Changeset 259481 in webkit

Timestamp:

Apr 3, 2020 11:40:05 AM (4 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] canonicalizeLocaleList should gracefully throw OOM error if input + error message is too large
​https://bugs.webkit.org/show_bug.cgi?id=209971
<rdar://problem/61258621>

Reviewed by Mark Lam.

JSTests:

• stress/intl-canonicalize-locale-list-error-oom.js: Added.

(shouldThrow):

Source/JavaScriptCore:

canonicalizeLocaleList generates error-message with input. If input is too large, error-message string
generation could fail due to OOM. We should gracefully throw OOM error instead of crashing. This strategy
follows to createError's error-message generation: if error-message generation fails, throwing OOM error.

• runtime/IntlObject.cpp:

(JSC::canonicalizeLocaleList):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/intl-canonicalize-locale-list-error-oom.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/IntlObject.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] canonicalizeLocaleList should gracefully throw OOM error if input + error message is too large
+        https://bugs.webkit.org/show_bug.cgi?id=209971
+        <rdar://problem/61258621>
+
+        Reviewed by Mark Lam.
+
+        * stress/intl-canonicalize-locale-list-error-oom.js: Added.
+        (shouldThrow):
+
 2020-04-03  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] canonicalizeLocaleList should gracefully throw OOM error if input + error message is too large
+        https://bugs.webkit.org/show_bug.cgi?id=209971
+        <rdar://problem/61258621>
+
+        Reviewed by Mark Lam.
+
+        canonicalizeLocaleList generates error-message with input. If input is too large, error-message string
+        generation could fail due to OOM. We should gracefully throw OOM error instead of crashing. This strategy
+        follows to `createError`'s error-message generation: if error-message generation fails, throwing OOM error.
+
+        * runtime/IntlObject.cpp:
+        (JSC::canonicalizeLocaleList):
+
 2020-04-03  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/runtime/IntlObject.cpp

@@ -634 +634 @@
             if (!kValue.isString() && !kValue.isObject()) {
                 throwTypeError(globalObject, scope, "locale value must be a string or object"_s);
-                return Vector<String>();
+                return { };
             }
 
@@ -645 +645 @@
             String canonicalizedTag = canonicalizeLanguageTag(tagValue);
             if (canonicalizedTag.isNull()) {
-                throwException(globalObject, scope, createRangeError(globalObject, "invalid language tag: " + tagValue));
-                return Vector<String>();
+                String errorMessage = tryMakeString("invalid language tag: ", tagValue);
+                if (UNLIKELY(!errorMessage)) {
+                    throwException(globalObject, scope, createOutOfMemoryError(globalObject));
+                    return { };
+                }
+                throwException(globalObject, scope, createRangeError(globalObject, errorMessage));
+                return { };
             }