm.haveABadTime();
+    const ten = 10;
+    const s = ten.toLocaleString().repeat(2 ** 30 - 1);
+    [s].toString();
+} catch { }
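Review bot: the bare `catch { }` accepts every outcome of `[s].toString()`, so the test only guards against a crash or assertion failure on this path, not against the OOM error being dropped or replaced by a different one; since the ChangeLog's point is that `JSString::value` can throw OOM here, a one-line comment in the test saying that a thrown error is the expected result and that the check is "no crash" would tell a future reader what a passing run proves. The `$vm.haveABadTime()` line deserves a comment for the same reason, as nothing in the file says why the test needs it.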

Modified: branches/safari-613-branch/Source/_javascript_Core/ChangeLog (290931 => 290932)


--- branches/safari-613-branch/Source/_javascript_Core/ChangeLog	2022-03-07 22:09:52 UTC (rev 290931)
+++ branches/safari-613-branch/Source/_javascript_Core/ChangeLog	2022-03-07 22:09:56 UTC (rev 290932)
@@ -1,5 +1,45 @@
 2022-03-07  Russell Epstein  <[email protected]>
 
+        Cherry-pick r290265. rdar://problem/88258776
+
+    [JSC] Add explicit exception check after appendWithoutSideEffects
+    https://bugs.webkit.org/show_bug.cgi?id=236986
+    rdar://88258776
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/array-to-string-oom.js: Added.
+    
+    Source/_javascript_Core:
+    
+    Add exception check after JSStringJoiner::appendWithoutSideEffects call since JSString::value can throw OOM error.
+    
+    * runtime/ArrayPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/JSStringJoiner.h:
+    (JSC::JSStringJoiner::append):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-02-21  Yusuke Suzuki  <[email protected]>
+
+            [JSC] Add explicit exception check after appendWithoutSideEffects
+            https://bugs.webkit.org/show_bug.cgi?id=236986
+            rdar://88258776
+
+            Reviewed by Saam Barati.
+
+            Add exception check after JSStringJoiner::appendWithoutSideEffects call since JSString::value can throw OOM error.
+
+            * runtime/ArrayPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/JSStringJoiner.h:
+            (JSC::JSStringJoiner::append):
+
+2022-03-07  Russell Epstein  <[email protected]>
+
         Cherry-pick r289001. rdar://problem/88404556
 
     [JSC] Crash on several pages after r287986
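Review bot: the diff alignment reads oddly but the result is right: the hunk drops the new entry directly under the existing `2022-03-07  Russell Epstein` header and re-adds that header as `+2022-03-07  Russell Epstein` just above `Cherry-pick r289001`, so both entries keep a date/author line and no change is needed; mentioning it only because at first glance it looks as if the r289001 entry lost its header.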

Modified: branches/safari-613-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (290931 => 290932)


--- branches/safari-613-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2022-03-07 22:09:52 UTC (rev 290931)
+++ branches/safari-613-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2022-03-07 22:09:56 UTC (rev 290932)
@@ -636,7 +636,6 @@
 
     if (LIKELY(canUseFastJoin(thisArray))) {
         const LChar comma = ',';
-        scope.release();
 
         bool isCoW = isCopyOnWrite(thisArray->indexingMode());
         JSImmutableButterfly* immutableButterfly = nullptr;
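Review bot: removing `scope.release();` at the top of the `canUseFastJoin` branch is required now that `JSStringJoiner::append` can report an exception, but the hunk shows only the removal and none of the returns in that branch; every return after this point must now either check the scope or go through `RELEASE_AND_RETURN(scope, ...)`, otherwise the debug-build ThrowScope verifier will flag an unchecked exception on exactly the OOM path this patch targets. Worth confirming each return in the branch does so, since the context lines here stop before them.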

Modified: branches/safari-613-branch/Source/_javascript_Core/runtime/JSStringJoiner.h (290931 => 290932)


--- branches/safari-613-branch/Source/_javascript_Core/runtime/JSStringJoiner.h	2022-03-07 22:09:52 UTC (rev 290931)
+++ branches/safari-613-branch/Source/_javascript_Core/runtime/JSStringJoiner.h	2022-03-07 22:09:56 UTC (rev 290932)
@@ -152,6 +152,7 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     bool success = appendWithoutSideEffects(globalObject, value);
+    RETURN_IF_EXCEPTION(scope, void());
     if (!success) {
         JSString* jsString = value.toString(globalObject);
         RETURN_IF_EXCEPTION(scope, void());
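Review bot: the new `RETURN_IF_EXCEPTION(scope, void());` is placed correctly between `appendWithoutSideEffects` and the `if (!success)` fallback, so `value.toString(globalObject)` can no longer run with an exception already pending; what is still missing is documentation, because a function named `appendWithoutSideEffects` reads as if it cannot throw, which invites exactly this omission at other call sites. Suggest a comment on `appendWithoutSideEffects` in this header stating that "without side effects" means no user JavaScript is invoked, while the call can still throw OOM through `JSString::value`.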
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
