Title: [129077] trunk/Source/WebCore
- Revision
- 129077
- Author
- [email protected]
- Date
- 2012-09-19 17:41:26 -0700 (Wed, 19 Sep 2012)
Log Message
[V8] ScriptController::compileAndRunScript() can crash
https://bugs.webkit.org/show_bug.cgi?id=96567
Reviewed by Adam Barth.
See chromium bug: http://code.google.com/p/chromium/issues/detail?id=146776
The root cause is that v8::PreCompile() can return 0 when the stack of
V8's parser overflows (c.f. http://code.google.com/codesearch#OAMlx_jo-ck/src/v8/src/parser.cc&exact_package=chromium&q=kPreParseStackOverflow&type=cs&l=6021).
This patch adds the 0 check to the caller side. Given that precompileScript()
is just trying to speculatively precompile a script, it's OK to give up
precompiling for such edge cases.
Manually tested with the html generated by the following shell script:
echo '<script language="_javascript_" type="text/_javascript_" src="" > asan-crash.html
echo 'if(wURLF.search("")>=0) {}' > asan-crash.js
for i in `seq 14830`
do
echo 'else if(wURLF.search("")>=0) {}' >> asan-crash.js
done
I didn't add the test because '14380' depends on an environment
and because we don't want to add a huge html test.
* bindings/v8/ScriptSourceCode.cpp:
(WebCore::ScriptSourceCode::precompileScript):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (129076 => 129077)
--- trunk/Source/WebCore/ChangeLog 2012-09-20 00:12:51 UTC (rev 129076)
+++ trunk/Source/WebCore/ChangeLog 2012-09-20 00:41:26 UTC (rev 129077)
@@ -1,3 +1,34 @@
+2012-09-19 Kentaro Hara <[email protected]>
+
+ [V8] ScriptController::compileAndRunScript() can crash
+ https://bugs.webkit.org/show_bug.cgi?id=96567
+
+ Reviewed by Adam Barth.
+
+ See chromium bug: http://code.google.com/p/chromium/issues/detail?id=146776
+
+ The root cause is that v8::PreCompile() can return 0 when the stack of
+ V8's parser overflows (c.f. http://code.google.com/codesearch#OAMlx_jo-ck/src/v8/src/parser.cc&exact_package=chromium&q=kPreParseStackOverflow&type=cs&l=6021).
+
+ This patch adds the 0 check to the caller side. Given that precompileScript()
+ is just trying to speculatively precompile a script, it's OK to give up
+ precompiling for such edge cases.
+
+ Manually tested with the html generated by the following shell script:
+
+ echo '<script language="_javascript_" type="text/_javascript_" src="" > asan-crash.html
+ echo 'if(wURLF.search("")>=0) {}' > asan-crash.js
+ for i in `seq 14830`
+ do
+ echo 'else if(wURLF.search("")>=0) {}' >> asan-crash.js
+ done
+
+ I didn't add the test because '14380' depends on an environment
+ and because we don't want to add a huge html test.
+
+ * bindings/v8/ScriptSourceCode.cpp:
+ (WebCore::ScriptSourceCode::precompileScript):
+
2012-09-19 Joshua Bell <[email protected]>
IndexedDB: Pending call cleanup
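Review bot: the manual-test recipe recorded in this ChangeLog entry cannot be re-run as written, so the reproduction steps should be corrected before landing: the html line `echo '<script language="_javascript_" type="text/_javascript_" src="" > asan-crash.html` opens a single quote that is never closed and writes `src=""`, so the generated page never loads asan-crash.js; the loop runs `seq 14830` while the explanation below it cites '14380'. Suggest closing the quote, pointing src at asan-crash.js, and using one consistent iteration count so that anyone reproducing the parser stack overflow hits the same condition.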
Modified: trunk/Source/WebCore/bindings/v8/ScriptSourceCode.cpp (129076 => 129077)
--- trunk/Source/WebCore/bindings/v8/ScriptSourceCode.cpp 2012-09-20 00:12:51 UTC (rev 129076)
+++ trunk/Source/WebCore/bindings/v8/ScriptSourceCode.cpp 2012-09-20 00:41:26 UTC (rev 129077)
@@ -49,6 +49,9 @@
return adoptPtr(v8::ScriptData::New(cachedMetadata->data(), cachedMetadata->size()));
OwnPtr<v8::ScriptData> scriptData = adoptPtr(v8::ScriptData::PreCompile(code));
+ if (!scriptData)
+ return nullptr;
+
cachedScript->setCachedMetadata(dataTypeID, scriptData->Data(), scriptData->Length());
return scriptData.release();
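Review bot: the early return is in the right place, ahead of the first dereference at `cachedScript->setCachedMetadata(dataTypeID, scriptData->Data(), scriptData->Length());`, so a 0 result from `v8::ScriptData::PreCompile(code)` is no longer touched. Suggest a one-line comment above `if (!scriptData)` stating that PreCompile returns 0 when V8's parser stack overflows (as the ChangeLog explains), otherwise the check reads as defensive noise and risks being removed in a later cleanup. Also worth confirming that every caller of precompileScript treats a null return as "no precompiled data" rather than dereferencing it, since this hunk introduces a new null-returning path and the caller side is not part of the diff.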
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes