Changeset 129077 in webkit


Timestamp:
Sep 19, 2012 5:41:26 PM (12 years ago)
Author:
haraken@chromium.org
Message:

[V8] ScriptController::compileAndRunScript() can crash
https://bugs.webkit.org/show_bug.cgi?id=96567

Reviewed by Adam Barth.

See chromium bug: http://code.google.com/p/chromium/issues/detail?id=146776

The root cause is that v8::PreCompile() can return 0 when the stack of
V8's parser overflows (c.f. http://code.google.com/codesearch#OAMlx_jo-ck/src/v8/src/parser.cc&exact_package=chromium&q=kPreParseStackOverflow&type=cs&l=6021).

This patch adds the 0 check to the caller side. Given that precompileScript()
is just trying to speculatively precompile a script, it's OK to give up
precompiling for such edge cases.

Manually tested with the html generated by the following shell script:

echo '<script language="JavaScript" type="text/javascript" src="asan-crash.js"></script>' > asan-crash.html
echo 'if(wURLF.search("")>=0) {}' > asan-crash.js
for i in `seq 14830`
do
    echo 'else if(wURLF.search("")>=0) {}' >> asan-crash.js
done

I didn't add the test because '14380' depends on an environment
and because we don't want to add a huge html test.

  • bindings/v8/ScriptSourceCode.cpp:
    (WebCore::ScriptSourceCode::precompileScript):
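The message above describes a speculative precompile whose underlying parser can fail on legal but pathological input, and the fix is to make the caller treat that failure as "skip" rather than dereferencing a null result. The following is an added example, not WebKit or V8 code: it builds the same nested else-if chain the changeset's shell script generates (the `wURLF` identifier is copied from that script and is never evaluated) and applies the caller-side pattern in plain JavaScript, where a parser that gives up surfaces as an exception instead of a null pointer. The function and parameter names are this example's own.

```javascript
// Added example (not WebKit/V8 code). Reproduces the shape of the changeset's
// asan-crash.js and shows the caller-side rule the patch adopts: a failed
// speculative compile is a reason to skip caching, never to assume success.

// Constructed input: mirrors the commit's shell generator. depth = number of
// "else if" clauses chained after the first "if".
function buildNestedElseIfScript(depth) {
  const parts = ['if(wURLF.search("")>=0) {}'];
  for (let i = 0; i < depth; i++) {
    parts.push('else if(wURLF.search("")>=0) {}');
  }
  return parts.join('\n');
}

// Speculative precompile. new Function() only parses the body; nothing runs,
// so the undefined wURLF is harmless. A parser that rejects the input (a
// RangeError when nesting exhausts its stack, or a SyntaxError) yields null,
// which is the analogue of v8::PreCompile() returning 0.
function tryPrecompile(source) {
  try {
    return new Function(source);
  } catch (e) {
    if (e instanceof RangeError || e instanceof SyntaxError) return null;
    throw e; // anything else is a real bug, not a "give up" case
  }
}

// Caller side: the equivalent of ScriptSourceCode::precompileScript() after
// the patch. A null result means "do not cache", and the script is simply
// compiled the normal way later.
function precompileOutcome(depth) {
  const compiled = tryPrecompile(buildNestedElseIfScript(depth));
  return compiled ? 'compiled' : 'skipped';
}

// Count of "else if" clauses actually emitted, for checking the generator.
function countElseIf(source) {
  return source.split('else if').length - 1;
}
```

Whether a given engine accepts 14830 levels of nesting depends on its stack limit, which is exactly why the outcome is returned as a value rather than assumed: the caller is correct either way.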

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r129076 r129077  
     12012-09-19  Kentaro Hara  <haraken@chromium.org>
     2
     3        [V8] ScriptController::compileAndRunScript() can crash
     4        https://bugs.webkit.org/show_bug.cgi?id=96567
     5
     6        Reviewed by Adam Barth.
     7
     8        See chromium bug: http://code.google.com/p/chromium/issues/detail?id=146776
     9
     10        The root cause is that v8::PreCompile() can return 0 when the stack of
     11        V8's parser overflows (c.f. http://code.google.com/codesearch#OAMlx_jo-ck/src/v8/src/parser.cc&exact_package=chromium&q=kPreParseStackOverflow&type=cs&l=6021).
     12
     13        This patch adds the 0 check to the caller side. Given that precompileScript()
     14        is just trying to speculatively precompile a script, it's OK to give up
     15        precompiling for such edge cases.
     16
     17        Manually tested with the html generated by the following shell script:
     18
     19          echo '<script language="JavaScript" type="text/javascript" src="asan-crash.js"></script>' > asan-crash.html
     20          echo 'if(wURLF.search("")>=0) {}' > asan-crash.js
     21          for i in `seq 14830`
     22          do
     23            echo 'else if(wURLF.search("")>=0) {}' >> asan-crash.js
     24          done
     25
     26        I didn't add the test because '14380' depends on an environment
     27        and because we don't want to add a huge html test.
     28
     29        * bindings/v8/ScriptSourceCode.cpp:
     30        (WebCore::ScriptSourceCode::precompileScript):
     31
    1322012-09-19  Joshua Bell  <jsbell@chromium.org>
    233
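Review bot: the testing note at entry line 26 quotes '14380' while the script at entry line 21 runs `seq 14830`; one of the two digits is transposed, and the ChangeLog should state the value the script actually uses so the next person reproducing this does not chase the wrong size.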
  • trunk/Source/WebCore/bindings/v8/ScriptSourceCode.cpp

    r126360 r129077  
    5050
    5151    OwnPtr<v8::ScriptData> scriptData = adoptPtr(v8::ScriptData::PreCompile(code));
     52    if (!scriptData)
     53        return nullptr;
     54
    5255    cachedScript->setCachedMetadata(dataTypeID, scriptData->Data(), scriptData->Length());
    5356
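Review bot: the null check at lines 52-53 sits correctly before the `scriptData->Data()` dereference at line 55, but nothing in the code says why `PreCompile()` can hand back 0, so a later cleanup could easily drop it as "impossible"; suggest a one-line comment tied to the commit message, e.g. `// PreCompile() returns 0 if V8's parser stack overflows; skip caching in that case.` Returning nullptr here leaves no cached metadata for the script, which is fine since the normal compile path still runs.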