Changeset 263405 in webkit

Timestamp:

Jun 23, 2020 11:15:49 AM (4 years ago)

Author:

mark.lam@apple.com

Message:

Handle string overflow in DFG graph dump while validating AI.
​https://bugs.webkit.org/show_bug.cgi?id=213524
<rdar://problem/64635620>

Reviewed by Saam Barati.

JSTests:

• stress/string-overflow-in-dfg-graph-dump.js: Added.

Source/JavaScriptCore:

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::validateAIState):

Source/WTF:

• wtf/StringPrintStream.cpp:

(WTF::StringPrintStream::tryToString):

• wtf/StringPrintStream.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/string-overflow-in-dfg-graph-dump.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/StringPrintStream.cpp (modified) (1 diff)
• Source/WTF/wtf/StringPrintStream.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-06-23  Mark Lam  <mark.lam@apple.com>
+
+        Handle string overflow in DFG graph dump while validating AI.
+        https://bugs.webkit.org/show_bug.cgi?id=213524
+        <rdar://problem/64635620>
+
+        Reviewed by Saam Barati.
+
+        * stress/string-overflow-in-dfg-graph-dump.js: Added.
+
 2020-06-21  Michael Catanzaro  <mcatanzaro@gnome.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-06-23  Mark Lam  <mark.lam@apple.com>
+
+        Handle string overflow in DFG graph dump while validating AI.
+        https://bugs.webkit.org/show_bug.cgi?id=213524
+        <rdar://problem/64635620>
+
+        Reviewed by Saam Barati.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+
 2020-06-23  Devin Rousso  <drousso@apple.com>
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -560 +560 @@
             StringPrintStream out;
             m_graph.dump(out);
-            m_graphDump = out.toString();
+            auto expectedString = out.tryToString();
+            m_graphDump = expectedString ? expectedString.value() : String("<out of memory while dumping graph>"_s);
         }
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-06-23  Mark Lam  <mark.lam@apple.com>
+
+        Handle string overflow in DFG graph dump while validating AI.
+        https://bugs.webkit.org/show_bug.cgi?id=213524
+        <rdar://problem/64635620>
+
+        Reviewed by Saam Barati.
+
+        * wtf/StringPrintStream.cpp:
+        (WTF::StringPrintStream::tryToString):
+        * wtf/StringPrintStream.h:
+
 2020-06-22  Saam Barati  <sbarati@apple.com>
 

trunk/Source/WTF/wtf/StringPrintStream.cpp

@@ -96 +96 @@
 }
 
+Expected<String, UTF8ConversionError> StringPrintStream::tryToString()
+{
+    ASSERT(m_next == strlen(m_buffer));
+    if (m_next > String::MaxLength)
+        return makeUnexpected(UTF8ConversionError::OutOfMemory);
+    return String::fromUTF8(m_buffer, m_next);
+}
+
 String StringPrintStream::toString()
 {

trunk/Source/WTF/wtf/StringPrintStream.h

@@ -42 +42 @@
     
     WTF_EXPORT_PRIVATE CString toCString();
+    WTF_EXPORT_PRIVATE Expected<String, UTF8ConversionError> tryToString();
     WTF_EXPORT_PRIVATE String toString();
     WTF_EXPORT_PRIVATE String toStringWithLatin1Fallback();