Title: [230236] branches/safari-605-branch
- Revision
- 230236
- Author
- jmarc...@apple.com
- Date
- 2018-04-03 20:27:26 -0700 (Tue, 03 Apr 2018)
Log Message
Cherry-pick r230026. rdar://problem/39155085
appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
https://bugs.webkit.org/show_bug.cgi?id=183894
Reviewed by Saam Barati.
JSTests:
* stress/json-stringified-overflow.js: Added.
(catch):
Source/_javascript_Core:
Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
Source/WTF:
appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
to fit in 4GB.
* wtf/text/StringBuilder.h:
* wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230026 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-605-branch/JSTests/ChangeLog (230235 => 230236)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-04-04 03:27:23 UTC (rev 230235)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-04-04 03:27:26 UTC (rev 230236)
@@ -1,5 +1,48 @@
2018-04-03 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r230026. rdar://problem/39155085
+
+ appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+ https://bugs.webkit.org/show_bug.cgi?id=183894
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/json-stringified-overflow.js: Added.
+ (catch):
+
+ Source/_javascript_Core:
+
+ Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+ Source/WTF:
+
+ appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
+ to fit in 4GB.
+
+ * wtf/text/StringBuilder.h:
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230026 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-03-28 Robin Morisset <rmoris...@apple.com>
+
+ appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+ https://bugs.webkit.org/show_bug.cgi?id=183894
+
+ Reviewed by Saam Barati.
+
+ * stress/json-stringified-overflow.js: Added.
+ (catch):
+
+2018-04-03 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r229850. rdar://problem/39155286
Race Condition in arrayProtoFuncReverse() causes wrong results or crash
Added: branches/safari-605-branch/JSTests/stress/json-stringified-overflow.js (0 => 230236)
--- branches/safari-605-branch/JSTests/stress/json-stringified-overflow.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/json-stringified-overflow.js 2018-04-04 03:27:26 UTC (rev 230236)
@@ -0,0 +1,3 @@
+try {
+ JSON.stringify("123".padStart(1073741823))
+} catch (e) {}
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (230235 => 230236)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-04-04 03:27:23 UTC (rev 230235)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-04-04 03:27:26 UTC (rev 230236)
@@ -1,5 +1,50 @@
2018-04-03 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r230026. rdar://problem/39155085
+
+ appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+ https://bugs.webkit.org/show_bug.cgi?id=183894
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/json-stringified-overflow.js: Added.
+ (catch):
+
+ Source/_javascript_Core:
+
+ Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+ Source/WTF:
+
+ appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
+ to fit in 4GB.
+
+ * wtf/text/StringBuilder.h:
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230026 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-03-28 Robin Morisset <rmoris...@apple.com>
+
+ appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+ https://bugs.webkit.org/show_bug.cgi?id=183894
+
+ Reviewed by Saam Barati.
+
+ Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+2018-04-03 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r229962. rdar://problem/39122091
r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSONObject.cpp (230235 => 230236)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSONObject.cpp 2018-04-04 03:27:23 UTC (rev 230235)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSONObject.cpp 2018-04-04 03:27:26 UTC (rev 230236)
@@ -357,8 +357,10 @@
if (value.isString()) {
const String& string = asString(value)->value(m_exec);
RETURN_IF_EXCEPTION(scope, StringifyFailed);
- builder.appendQuotedJSONString(string);
- return StringifySucceeded;
+ if (builder.appendQuotedJSONString(string))
+ return StringifySucceeded;
+ throwOutOfMemoryError(m_exec, scope);
+ return StringifyFailed;
}
if (value.isNumber()) {
Modified: branches/safari-605-branch/Source/WTF/ChangeLog (230235 => 230236)
--- branches/safari-605-branch/Source/WTF/ChangeLog 2018-04-04 03:27:23 UTC (rev 230235)
+++ branches/safari-605-branch/Source/WTF/ChangeLog 2018-04-04 03:27:26 UTC (rev 230236)
@@ -1,3 +1,50 @@
+2018-04-03 Jason Marcell <jmarc...@apple.com>
+
+ Cherry-pick r230026. rdar://problem/39155085
+
+ appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+ https://bugs.webkit.org/show_bug.cgi?id=183894
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/json-stringified-overflow.js: Added.
