Title: [226100] releases/WebKitGTK/webkit-2.18
Revision: 226100
Author: carlo...@webkit.org
Date: 2017-12-18 22:21:20 -0800 (Mon, 18 Dec 2017)

Log Message

Merge r223731 - Stringifier::appendStringifiedValue() is missing an exception check.
https://bugs.webkit.org/show_bug.cgi?id=178386
<rdar://problem/35027610>

Reviewed by Saam Barati.

JSTests:

* stress/regress-178386.js: Added.

Source/JavaScriptCore:

* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):

Diff

Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (226099 => 226100)


--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2017-12-19 06:20:01 UTC (rev 226099)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2017-12-19 06:21:20 UTC (rev 226100)
@@ -1,3 +1,13 @@
+2017-10-19  Mark Lam  <mark....@apple.com>
+
+        Stringifier::appendStringifiedValue() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=178386
+        <rdar://problem/35027610>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-178386.js: Added.
+
 2017-10-18  Mark Lam  <mark....@apple.com>
 
         The compiler should always register a structure when it adds its transitionWatchPointSet.

Added: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-178386.js (0 => 226100)


--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-178386.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-178386.js	2017-12-19 06:21:20 UTC (rev 226100)
@@ -0,0 +1,12 @@
+var str1 = String.fromCharCode(136, 115, 29, 20, 15, 155, 81);
+str3 = str1.padEnd(0x7FFFFFFC, '123');
+
+var exception;
+try {
+    JSON.stringify(str3);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
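Review bot: The large string is built by `str1.padEnd(0x7FFFFFFC, '123')` outside the `try` block, so an exception thrown at that line aborts the test as an uncaught error instead of exercising `JSON.stringify`; move it inside the `try` or give it its own handler. On the same line `str3` is assigned without `var`, which creates an implicit global. The final check compares the caught value to a string with `!=`, which matches only through implicit string coercion; `String(exception) !== "Error: Out of memory"` states the intent directly.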

Modified: releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/ChangeLog (226099 => 226100)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-12-19 06:20:01 UTC (rev 226099)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-12-19 06:21:20 UTC (rev 226100)
@@ -1,3 +1,14 @@
+2017-10-19  Mark Lam  <mark....@apple.com>
+
+        Stringifier::appendStringifiedValue() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=178386
+        <rdar://problem/35027610>
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::appendStringifiedValue):
+
 2017-10-18  Mark Lam  <mark....@apple.com>
 
         The compiler should always register a structure when it adds its transitionWatchPointSet.
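Review bot: The added entry names `JSC::Stringifier::appendStringifiedValue` but carries no sentence on what goes wrong without the check. Add a line under the function saying that obtaining the string value can throw (the accompanying test expects "Error: Out of memory") and that the result must not reach the builder in that case.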

Modified: releases/WebKitGTK/webkit-2.18/Source/JavaScriptCore/runtime/JSONObject.cpp (226099 => 226100)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSONObject.cpp	2017-12-19 06:20:01 UTC (rev 226099)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSONObject.cpp	2017-12-19 06:21:20 UTC (rev 226100)
@@ -355,7 +355,9 @@
     }
 
     if (value.isString()) {
-        builder.appendQuotedJSONString(asString(value)->value(m_exec));
+        const String& string = asString(value)->value(m_exec);
+        RETURN_IF_EXCEPTION(scope, StringifyFailed);
+        builder.appendQuotedJSONString(string);
         return StringifySucceeded;
     }
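Review bot: The new `RETURN_IF_EXCEPTION(scope, StringifyFailed)` after `asString(value)->value(m_exec)` has no comment saying why `value()` can throw here; a short comment tying it to the out-of-memory case covered by stress/regress-178386.js would keep the check from being dropped as dead code later. The `scope` it uses is declared outside this hunk, so confirm it is the throw scope for this function. It is also worth checking whether other `->value(m_exec)` results in this file are consumed without the same check.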
 