Title: [254738] trunk
- Revision
- 254738
- Author
- rmoris...@apple.com
- Date
- 2020-01-16 23:16:34 -0800 (Thu, 16 Jan 2020)
Log Message
[ESNext] Enables a way to throw an error on ByteCodeGenerator step
https://bugs.webkit.org/show_bug.cgi?id=180139
Reviewed by Mark Lam.
JSTests:
* stress/eval-huge-big-int-memory-overflow.js: Added.
Source/_javascript_Core:
This is a minimal fix that only deals with overly huge BigInts.
A more thorough solution is rather low priority (since it has neither security nor performance impact).
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addBigIntConstant):
* bytecompiler/NodesCodegen.cpp:
(JSC::ConstantNode::emitBytecode):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
Diff
Modified: trunk/JSTests/ChangeLog (254737 => 254738)
--- trunk/JSTests/ChangeLog 2020-01-17 06:59:15 UTC (rev 254737)
+++ trunk/JSTests/ChangeLog 2020-01-17 07:16:34 UTC (rev 254738)
@@ -1,3 +1,12 @@
+2020-01-16 Robin Morisset <rmoris...@apple.com>
+
+ [ESNext] Enables a way to throw an error on ByteCodeGenerator step
+ https://bugs.webkit.org/show_bug.cgi?id=180139
+
+ Reviewed by Mark Lam.
+
+ * stress/eval-huge-big-int-memory-overflow.js: Added.
+
2020-01-16 Keith Miller <keith_mil...@apple.com>
Reland bytecode checkpoints since bugs have been fixed
Added: trunk/JSTests/stress/eval-huge-big-int-memory-overflow.js (0 => 254738)
--- trunk/JSTests/stress/eval-huge-big-int-memory-overflow.js (rev 0)
+++ trunk/JSTests/stress/eval-huge-big-int-memory-overflow.js 2020-01-17 07:16:34 UTC (rev 254738)
@@ -0,0 +1,5 @@
+//@ if $memoryLimited then skip else runDefault end
+
+try {
+ eval('1'.repeat(2**20)+'n');
+} catch {}
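Review bot: the bare `catch {}` swallows every exception, so this test passes whether `eval` throws the error the new bytecode path is meant to produce, throws something unrelated, or simply succeeds on a machine with enough memory; catch the error and rethrow anything that is not the expected one (for example `catch (e) { if (!(e instanceof RangeError)) throw e; }` if a RangeError is what the generator emits) so a regression that yields a different exception, or a crash-free but wrong result, is not masked. A one-line comment stating what the test is guarding against (the null constant from parsing a huge BigInt) would also help, since the file name is the only hint.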
Modified: trunk/Source/_javascript_Core/ChangeLog (254737 => 254738)
--- trunk/Source/_javascript_Core/ChangeLog 2020-01-17 06:59:15 UTC (rev 254737)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-01-17 07:16:34 UTC (rev 254738)
@@ -1,3 +1,20 @@
+2020-01-16 Robin Morisset <rmoris...@apple.com>
+
+ [ESNext] Enables a way to throw an error on ByteCodeGenerator step
+ https://bugs.webkit.org/show_bug.cgi?id=180139
+
+ Reviewed by Mark Lam.
+
+ This is a minimal fix that only deals with overly huge BigInts.
+ A more thorough solution is rather low priority (since it has neither securities nor performance impact).
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addBigIntConstant):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ConstantNode::emitBytecode):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::parseInt):
+
2020-01-16 Keith Miller <keith_mil...@apple.com>
Reland bytecode checkpoints since bugs have been fixed
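Review bot: typo in the new ChangeLog entry, "neither securities nor performance impact" should read "neither security nor performance impact".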
Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (254737 => 254738)
--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2020-01-17 06:59:15 UTC (rev 254737)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2020-01-17 07:16:34 UTC (rev 254738)
@@ -2880,10 +2880,7 @@
auto scope = DECLARE_CATCH_SCOPE(vm());
auto parseIntSign = sign ? JSBigInt::ParseIntSign::Signed : JSBigInt::ParseIntSign::Unsigned;
JSBigInt* bigIntInMap = JSBigInt::parseInt(nullptr, vm(), identifier.string(), radix, JSBigInt::ErrorParseMode::ThrowExceptions, parseIntSign);
- // FIXME: [ESNext] Enables a way to throw an error on ByteCodeGenerator step
- // https://bugs.webkit.org/show_bug.cgi?id=180139
scope.assertNoException();
- RELEASE_ASSERT(bigIntInMap);
addConstantValue(bigIntInMap);
return bigIntInMap;
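Review bot: with `RELEASE_ASSERT(bigIntInMap)` removed, a null `bigIntInMap` now flows straight into `addConstantValue(bigIntInMap)` before being returned; add an early `if (!bigIntInMap) return nullptr;` ahead of `addConstantValue` so a null value is never entered into the constant pool, and replace the deleted FIXME with a one-line comment saying the null comes from `parseInt` being called with a null global object (that explanation currently lives only in JSBigInt.cpp, far from this caller). Passing `ErrorParseMode::ThrowExceptions` together with a `nullptr` global object also reads oddly now that the null return is the intended failure signal; a comment, or a dedicated parse mode, would make the contract explicit.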
Modified: trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (254737 => 254738)
--- trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2020-01-17 06:59:15 UTC (rev 254737)
+++ trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2020-01-17 07:16:34 UTC (rev 254738)
@@ -119,7 +119,12 @@
{
if (dst == generator.ignoredResult())
return 0;
- return generator.emitLoad(dst, jsValue(generator));
+ JSValue constant = jsValue(generator);
+ if (UNLIKELY(!constant)) {
+ // This can happen if we try to parse a string or BigInt so enormous that we OOM.
+ return generator.emitThrowExpressionTooDeepException();
+ }
+ return generator.emitLoad(dst, constant);
}
JSValue StringNode::jsValue(BytecodeGenerator& generator) const
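Review bot: the comment says a null `constant` means an OOM while parsing a huge string or BigInt, but the failure is then reported through `emitThrowExpressionTooDeepException()`, so the script receives an "expression too deep" error for what is really an allocation failure; either a helper that throws an out-of-memory RangeError, or a comment stating that the too-deep error is deliberately reused here, would keep the message honest. The comment also mentions strings, yet the only visible null-return change is in `JSBigInt::parseInt`; if `StringNode::jsValue` can return null the same way, say where, otherwise narrow the comment to BigInt.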
Modified: trunk/Source/_javascript_Core/runtime/JSBigInt.cpp (254737 => 254738)
--- trunk/Source/_javascript_Core/runtime/JSBigInt.cpp 2020-01-17 06:59:15 UTC (rev 254737)
+++ trunk/Source/_javascript_Core/runtime/JSBigInt.cpp 2020-01-17 07:16:34 UTC (rev 254738)
@@ -1875,6 +1875,9 @@
JSBigInt* result = allocateFor(globalObject, vm, radix, length - p);
RETURN_IF_EXCEPTION(scope, nullptr);
+ // result can still be null if we don't have access to global object, as allocateFor cannot throw an exception in that case.
+ if (!result)
+ return nullptr;
result->initialize(InitializationType::WithZero);
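Review bot: the new `if (!result) return nullptr;` relies on the invariant stated in its comment (null only when `globalObject` is null, because `allocateFor` throws otherwise and `RETURN_IF_EXCEPTION` already returned); make that checkable with `ASSERT(!globalObject)` inside the branch, and document in the `parseInt` declaration that the return value may be null so callers other than `BytecodeGenerator::addBigIntConstant` know to check it rather than dereference it.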
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes