Title: [135454] trunk
- Revision: 135454
- Author: dba...@webkit.org
- Date: 2012-11-21 16:25:51 -0800 (Wed, 21 Nov 2012)
Log Message
JavaScript fails to concatenate large strings
<https://bugs.webkit.org/show_bug.cgi?id=102963>
Reviewed by Michael Saboff.
Source/JavaScriptCore:
Fixes an issue where we inadvertently didn't check the length of
a JavaScript string for overflow.
* runtime/Operations.h:
(JSC::jsString):
(JSC::jsStringFromArguments):
LayoutTests:
Add tests to ensure that we handle concatenating large strings.
* fast/js/concat-large-strings-crash-expected.txt: Added.
* fast/js/concat-large-strings-crash.html: Added.
* fast/js/concat-large-strings-crash2-expected.txt: Added.
* fast/js/concat-large-strings-crash2.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (135453 => 135454)
--- trunk/LayoutTests/ChangeLog 2012-11-22 00:20:42 UTC (rev 135453)
+++ trunk/LayoutTests/ChangeLog 2012-11-22 00:25:51 UTC (rev 135454)
@@ -1,3 +1,17 @@
+2012-11-21 Daniel Bates <dba...@webkit.org>
+
+ _javascript_ fails to concatenate large strings
+ <https://bugs.webkit.org/show_bug.cgi?id=102963>
+
+ Reviewed by Michael Saboff.
+
+ Add tests to ensure that we handle concatenating large strings.
+
+ * fast/js/concat-large-strings-crash-expected.txt: Added.
+ * fast/js/concat-large-strings-crash.html: Added.
+ * fast/js/concat-large-strings-crash2-expected.txt: Added.
+ * fast/js/concat-large-strings-crash2.html: Added.
+
2012-11-21 Fady Samuel <fsam...@chromium.org>
Add fast/events/context-nodrag.html to Chromium Mac TestExpectations
Added: trunk/LayoutTests/fast/js/concat-large-strings-crash-expected.txt (0 => 135454)
--- trunk/LayoutTests/fast/js/concat-large-strings-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/concat-large-strings-crash-expected.txt 2012-11-22 00:25:51 UTC (rev 135454)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 16: Error: Out of memory
+Test for bug 102963. This test passed if you see the word PASS below.
+
+PASS: Didn't crash.
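Review bot: The first expected line, `CONSOLE MESSAGE: line 16: Error: Out of memory`, pins the result to a source line number in concat-large-strings-crash.html, so any edit that shifts lines in that file fails the test without any change in engine behaviour. Having the test catch the exception and print its own message would keep the expectation independent of the line number.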
Added: trunk/LayoutTests/fast/js/concat-large-strings-crash.html (0 => 135454)
--- trunk/LayoutTests/fast/js/concat-large-strings-crash.html (rev 0)
+++ trunk/LayoutTests/fast/js/concat-large-strings-crash.html 2012-11-22 00:25:51 UTC (rev 135454)
@@ -0,0 +1,21 @@
+<html>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ <p>Test for <a href="" 102963</a>. This test passed if you see the word PASS below.</p>
+ <script>
+ function createStringWithRepeatedChar(c, multiplicity){
+ while (c.length < multiplicity)
+ c += c;
+ return c;
+ }
+ var x = "1";
+ var y = "2";
+ x = createStringWithRepeatedChar(x, 1 << 30);
+ y = createStringWithRepeatedChar(y, 1 << 16);
+ x = x.concat(x, x, x, y);
+ x = x.blink(); // Flatten string
+ </script>
+ <p>PASS: Didn't crash.</p>
+</html>
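Review bot: The closing `<p>PASS: Didn't crash.</p>` is static markup, so the page prints PASS whether or not `x.concat(x, x, x, y)` throws; the only thing separating a correct out-of-memory error from a silently wrapped length is the console line in the expected file. Wrapping the concat and the `x.blink()` flatten in try/catch, and writing PASS only when the exception is seen, would make the test state what it checks.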
Added: trunk/LayoutTests/fast/js/concat-large-strings-crash2-expected.txt (0 => 135454)
--- trunk/LayoutTests/fast/js/concat-large-strings-crash2-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/concat-large-strings-crash2-expected.txt 2012-11-22 00:25:51 UTC (rev 135454)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 14: Error: Out of memory
+Test for bug 102963. This test passed if you see the word PASS below.
+
+PASS: Didn't crash.
Added: trunk/LayoutTests/fast/js/concat-large-strings-crash2.html (0 => 135454)
--- trunk/LayoutTests/fast/js/concat-large-strings-crash2.html (rev 0)
+++ trunk/LayoutTests/fast/js/concat-large-strings-crash2.html 2012-11-22 00:25:51 UTC (rev 135454)
@@ -0,0 +1,18 @@
+<html>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ <p>Test for <a href="" 102963</a>. This test passed if you see the word PASS below.</p>
+ <script>
+ function createStringWithRepeatedChar(c, multiplicity){
+ while (c.length < multiplicity)
+ c += c;
+ return c;
+ }
+ var string = createStringWithRepeatedChar("1", 1 << 30);
+ var largeString = string + " AND " + string + " AND " + string + " AND " + string;
+ largeString.blink(); // Flatten string
+ </script>
+ <p>PASS: Didn't crash.</p>
+</html>
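Review bot: `createStringWithRepeatedChar` is copied verbatim from concat-large-strings-crash.html, and its name promises more than the loop delivers: `while (c.length < multiplicity) c += c;` doubles the input, so the result has exactly `multiplicity` characters only when that value is a power of two times the input length. It works for `1 << 30`, but the helper should either live in one shared script and trim its result, or be renamed to say it doubles.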
Modified: trunk/Source/JavaScriptCore/ChangeLog (135453 => 135454)
--- trunk/Source/_javascript_Core/ChangeLog 2012-11-22 00:20:42 UTC (rev 135453)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-11-22 00:25:51 UTC (rev 135454)
@@ -1,3 +1,17 @@
+2012-11-21 Daniel Bates <dba...@webkit.org>
+
+ _javascript_ fails to concatenate large strings
+ <https://bugs.webkit.org/show_bug.cgi?id=102963>
+
+ Reviewed by Michael Saboff.
+
+ Fixes an issue where we inadvertently didn't check the length of
+ a _javascript_ string for overflow.
+
+ * runtime/Operations.h:
+ (JSC::jsString):
+ (JSC::jsStringFromArguments):
+
2012-11-20 Filip Pizlo <fpi...@apple.com>
DFG should be able to cache closure calls (part 2/2)
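Review bot: The description, "we inadvertently didn't check the length ... for overflow", does not match the Operations.h change, where the `ropeBuilder.length() < oldLength` check is already present and the fix is the added `oldLength = ropeBuilder.length();`. The entry should say that the comparison was made against a stale length, since that is what explains why the existing check missed the overflow.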
Modified: trunk/Source/JavaScriptCore/runtime/Operations.h (135453 => 135454)
--- trunk/Source/_javascript_Core/runtime/Operations.h 2012-11-22 00:20:42 UTC (rev 135453)
+++ trunk/Source/_javascript_Core/runtime/Operations.h 2012-11-22 00:25:51 UTC (rev 135454)
@@ -86,6 +86,7 @@
if (ropeBuilder.length() < oldLength) // True for overflow
return throwOutOfMemoryError(exec);
+ oldLength = ropeBuilder.length();
}
return ropeBuilder.release();
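Review bot: The check above the added line infers overflow from the length having gone down, which is only sound if `oldLength` tracks the running length on every pass, the very step that was missing here. A comment on `oldLength = ropeBuilder.length();` stating that invariant would help. Better still, the rope builder could detect the overflow itself when it appends and report failure, so call sites cannot get the bookkeeping wrong.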
@@ -105,6 +106,7 @@
if (ropeBuilder.length() < oldLength) // True for overflow
return throwOutOfMemoryError(exec);
+ oldLength = ropeBuilder.length();
}
return ropeBuilder.release();
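Review bot: This is the same check and the same one-line fix as the hunk at -86, so the two functions listed in the ChangeLog (`jsString` and `jsStringFromArguments`) each carry their own copy of the overflow logic. Folding the append-and-check step into one shared helper would mean the next correction is made once rather than twice.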