Changeset 202415 in webkit


Timestamp:
Jun 23, 2016 9:39:35 PM (8 years ago)
Author:
commit-queue@webkit.org
Message:

OOM Assertion failure in Array.prototype.toString
https://bugs.webkit.org/show_bug.cgi?id=158793

Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-06-23
Reviewed by Saam Barati.

Source/JavaScriptCore:

JSString::create() taking a StringImpl was using a signed integer
for the length of the string.
The problem is StringImpl uses an unsigned integer. When a large string
was passed to JSString, the signed integer would be negative and crash
JSString.

  • runtime/JSString.h:

(JSC::JSString::create):

LayoutTests:

  • js/script-tests/stringimpl-to-jsstring-on-large-strings-1.js: Added.

(string_appeared_here.createStrings):

  • js/script-tests/stringimpl-to-jsstring-on-large-strings-2.js: Added.

(string_appeared_here.createRegexp):
(catch):

  • js/script-tests/stringimpl-to-jsstring-on-large-strings-3.js: Added.

(string_appeared_here.createStrings):
(catch):

  • js/stringimpl-to-jsstring-on-large-strings-1-expected.txt: Added.
  • js/stringimpl-to-jsstring-on-large-strings-1.html: Added.
  • js/stringimpl-to-jsstring-on-large-strings-2-expected.txt: Added.
  • js/stringimpl-to-jsstring-on-large-strings-2.html: Added.
  • js/stringimpl-to-jsstring-on-large-strings-3-expected.txt: Added.
  • js/stringimpl-to-jsstring-on-large-strings-3.html: Added.
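The sign-narrowing the commit message describes, shown as an added example that is not part of this changeset or of WebKit's code: a hypothetical `MockStringImpl` stands in for `StringImpl` (only its unsigned `length()` matters), and `signedLengthWouldAssert()` / `unsignedLength()` model the pre- and post-r202415 shape of `JSString::create()`, with the `RELEASE_ASSERT` turned into a boolean result so the program reports the outcome instead of aborting.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Minimal stand-in for WTF::StringImpl (hypothetical mock, not WebKit code):
// the only property that matters here is that length() returns an unsigned.
struct MockStringImpl {
    unsigned m_length;
    unsigned length() const { return m_length; }
};

// Mirrors the pre-r202415 path: the unsigned length is stored in an int32_t.
// Any value that does not fit in 31 bits wraps to a negative number, and the
// RELEASE_ASSERT(length >= 0) that followed would then kill the process.
// The assertion is modelled as a return value rather than an abort.
bool signedLengthWouldAssert(const MockStringImpl& value)
{
    int32_t length = static_cast<int32_t>(value.length()); // lossy narrowing
    return !(length >= 0); // true: RELEASE_ASSERT would have fired
}

// Mirrors the post-r202415 path: same type as StringImpl::length(), so no
// bits are lost and the sign check has nothing left to catch.
size_t unsignedLength(const MockStringImpl& value)
{
    unsigned length = value.length();
    return static_cast<size_t>(length); // widening to size_t never truncates
}

// Stand-alone demonstration over a few constructed lengths.
int main()
{
    const unsigned samples[] = { 100u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };
    for (unsigned n : samples) {
        MockStringImpl s{ n };
        std::printf("length=%u  old-path asserts=%s  new-path length=%zu\n",
                    n, signedLengthWouldAssert(s) ? "yes" : "no", unsignedLength(s));
    }
    return 0;
}
```

The boundary is 0x7FFFFFFF: every length up to it survives the signed copy, and every length from 0x80000000 upwards turns negative in the old path while passing through the new one unchanged.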
Location:
trunk
Files:
9 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r202414 r202415  
     12016-06-23  Benjamin Poulain  <bpoulain@apple.com>
     2
     3        OOM Assertion failure in Array.prototype.toString
     4        https://bugs.webkit.org/show_bug.cgi?id=158793
     5
     6        Reviewed by Saam Barati.
     7
     8        * js/script-tests/stringimpl-to-jsstring-on-large-strings-1.js: Added.
     9        (string_appeared_here.createStrings):
     10        * js/script-tests/stringimpl-to-jsstring-on-large-strings-2.js: Added.
     11        (string_appeared_here.createRegexp):
     12        (catch):
     13        * js/script-tests/stringimpl-to-jsstring-on-large-strings-3.js: Added.
     14        (string_appeared_here.createStrings):
     15        (catch):
     16        * js/stringimpl-to-jsstring-on-large-strings-1-expected.txt: Added.
     17        * js/stringimpl-to-jsstring-on-large-strings-1.html: Added.
     18        * js/stringimpl-to-jsstring-on-large-strings-2-expected.txt: Added.
     19        * js/stringimpl-to-jsstring-on-large-strings-2.html: Added.
     20        * js/stringimpl-to-jsstring-on-large-strings-3-expected.txt: Added.
     21        * js/stringimpl-to-jsstring-on-large-strings-3.html: Added.
     22
    1232016-06-23  Brady Eidson  <beidson@apple.com>
    224
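Review bot: the function entries under the three new script-tests read `(string_appeared_here.createStrings):`, `(string_appeared_here.createRegexp):` and `(catch):`, and `string_appeared_here` is a generator placeholder rather than an object in the tests, so the entries should name the functions directly, e.g. `(createStrings):` and `(createRegexp):`; the `(catch):` lines name a catch block, not a function, and can be dropped.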
  • trunk/Source/JavaScriptCore/ChangeLog

    r202413 r202415  
     12016-06-23  Benjamin Poulain  <bpoulain@apple.com>
     2
     3        OOM Assertion failure in Array.prototype.toString
     4        https://bugs.webkit.org/show_bug.cgi?id=158793
     5
     6        Reviewed by Saam Barati.
     7
     8        JSString::create() taking a StringImpl was using a signed integer
     9        for the length of the string.
     10        The problem is StringImpl uses an unsigned integer. When a large string
     11        was passed to JSString, the signed integer would be negative and crash
     12        JSString.
     13
     14        * runtime/JSString.h:
     15        (JSC::JSString::create):
     16
    1172016-06-23  Joseph Pecoraro  <pecoraro@apple.com> and Yusuke Suzuki  <utatane.tea@gmail.com>
    218
  • trunk/Source/JavaScriptCore/runtime/JSString.h

    r201782 r202415  
    133133    {
    134134        ASSERT(value);
    135         int32_t length = value->length();
    136         RELEASE_ASSERT(length >= 0);
     135        unsigned length = value->length();
    137136        size_t cost = value->cost();
    138137        JSString* newString = new (NotNull, allocateCell<JSString>(vm.heap)) JSString(vm, value);
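Review bot: removing `RELEASE_ASSERT(length >= 0)` is correct once `length` is `unsigned` (the comparison would be tautological), but the hunk's context ends before `length` is consumed, so confirm that the parameter it is passed into is `unsigned` or `size_t` rather than a signed 32-bit type; otherwise the narrowing this change fixes just moves one line further down.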