Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 11dd0ceefa42351e7a07195edb52563364db8dac
      
https://github.com/WebKit/WebKit/commit/11dd0ceefa42351e7a07195edb52563364db8dac
  Author: Anthony Tarbinian <[email protected]>
  Date:   2025-11-10 (Mon, 10 Nov 2025)

  Changed paths:
    A JSTests/stress/describe-huge-strings.js
    M Source/JavaScriptCore/jsc.cpp
    M Source/WTF/wtf/StringPrintStream.h

  Log Message:
  -----------
[JSC] describe function attempts to create a WTF::String larger than WTF::String::MaxLength
https://bugs.webkit.org/show_bug.cgi?id=302183
rdar://160097620

Reviewed by Keith Miller.

The `describe` JS function returns a String that contains additional
metadata to "describe" the original entity passed in. For example,
`describe("hello")` results in a string that looks like
`String (atomic),8Bit:(1),length:(5): hello, StructureID: 16777808`.
Under the hood, `describe` constructs a new string with additional
metadata and converts it to a `WTF::String`.

The problem is that while the original string passed into `describe`
is under the `WTF::String` limit (`WTF::String::MaxLength`), it's
possible for the extra metadata to push the length of the resulting
string over the limit. Then, when `describe` goes to convert the
result into a `WTF::String` JSC can crash from a `RELEASE_ASSERT`
enforcing the size of the resulting string.

This patch adds a bounds check before a `StringPrintStream` that's
too large attempts to be converted to a `WTF::String`. Importantly,
this bounds check happens after the additional metadata information
is added to the resulting `StringPrintStream` (see `JSCJSValue.cpp`
`JSValue::dumpInContextAssumingStructure`). If the resulting
`StringPrintStream` would have been too much for a `WTF::String`,
then we gracefully throw a RangeError Exception as opposed to
hitting a `RELEASE_ASSERT` during the `WTF::String` creation.

Test: JSTests/stress/describe-huge-strings.js

* JSTests/stress/describe-huge-strings.js: Added.
(const.tc.of.testCases.catch):
* Source/JavaScriptCore/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* Source/WTF/wtf/StringPrintStream.h:
(WTF::toStringWithBoundsCheck):

Canonical link: https://commits.webkit.org/302798@main
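The failure mode the commit describes, a payload that fits under the string limit on its own but whose metadata prefix pushes the total over it, modelled as an added example. This is not WebKit code: `PrintStream`, `kMaxLength` (a tiny stand-in for `WTF::String::MaxLength`) and the `toStringWithBoundsCheck` / `describe` functions here are hypothetical stand-ins for the real `StringPrintStream` and `WTF::toStringWithBoundsCheck`.

```cpp
// Added illustration, not WebKit code. Models the bounds check described in
// the commit: converting an over-long print stream to a bounded string must
// fail gracefully (RangeError in JSC) instead of hitting a RELEASE_ASSERT.
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

// Hypothetical, deliberately tiny limit so the overflow case is cheap to hit.
constexpr std::size_t kMaxLength = 64;

// Stand-in for StringPrintStream: just accumulates text.
struct PrintStream {
    std::string buffer;
    void print(const std::string& s) { buffer += s; }
};

// Stand-in for the patch's toStringWithBoundsCheck: the check runs on the
// final accumulated length, i.e. after any metadata has been appended.
// std::nullopt models "throw RangeError"; the caller never asserts.
std::optional<std::string> toStringWithBoundsCheck(const PrintStream& stream) {
    if (stream.buffer.size() > kMaxLength)
        return std::nullopt;
    return stream.buffer;
}

// Models describe(): prepends metadata in the shape shown in the commit
// message, then converts with the bounds check.
std::optional<std::string> describe(const std::string& payload) {
    PrintStream out;
    out.print("String (atomic),8Bit:(1),length:(" + std::to_string(payload.size()) + "): ");
    out.print(payload);
    return toStringWithBoundsCheck(out);
}

// True when the bare payload would have been a legal string on its own.
bool payloadFits(const std::string& payload) { return payload.size() <= kMaxLength; }

int main() {
    // Constructed inputs: a short string and one exactly at the limit.
    std::string small = "hello";
    std::string atLimit(kMaxLength, 'a');
    std::cout << "hello -> " << (describe(small) ? "ok" : "RangeError") << '\n';
    std::cout << "payload fits: " << payloadFits(atLimit)
              << ", described -> " << (describe(atLimit) ? "ok" : "RangeError") << '\n';
    return 0;
}
```

The second case is the bug: the payload alone passes `payloadFits`, but the 38-byte metadata prefix takes the described form to 102 bytes, so the conversion is rejected rather than crashing.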
