Title: [273373] trunk
Revision: 273373
Author: commit-qu...@webkit.org
Date: 2021-02-24 00:05:43 -0800 (Wed, 24 Feb 2021)

Log Message

Null check ArrayBufferView RefPtr
https://bugs.webkit.org/show_bug.cgi?id=221569

Patch by Rob Buis <rb...@igalia.com> on 2021-02-24
Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

Null check ArrayBufferView RefPtr before using it.

* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::unsharedImpl):

LayoutTests:

Add a test to verify that an OOM situation does not result in a crash.

* crypto/crypto-random-values-oom-expected.txt: Added.
* crypto/crypto-random-values-oom.html: Added.
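The following is an added example, not WebKit code, that models the failure mode this commit fixes: a helper that can hand back a null smart pointer after an allocation failure, an assertion that used to dereference it, and a caller that turns the null into the TypeError the new layout test accepts. `std::shared_ptr` stands in for `WTF::RefPtr`, a throwing macro stands in for `RELEASE_ASSERT` (which really aborts the process), and the view, wrapper and caller types are toy stand-ins whose names are assumptions, not JSC's API.

```cpp
// Added example (not WebKit code). std::shared_ptr stands in for WTF::RefPtr,
// EXAMPLE_RELEASE_ASSERT stands in for RELEASE_ASSERT (which aborts), and the
// view, wrapper and caller types are toy stand-ins, not JSC's real API.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for RELEASE_ASSERT: the abort is replaced by an exception so a test
// can observe which assertion fired.
#define EXAMPLE_RELEASE_ASSERT(cond) \
    do { if (!(cond)) throw std::logic_error("assertion failed: " #cond); } while (0)

struct ArrayBufferView {
    bool shared = false;
    std::vector<uint8_t> bytes;
    bool isShared() const { return shared; }
};

class JSArrayBufferView {
public:
    // memoryBudget models the allocator: a request above it fails and leaves the
    // wrapper with a null backing view, the state the OOM layout test drives.
    JSArrayBufferView(size_t length, bool shared, size_t memoryBudget)
    {
        if (length <= memoryBudget)
            m_impl = std::make_shared<ArrayBufferView>(ArrayBufferView{shared, std::vector<uint8_t>(length)});
    }

    std::shared_ptr<ArrayBufferView> possiblySharedImpl() const { return m_impl; }

    // Post-fix shape of r273373: a null result passes the assertion and is
    // handed back to the caller, which must check it.
    std::shared_ptr<ArrayBufferView> unsharedImpl() const
    {
        std::shared_ptr<ArrayBufferView> result = possiblySharedImpl();
        EXAMPLE_RELEASE_ASSERT(!result || !result->isShared());
        return result;
    }

private:
    std::shared_ptr<ArrayBufferView> m_impl;
};

// True when the pre-fix form, RELEASE_ASSERT(!result->isShared()), would call
// isShared() through a null pointer for this view. The dereference itself is
// undefined behaviour, so it is reported rather than performed.
bool preFixAssertWouldDereferenceNull(const JSArrayBufferView& view)
{
    return !view.possiblySharedImpl();
}

// Caller modelled on the binding the layout test exercises: a null view becomes
// the TypeError the test accepts instead of a crash. A deterministic filler
// stands in for the CSPRNG so the outcome is checkable.
struct FillResult { bool ok; std::string error; size_t bytesWritten; };

FillResult fillWithBytes(JSArrayBufferView& view, uint8_t seed)
{
    std::shared_ptr<ArrayBufferView> impl = view.unsharedImpl();
    if (!impl)
        return {false, "TypeError: Argument 1 ('array') to Crypto.getRandomValues must be an instance of ArrayBufferView", 0};
    uint8_t x = seed;
    for (uint8_t& b : impl->bytes) {
        x = static_cast<uint8_t>(x * 31 + 7);
        b = x;
    }
    return {true, "", impl->bytes.size()};
}

// Scenario helpers, one checkable value each.
bool normalViewFills()
{
    JSArrayBufferView view(16, false, 1024);
    FillResult r = fillWithBytes(view, 1);
    return r.ok && r.bytesWritten == 16;
}

bool oomViewReportsTypeError()
{
    JSArrayBufferView view(4096, false, 1024); // allocation fails: null impl
    FillResult r = fillWithBytes(view, 1);
    return !r.ok && r.bytesWritten == 0 && r.error.rfind("TypeError", 0) == 0;
}

bool oomViewWouldHaveCrashedBeforeFix()
{
    return preFixAssertWouldDereferenceNull(JSArrayBufferView(4096, false, 1024));
}

bool sharedViewStillAsserts()
{
    JSArrayBufferView view(8, true, 1024);
    try {
        view.unsharedImpl();
    } catch (const std::logic_error&) {
        return true; // the shared-buffer invariant is unchanged by the fix
    }
    return false;
}
```

The point the scenarios make is that the one-token change does not make `unsharedImpl()` safe on its own: it stops the assertion from dereferencing null, and every caller still has to treat a null return as an allocation failure, as `fillWithBytes` does here.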

Diff

Modified: trunk/LayoutTests/ChangeLog (273372 => 273373)


--- trunk/LayoutTests/ChangeLog	2021-02-24 05:34:19 UTC (rev 273372)
+++ trunk/LayoutTests/ChangeLog	2021-02-24 08:05:43 UTC (rev 273373)
@@ -1,3 +1,15 @@
+2021-02-24  Rob Buis  <rb...@igalia.com>
+
+        Null check ArrayBufferView RefPtr
+        https://bugs.webkit.org/show_bug.cgi?id=221569
+
+        Reviewed by Yusuke Suzuki.
+
+        Add test to verify oom situation does not result in a crash.
+
+        * crypto/crypto-random-values-oom-expected.txt: Added.
+        * crypto/crypto-random-values-oom.html: Added.
+
 2021-02-23  Sam Weinig  <wei...@apple.com>
 
         Fix model test differences between platforms

Added: trunk/LayoutTests/crypto/crypto-random-values-oom-expected.txt (0 => 273373)


--- trunk/LayoutTests/crypto/crypto-random-values-oom-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/crypto/crypto-random-values-oom-expected.txt	2021-02-24 08:05:43 UTC (rev 273373)
@@ -0,0 +1,11 @@
+Test crypto.getRandomValues behavior in oom situation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS exceptionString == undefined || exceptionString === "TypeError: Argument 1 ('array') to Crypto.getRandomValues must be an instance of ArrayBufferView" is true
+PASS crypto.getRandomValues didn't crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/crypto/crypto-random-values-oom.html (0 => 273373)


--- trunk/LayoutTests/crypto/crypto-random-values-oom.html	                        (rev 0)
+++ trunk/LayoutTests/crypto/crypto-random-values-oom.html	2021-02-24 08:05:43 UTC (rev 273373)
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<script src=""
+</head>
+<body>
+<script>
+description("Test crypto.getRandomValues behavior in oom situation.")
+
+let exceptionString = undefined;
+
+function useAllMemory() {
+    const a = [0];
+    a.__proto__ = {};
+    Object.defineProperty(a, 0, {get: foo});
+    Object.defineProperty(a, 80000000, {});
+
+    function foo() {
+        new Uint8Array(a);
+    }
+
+    new Promise(foo);
+    try {
+        for (let i = 0; i < 2**32; i++) {
+          new ArrayBuffer(1000);
+        }
+    } catch {
+    }
+}
+
+useAllMemory();
+try {
+    crypto.getRandomValues(new Uint8Array());
+} catch (e) {
+    gc();
+    exceptionString = e.toString();
+}
+gc();
+shouldBeTrue("exceptionString == undefined || exceptionString === \"TypeError: Argument 1 ('array') to Crypto.getRandomValues must be an instance of ArrayBufferView\"");
+testPassed("crypto.getRandomValues didn't crash");
+</script>
+</body>
+</html>
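Review bot: in `useAllMemory()` the `new ArrayBuffer(1000)` results are not retained, so they are collectable and the loop ends only when an allocation throws; if the recursive `new Uint8Array(a)` chain has not already exhausted memory, the loop can run for up to 2**32 iterations without throwing, and when OOM is not reached at all the test still passes through the `exceptionString == undefined` branch, so a pass does not show that the null path in `unsharedImpl()` was exercised. Suggest keeping the buffers alive until after `crypto.getRandomValues(...)` runs (for example `const keep = []; ... keep.push(new ArrayBuffer(1000));`) and saying in the description that this is a crash-regression test. Two smaller points: `gc()` is a test-runner global, so the file only runs under the WebKit test harness; and the harness include on the `<script src=""` line shows an empty `src` and no closing `</script>` in this rendering, which would leave `description`, `shouldBeTrue` and `testPassed` undefined if that is what is checked in.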

Modified: trunk/Source/_javascript_Core/ChangeLog (273372 => 273373)


--- trunk/Source/_javascript_Core/ChangeLog	2021-02-24 05:34:19 UTC (rev 273372)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-02-24 08:05:43 UTC (rev 273373)
@@ -1,3 +1,15 @@
+2021-02-24  Rob Buis  <rb...@igalia.com>
+
+        Null check ArrayBufferView RefPtr
+        https://bugs.webkit.org/show_bug.cgi?id=221569
+
+        Reviewed by Yusuke Suzuki.
+
+        Null check ArrayBufferView RefPtr before using it.
+
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::unsharedImpl):
+
 2021-02-23  Michael Saboff  <msab...@apple.com>
 
         [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();

Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h (273372 => 273373)


--- trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h	2021-02-24 05:34:19 UTC (rev 273372)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h	2021-02-24 08:05:43 UTC (rev 273373)
@@ -76,7 +76,7 @@
 inline RefPtr<ArrayBufferView> JSArrayBufferView::unsharedImpl()
 {
     RefPtr<ArrayBufferView> result = possiblySharedImpl();
-    RELEASE_ASSERT(!result->isShared());
+    RELEASE_ASSERT(!result || !result->isShared());
     return result;
 }
 
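Review bot: the assertion now tolerates a null `result`, but `unsharedImpl()` still returns that null to its callers, and nothing in this hunk documents that the return value can be null, so the crash moves from this `RELEASE_ASSERT` to the first caller that writes `unsharedImpl()->...` without a check. Suggest a comment on the function stating that a null return means the backing view could not be allocated (the OOM case the new layout test targets) and an audit of existing `unsharedImpl()` callers for unchecked dereferences. Because `!result || !result->isShared()` short-circuits, a shared buffer still trips the `RELEASE_ASSERT` exactly as before, so the shared-buffer invariant is unchanged.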
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
