Changeset 19178 in webkit


Timestamp:
Jan 26, 2007 6:31:28 PM (17 years ago)
Author:
aliceli1
Message:

JavaScriptCore:

Reviewed by Maciej.


Fix for "Repeated string concatenation results in OOM crash"
http://bugs.webkit.org/show_bug.cgi?id=11131

  • kjs/operations.cpp: (KJS::add): Throw exception if string addition result is null
  • kjs/ustring.cpp: (KJS::UString::UString): Don't call memcpy when malloc failed

LayoutTests:

Reviewed by Maciej.


Test for "Repeated string concatenation results in OOM crash"
http://bugs.webkit.org/show_bug.cgi?id=11131

  • fast/js/resources/string-concatenate-outofmemory.js: Added.
  • fast/js/string-concatenate-outofmemory-expected.txt: Added.
  • fast/js/string-concatenate-outofmemory.html: Added.
Location:
trunk
Files:
3 added
4 edited

  • trunk/JavaScriptCore/ChangeLog

    r19136 r19178  
     12007-01-27  Andrew Wellington  <proton@wiretapped.net>
     2
     3        Reviewed by Maciej.
     4       
     5        Fix for Repeated string concatenation results in OOM crash
     6        http://bugs.webkit.org/show_bug.cgi?id=11131
     7
     8        * kjs/operations.cpp:
     9        (KJS::add): Throw exception if string addition result is null
     10        * kjs/ustring.cpp:
     11        (KJS::UString::UString): Don't call memcpy when malloc failed
     12
    1132007-01-25  Jan Kraemer  <camel@gmx.de>
    214
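--- a/trunk/JavaScriptCore/kjs/operations.cpp
+++ b/trunk/JavaScriptCore/kjs/operations.cpp
@@ -225,6 +225,13 @@
     JSValue *p2 = v2->toPrimitive(exec, preferred);
 
-    if ((p1->isString() || p2->isString()) && oper == '+')
-        return jsString(p1->toString(exec) + p2->toString(exec));
+    if ((p1->isString() || p2->isString()) && oper == '+') {
+        UString value = p1->toString(exec) + p2->toString(exec);
+        if (value.isNull()) {
+            JSObject *error = Error::create(exec, GeneralError, "Out of memory");
+            exec->setException(error);
+            return error;
+        } else
+            return jsString(value);
+    }
 
     if (oper == '+')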
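Review bot: The new check at line 229 treats a null UString as the allocation-failure signal, but `Error::create(exec, GeneralError, "Out of memory")` on the following line itself has to allocate while the heap is already exhausted; if that call can fail in the same way, `error` is returned to the caller with nothing to catch it. Whether Error::create can fail is not visible in this hunk — worth confirming, and a comment such as `// Error::create allocates; a second failure here is not handled` would at least record the gap until a pre-built out-of-memory error exists. Minor style point: the `else` after `return error;` is redundant, so `return jsString(value);` can follow the if-block directly. The enclosing add() starts and ends outside the hunk.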
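--- a/trunk/JavaScriptCore/kjs/ustring.cpp
+++ b/trunk/JavaScriptCore/kjs/ustring.cpp
@@ -434,6 +434,9 @@
     UString x(a);
     x.expandCapacity(aOffset + length);
-    memcpy(const_cast<UChar *>(a.data() + aSize), b.data(), bSize * sizeof(UChar));
-    m_rep = Rep::create(a.m_rep, 0, length);
+    if (a.data()) {
+        memcpy(const_cast<UChar *>(a.data() + aSize), b.data(), bSize * sizeof(UChar));
+        m_rep = Rep::create(a.m_rep, 0, length);
+    } else
+        m_rep = &Rep::null;
   } else if (-bOffset == b.usedPreCapacity() && 4 * bSize >= aSize) {
     // - b reaches the beginning of its buffer so it qualifies for shared prepend
@@ -442,14 +445,20 @@
     UString y(b);
     y.expandPreCapacity(-bOffset + aSize);
-    memcpy(const_cast<UChar *>(b.data() - aSize), a.data(), aSize * sizeof(UChar));
-    m_rep = Rep::create(b.m_rep, -aSize, length);
+    if (b.data()) {
+        memcpy(const_cast<UChar *>(b.data() - aSize), a.data(), aSize * sizeof(UChar));
+        m_rep = Rep::create(b.m_rep, -aSize, length);
+    } else
+        m_rep = &Rep::null;
   } else {
     // a does not qualify for append, and b does not qualify for prepend, gotta make a whole new string
     int newCapacity = expandedSize(length, 0);
     UChar *d = static_cast<UChar *>(fastMalloc(sizeof(UChar) * newCapacity));
-    memcpy(d, a.data(), aSize * sizeof(UChar));
-    memcpy(d + aSize, b.data(), bSize * sizeof(UChar));
-    m_rep = Rep::create(d, length);
-    m_rep->capacity = newCapacity;
+    if (d) {
+        memcpy(d, a.data(), aSize * sizeof(UChar));
+        memcpy(d + aSize, b.data(), bSize * sizeof(UChar));
+        m_rep = Rep::create(d, length);
+        m_rep->capacity = newCapacity;
+    } else
+        m_rep = &Rep::null;
   }
 }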
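Review bot: The guard `if (a.data())` at new line 436 only checks that the buffer pointer is non-null, not that `x.expandCapacity(aOffset + length)` on the line above actually grew it; if expandCapacity can fail while leaving the old pointer in place, the memcpy at line 437 still writes `bSize` UChars past the end of the old allocation. expandCapacity is outside this hunk so I cannot tell which way it behaves — worth confirming, and either having it report success or checking `x.m_rep->capacity >= aOffset + length` here would make the intent explicit. The same question applies to the prepend branch at lines 447–451. In the third branch, `m_rep = Rep::create(d, length);` at line 459 is dereferenced on the next line without a check, so whether Rep::create can also fail under memory pressure should be confirmed. The constructor's body begins before this hunk.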
  • trunk/LayoutTests/ChangeLog

    r19175 r19178  
     12007-01-27  Andrew Wellington  <proton@wiretapped.net>
     2
     3        Reviewed by Maciej.
     4       
     5        Test for "Repeated string concatenation results in OOM crash"
     6        http://bugs.webkit.org/show_bug.cgi?id=11131
     7
     8        * fast/js/resources/string-concatenate-outofmemory.js: Added.
     9        * fast/js/string-concatenate-outofmemory-expected.txt: Added.
     10        * fast/js/string-concatenate-outofmemory.html: Added.
     11
    1122007-01-26  Darin Adler  <darin@apple.com>
    213