Context Navigation

← Previous Changeset
Next Changeset →

Changeset 242910 in webkit

Timestamp:

Mar 13, 2019 2:42:17 PM (5 years ago)

Author:

dinfuehr@igalia.com

Message:

String overflow when using StringBuilder in JSC::createError
https://bugs.webkit.org/show_bug.cgi?id=194957

Reviewed by Mark Lam.

JSTests:

Add test string-overflow-createError-bulder.js that overflows
StringBuilder in notAFunctionSourceAppender. The second new test
string-overflow-createError-fit.js has an error message that doesn't
overflow, it still failed since the String's capacity can't be doubled.
Run test string-overflow-createError.js only in the default
configuration to reduce memory consumption when running the test
in all configurations on multiple CPUs in parallel.

stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.

(catch):

stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.

(catch):

stress/string-overflow-createError.js:

Source/JavaScriptCore:

StringBuilder in notAFunctionSourceAppender didn't check
for overflows but just failed.

runtime/ExceptionHelpers.cpp:

(JSC::notAFunctionSourceAppender):

Source/WTF:

When calculating the new capacity of a StringBuilder object,
use a limit of MaxLength instead of MaxLength+1. Allocating
a string of size MaxLength+1 always fails. This means that expanding
a StringBuilder only worked when the newly doubled capacity is less or
equal to MaxLength.

wtf/text/StringBuilder.cpp:

Location:

trunk

Files:

: 2 added
: 6 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/string-overflow-createError-builder.js (added)
JSTests/stress/string-overflow-createError-fit.js (added)
JSTests/stress/string-overflow-createError.js (modified) (2 diffs)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/ExceptionHelpers.cpp (modified) (2 diffs)
Source/WTF/ChangeLog (modified) (1 diff)
Source/WTF/wtf/text/StringBuilder.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r242841
+                      r242910
+-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
+        String overflow when using StringBuilder in JSC::createError
+        https://bugs.webkit.org/show_bug.cgi?id=194957
+        Reviewed by Mark Lam.
+        Add test string-overflow-createError-bulder.js that overflows
+        StringBuilder in notAFunctionSourceAppender. The second new test
+        string-overflow-createError-fit.js has an error message that doesn't
+        overflow, it still failed since the String's capacity can't be doubled.
+        Run test string-overflow-createError.js only in the default
+        configuration to reduce memory consumption when running the test
+        in all configurations on multiple CPUs in parallel.
+        * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
+        (catch):
+        * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
+        (catch):
+        * stress/string-overflow-createError.js:
 -03-12  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/JSTests/stress/string-overflow-createError.js

-                      r239560
+                      r242910
 //@ skip if $memoryLimited
+//@ runDefault
 var exception;
 try {
 …
+}
+// Creating the error message for the TypeError overflows
+// the string and therefore an out-of-memory error is thrown.
 if (exception != "Error: Out of memory")
     throw "FAILED";

trunk/Source/JavaScriptCore/ChangeLog

-                      r242902
+                      r242910
+-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
+        String overflow when using StringBuilder in JSC::createError
+        https://bugs.webkit.org/show_bug.cgi?id=194957
+        Reviewed by Mark Lam.
+        StringBuilder in notAFunctionSourceAppender didn't check
+        for overflows but just failed.
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::notAFunctionSourceAppender):
 -03-11  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp

-                      r242596
+                      r242910
     if (!base)
         return defaultApproximateSourceError(originalMessage, sourceText);
     StringBuilder builder;
+    StringBuilder builder(StringBuilder::OverflowHandler::RecordOverflow);
     builder.append(base);
     builder.appendLiteral(" is not a function. (In '");
 …
     builder.append(')');
+    if (builder.hasOverflowed())
+        return makeString("object is not a function."_s);
     return builder.toString();
+}

trunk/Source/WTF/ChangeLog

-                      r242909
+                      r242910
+-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
+        String overflow when using StringBuilder in JSC::createError
+        https://bugs.webkit.org/show_bug.cgi?id=194957
+        Reviewed by Mark Lam.
+        When calculating the new capacity of a StringBuilder object,
+        use a limit of MaxLength instead of MaxLength+1.  Allocating
+        a string of size MaxLength+1 always fails. This means that expanding
+        a StringBuilder only worked when the newly doubled capacity is less or
+        equal to MaxLength.
+        * wtf/text/StringBuilder.cpp:
 -03-13  Chris Dumez  <cdumez@apple.com>

trunk/Source/WTF/wtf/text/StringBuilder.cpp

r242360	r242910
35	35	namespace WTF {
36	36
37		static constexpr unsigned maxCapacity = String::MaxLength ~~+ 1~~;
	37	static constexpr unsigned maxCapacity = String::MaxLength;
38	38
39	39	static unsigned expandedCapacity(unsigned capacity, unsigned requiredLength)

Note: See TracChangeset for help on using the changeset viewer.