Changeset 239355 in webkit

Timestamp:

Dec 18, 2018 2:24:33 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

JSON.stringify() should throw OOM on StringBuilder overflows.
​https://bugs.webkit.org/show_bug.cgi?id=192822
<rdar://problem/46670577>

Reviewed by Saam Barati.

JSTests:

• stress/json-stringify-string-builder-overflow.js: Added.

Source/JavaScriptCore:

• runtime/JSONObject.cpp:

(JSC::Stringifier::stringify):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::appendNextProperty):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/json-stringify-string-builder-overflow.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSONObject.cpp (modified) (6 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-12-18  Mark Lam  <mark.lam@apple.com>
+
+        JSON.stringify() should throw OOM on StringBuilder overflows.
+        https://bugs.webkit.org/show_bug.cgi?id=192822
+        <rdar://problem/46670577>
+
+        Reviewed by Saam Barati.
+
+        * stress/json-stringify-string-builder-overflow.js: Added.
+
 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-12-18  Mark Lam  <mark.lam@apple.com>
+
+        JSON.stringify() should throw OOM on StringBuilder overflows.
+        https://bugs.webkit.org/show_bug.cgi?id=192822
+        <rdar://problem/46670577>
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::stringify):
+        (JSC::Stringifier::appendStringifiedValue):
+        (JSC::Stringifier::Holder::appendNextProperty):
+
 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -270 +270 @@
     if (isCallableReplacer()) {
         object = constructEmptyObject(m_exec);
-        RETURN_IF_EXCEPTION(scope, jsNull());
+        RETURN_IF_EXCEPTION(scope, jsUndefined());
         object->putDirect(vm, vm.propertyNames->emptyIdentifier, value);
     }
@@ -277 +277 @@
     Holder root(Holder::RootHolder, object);
     auto stringifyResult = appendStringifiedValue(result, value, root, emptyPropertyName);
-    EXCEPTION_ASSERT(!scope.exception() || (stringifyResult != StringifySucceeded));
+    RETURN_IF_EXCEPTION(scope, jsUndefined());
+    if (UNLIKELY(result.hasOverflowed())) {
+        throwOutOfMemoryError(m_exec, scope);
+        return jsUndefined();
+    }
     if (UNLIKELY(stringifyResult != StringifySucceeded))
         return jsUndefined();
-
     RELEASE_AND_RETURN(scope, jsString(m_exec, result.toString()));
 }
@@ -360 +363 @@
         RETURN_IF_EXCEPTION(scope, StringifyFailed);
         builder.appendQuotedJSONString(string);
-        if (UNLIKELY(builder.hasOverflowed())) {
-            throwOutOfMemoryError(m_exec, scope);
-            return StringifyFailed;
-        }
         return StringifySucceeded;
     }
@@ -392 +391 @@
     }
 
+    if (UNLIKELY(builder.hasOverflowed()))
+        return StringifyFailed;
+
     // Handle cycle detection, and put the holder on the stack.
     for (unsigned i = 0; i < m_holderStack.size(); i++) {
@@ -411 +413 @@
             RETURN_IF_EXCEPTION(scope, StringifyFailed);
         RETURN_IF_EXCEPTION(scope, StringifyFailed);
+        if (UNLIKELY(builder.hasOverflowed()))
+            return StringifyFailed;
         m_holderStack.removeLast();
         m_objectStack.removeLast();
@@ -494 +498 @@
         stringifier.indent();
     }
+    if (UNLIKELY(builder.hasOverflowed()))
+        return false;
 
     // Last time through, finish up and return false.