+ (catch):
+
+ Source/_javascript_Core:
+
+ Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+ Source/WTF:
+
+ appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
+ to fit in 4GB.
+
+ * wtf/text/StringBuilder.h:
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230026 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-03-28 Robin Morisset <rmoris...@apple.com>
+
+ appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
+ https://bugs.webkit.org/show_bug.cgi?id=183894
+
+ Reviewed by Saam Barati.
+
+ appendQuotedJSONString now returns a bool indicating whether it succeeded, instead of silently failing when given a string too large
+ to fit in 4GB.
+
+ * wtf/text/StringBuilder.h:
+ * wtf/text/StringBuilderJSON.cpp:
+ (WTF::StringBuilder::appendQuotedJSONString):
+
2018-02-15 Jason Marcell <jmarc...@apple.com>
Cherry-pick r228481. rdar://problem/37570863
Modified: branches/safari-605-branch/Source/WTF/wtf/text/StringBuilder.h (230235 => 230236)
--- branches/safari-605-branch/Source/WTF/wtf/text/StringBuilder.h 2018-04-04 03:27:23 UTC (rev 230235)
+++ branches/safari-605-branch/Source/WTF/wtf/text/StringBuilder.h 2018-04-04 03:27:26 UTC (rev 230236)
@@ -174,7 +174,7 @@
append(U16_TRAIL(c));
}
- WTF_EXPORT_PRIVATE void appendQuotedJSONString(const String&);
+ WTF_EXPORT_PRIVATE bool appendQuotedJSONString(const String&);
template<unsigned characterCount>
ALWAYS_INLINE void appendLiteral(const char (&characters)[characterCount]) { append(characters, characterCount - 1); }
Modified: branches/safari-605-branch/Source/WTF/wtf/text/StringBuilderJSON.cpp (230235 => 230236)
--- branches/safari-605-branch/Source/WTF/wtf/text/StringBuilderJSON.cpp 2018-04-04 03:27:23 UTC (rev 230235)
+++ branches/safari-605-branch/Source/WTF/wtf/text/StringBuilderJSON.cpp 2018-04-04 03:27:26 UTC (rev 230236)
@@ -74,16 +74,18 @@
}
}
-void StringBuilder::appendQuotedJSONString(const String& string)
+bool StringBuilder::appendQuotedJSONString(const String& string)
{
// Make sure we have enough buffer space to append this string without having
// to worry about reallocating in the middle.
// The 2 is for the '"' quotes on each end.
// The 6 is for characters that need to be \uNNNN encoded.
- Checked<unsigned> stringLength = string.length();
- Checked<unsigned> maximumCapacityRequired = length();
+ Checked<unsigned, RecordOverflow> stringLength = string.length();
+ Checked<unsigned, RecordOverflow> maximumCapacityRequired = length();
maximumCapacityRequired += 2 + stringLength * 6;
- unsigned allocationSize = maximumCapacityRequired.unsafeGet();
+ unsigned allocationSize;
+ if (CheckedState::DidOverflow == maximumCapacityRequired.safeGet(allocationSize))
+ return false;
// This max() is here to allow us to allocate sizes between the range [2^31, 2^32 - 2] because roundUpToPowerOfTwo(1<<31 + some int smaller than 1<<31) == 0.
// FIXME: roundUpToPowerOfTwo should take Checked<unsigned> and abort if it fails to round up.
// https://bugs.webkit.org/show_bug.cgi?id=176086
@@ -113,6 +115,7 @@
m_length = output - m_bufferCharacters16;
}
ASSERT(m_buffer->length() >= m_length);
+ return true;
}
} // namespace WTF
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
