Modified: trunk/LayoutTests/ChangeLog (135793 => 135794)
--- trunk/LayoutTests/ChangeLog 2012-11-27 01:52:14 UTC (rev 135793)
+++ trunk/LayoutTests/ChangeLog 2012-11-27 02:00:23 UTC (rev 135794)
@@ -1,3 +1,18 @@
+2012-11-26 Daniel Bates <dba...@webkit.org>
+
+ _javascript_ fails to handle String.replace() with large replacement string
+ https://bugs.webkit.org/show_bug.cgi?id=102956
+ <rdar://problem/12738012>
+
+ Reviewed by Oliver Hunt.
+
+ Add test to ensure that we handle string replacement with a large replacement string.
+
+ * fast/js/script-tests/string-replacement-outofmemory.js: Added.
+ (createStringWithRepeatedChar):
+ * fast/js/string-replacement-outofmemory-expected.txt: Added.
+ * fast/js/string-replacement-outofmemory.html: Added.
+
2012-11-26 Varun Jain <varunj...@chromium.org>
LongPress and LongTap gestures should start drag/drop and open context menu respectively.
Added: trunk/LayoutTests/fast/js/script-tests/string-replacement-outofmemory.js (0 => 135794)
--- trunk/LayoutTests/fast/js/script-tests/string-replacement-outofmemory.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/string-replacement-outofmemory.js 2012-11-27 02:00:23 UTC (rev 135794)
@@ -0,0 +1,18 @@
+description(
+'This tests that string replacement with a large replacement string causes an out-of-memory exception. See <a href="" 102956</a> for more details.'
+);
+
+function createStringWithRepeatedChar(c, multiplicity) {
+ while (c.length < multiplicity)
+ c += c;
+ c = c.substring(0, multiplicity);
+ return c;
+}
+
+var x = "1";
+var y = "2";
+x = createStringWithRepeatedChar(x, 1 << 12);
+y = createStringWithRepeatedChar(y, (1 << 20) + 1);
+
+shouldThrow("x.replace(/\\d/g, y)", '"Error: Out of memory"');
+var successfullyParsed = true;
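Review bot: The one case at L40–L43 pins a result length of 4096 × (2^20 + 1) = 2^32 + 4096, which overflows both a signed and an unsigned 32-bit length, so it does not distinguish the `Checked<int>` bound the fix adopts from an unsigned one. A second input just past INT_MAX but under UINT_MAX would pin that choice, e.g. `var z = createStringWithRepeatedChar("3", (1 << 19) + 1);` followed by `shouldThrow("x.replace(/\\d/g, z)", '"Error: Out of memory"');`; it should be equally cheap since the overflow check fires before any allocation, though whether an unsigned variant would instead attempt (and probably fail) a 2 GB allocation is inferred rather than visible here. A one-line comment on `createStringWithRepeatedChar` would also help, e.g. `// Returns c repeated until the string is exactly `multiplicity` characters long.`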
Added: trunk/LayoutTests/fast/js/string-replacement-outofmemory-expected.txt (0 => 135794)
--- trunk/LayoutTests/fast/js/string-replacement-outofmemory-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/string-replacement-outofmemory-expected.txt 2012-11-27 02:00:23 UTC (rev 135794)
@@ -0,0 +1,10 @@
+This tests that string replacement with a large replacement string causes an out-of-memory exception. See bug 102956 for more details.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS x.replace(/\d/g, y) threw exception Error: Out of memory.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/string-replacement-outofmemory.html (0 => 135794)
--- trunk/LayoutTests/fast/js/string-replacement-outofmemory.html (rev 0)
+++ trunk/LayoutTests/fast/js/string-replacement-outofmemory.html 2012-11-27 02:00:23 UTC (rev 135794)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/Source/_javascript_Core/ChangeLog (135793 => 135794)
--- trunk/Source/_javascript_Core/ChangeLog 2012-11-27 01:52:14 UTC (rev 135793)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-11-27 02:00:23 UTC (rev 135794)
@@ -1,3 +1,17 @@
+2012-11-26 Daniel Bates <dba...@webkit.org>
+
+ _javascript_ fails to handle String.replace() with large replacement string
+ https://bugs.webkit.org/show_bug.cgi?id=102956
+ <rdar://problem/12738012>
+
+ Reviewed by Oliver Hunt.
+
+ Fix an issue where we didn't check for overflow when computing the length
+ of the result of String.replace() with a large replacement string.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::jsSpliceSubstringsWithSeparators):
+
2012-11-26 Zeno Albisser <z...@webkit.org>
[Qt] Fix the LLInt build on Mac
Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (135793 => 135794)
--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2012-11-27 01:52:14 UTC (rev 135793)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2012-11-27 02:00:23 UTC (rev 135794)
@@ -338,7 +338,7 @@
return jsString(exec, StringImpl::create(source.impl(), std::max(0, position), std::min(sourceSize, length)));
}
- int totalLength = 0;
+ Checked<int, RecordOverflow> totalLength = 0;
bool allSeperators8Bit = true;
for (int i = 0; i < rangeCount; i++)
totalLength += substringRanges[i].length;
@@ -347,6 +347,8 @@
if (separators[i].length() && !separators[i].is8Bit())
allSeperators8Bit = false;
}
+ if (totalLength.hasOverflowed())
+ return throwOutOfMemoryError(exec);
if (!totalLength)
return jsEmptyString(exec);
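Review bot: The ordering of the two checks at L108–L111 is load-bearing and is not explained: `!totalLength` reads a `Checked` value, and if I read WTF's Checked correctly an overflowed value crashes on use rather than comparing as zero, so the `hasOverflowed()` test must stay first and `unsafeGet()` further down is only safe because of it. Suggest a comment above line 108 such as `// Check overflow before any read of totalLength: an overflowed Checked value crashes when used, and unsafeGet() below relies on this check.` It would also help to state why an unrepresentable result length is reported as out-of-memory rather than a RangeError, e.g. `// A length that does not fit can never be allocated, so report it as OOM, matching the tryCreateUninitialized failure path.` The enclosing function jsSpliceSubstringsWithSeparators starts before this hunk.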
@@ -355,7 +357,7 @@
LChar* buffer;
const LChar* sourceData = source.characters8();
- RefPtr<StringImpl> impl = StringImpl::tryCreateUninitialized(totalLength, buffer);
+ RefPtr<StringImpl> impl = StringImpl::tryCreateUninitialized(totalLength.unsafeGet(), buffer);
if (!impl)
return throwOutOfMemoryError(exec);
@@ -380,7 +382,7 @@
}
UChar* buffer;
- RefPtr<StringImpl> impl = StringImpl::tryCreateUninitialized(totalLength, buffer);
+ RefPtr<StringImpl> impl = StringImpl::tryCreateUninitialized(totalLength.unsafeGet(), buffer);
if (!impl)
return throwOutOfMemoryError(exec);