Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 32b9728139794e15d690f5a3b43dbd9f8162e6ee
https://github.com/WebKit/WebKit/commit/32b9728139794e15d690f5a3b43dbd9f8162e6ee
Author: David Degazio <[email protected]>
Date: 2022-11-09 (Wed, 09 Nov 2022)
Changed paths:
A JSTests/stress/bigdecimal-identifiers-fail-on-oom.js
M Source/JavaScriptCore/parser/Parser.cpp
M Source/JavaScriptCore/parser/ParserArena.cpp
M Source/JavaScriptCore/parser/ParserArena.h
Log Message:
-----------
Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier
https://bugs.webkit.org/show_bug.cgi?id=247644
rdar://98566429
Reviewed by Mark Lam and Yusuke Suzuki.
We currently get a segfault because the parser for bigdecimal identifiers allocates a JSBigInt, which might cause us to run out of memory. The parser doesn't throw arbitrary exceptions elsewhere, so instead of throwing out-of-memory as an exception, it just produces an empty JSBigInt and crashes when using it.

This patch addresses the issue by making the result of makeBigIntDecimalIdentifier nullable, checking for it in the parser, and failing with a SyntaxError if the identifier could not be created.
* JSTests/stress/bigdecimal-identifiers-fail-on-oom.js: Added.
(foo):
* Source/JavaScriptCore/parser/Lexer.cpp:
* Source/JavaScriptCore/parser/Parser.cpp:
(JSC::Parser<LexerType>::parseDestructuringPattern):
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseClassFieldInitializerSourceElements):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parseGetterSetter):
* Source/JavaScriptCore/parser/ParserArena.cpp:
(JSC::IdentifierArena::makeBigIntDecimalIdentifier):
* Source/JavaScriptCore/parser/ParserArena.h:
Canonical link: https://commits.webkit.org/256501@main
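A toy model of the failure mode and the fix the log message describes, written as an added example that is not WebKit's code: a simulated heap whose allocation can fail, an arena whose makeBigIntDecimalIdentifier returns a null pointer when the JSBigInt cannot be created, and a parser path that reports that null as a SyntaxError instead of using an empty object. The Heap budget, the struct layouts and parseBigIntPropertyName are all assumptions made for the illustration.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Stand-ins for the JSC types named in the commit (assumed shapes, not WebKit's).
struct JSBigInt {
    std::string digits;
};

struct Identifier {
    JSBigInt* bigInt = nullptr;
};

// Simulated allocator with a byte budget so an out-of-memory path can be exercised.
struct Heap {
    size_t budget;
    std::vector<std::unique_ptr<JSBigInt>> objects;

    JSBigInt* tryAllocateBigInt(const std::string& digits) {
        if (digits.size() > budget)
            return nullptr;  // allocation failed (simulated OOM)
        budget -= digits.size();
        objects.push_back(std::make_unique<JSBigInt>(JSBigInt{digits}));
        return objects.back().get();
    }
};

struct IdentifierArena {
    std::vector<std::unique_ptr<Identifier>> identifiers;

    // After the fix: the result is nullable. Before, the old code would have handed
    // back an identifier wrapping an empty JSBigInt, which crashed when used.
    const Identifier* makeBigIntDecimalIdentifier(Heap& heap, const std::string& digits) {
        JSBigInt* bigInt = heap.tryAllocateBigInt(digits);
        if (!bigInt)
            return nullptr;
        identifiers.push_back(std::make_unique<Identifier>(Identifier{bigInt}));
        return identifiers.back().get();
    }
};

enum class ParseResult { Ok, SyntaxError };

// Parser side: check the nullable identifier and fail the parse instead of dereferencing.
ParseResult parseBigIntPropertyName(IdentifierArena& arena, Heap& heap, const std::string& digits) {
    const Identifier* ident = arena.makeBigIntDecimalIdentifier(heap, digits);
    if (!ident)
        return ParseResult::SyntaxError;
    return ident->bigInt->digits.empty() ? ParseResult::SyntaxError : ParseResult::Ok;
}
```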
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes