Title: [286462] trunk
Revision: 286462
Author: sbar...@apple.com
Date: 2021-12-02 16:12:52 -0800 (Thu, 02 Dec 2021)

Log Message

Fix OOM crash in JSValue::toWTFStringForConsole
https://bugs.webkit.org/show_bug.cgi?id=233775
<rdar://85259423>

Reviewed by Mark Lam.

JSTests:

* stress/pretty-print-oom.js: Added.

Source/JavaScriptCore:

* runtime/JSCJSValue.cpp:
(JSC::JSValue::toWTFStringForConsole const):

Diff

Modified: trunk/JSTests/ChangeLog (286461 => 286462)


--- trunk/JSTests/ChangeLog	2021-12-02 23:49:57 UTC (rev 286461)
+++ trunk/JSTests/ChangeLog	2021-12-03 00:12:52 UTC (rev 286462)
@@ -1,3 +1,13 @@
+2021-12-02  Saam Barati  <sbar...@apple.com>
+
+        Fix OOM crash in JSValue::toWTFStringForConsole
+        https://bugs.webkit.org/show_bug.cgi?id=233775
+        <rdar://85259423>
+
+        Reviewed by Mark Lam.
+
+        * stress/pretty-print-oom.js: Added.
+
 2021-11-30  Saam Barati  <sbar...@apple.com>
 
         GetMyArgumentByValOutOfBounds needs to check for negative indices

Added: trunk/JSTests/stress/pretty-print-oom.js (0 => 286462)


--- trunk/JSTests/stress/pretty-print-oom.js	                        (rev 0)
+++ trunk/JSTests/stress/pretty-print-oom.js	2021-12-03 00:12:52 UTC (rev 286462)
@@ -0,0 +1,4 @@
+//@ skip if $memoryLimited
+//@ runNoisyTestDefault
+
+prettyPrint('a'.repeat(2 ** 31 - 1));
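Review bot: The test only exercises the isString() path and asserts nothing about the outcome: `prettyPrint('a'.repeat(2 ** 31 - 1));` passes as long as the process does not crash. The same commit also changes the JSArray branch, so add a second call that passes an array whose string form is similarly long, and state the expected result (returned value or thrown error) so that a later change in behaviour, not only a crash, is caught.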

Modified: trunk/Source/JavaScriptCore/ChangeLog (286461 => 286462)


--- trunk/Source/_javascript_Core/ChangeLog	2021-12-02 23:49:57 UTC (rev 286461)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-03 00:12:52 UTC (rev 286462)
@@ -1,3 +1,14 @@
+2021-12-02  Saam Barati  <sbar...@apple.com>
+
+        Fix OOM crash in JSValue::toWTFStringForConsole
+        https://bugs.webkit.org/show_bug.cgi?id=233775
+        <rdar://85259423>
+
+        Reviewed by Mark Lam.
+
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::toWTFStringForConsole const):
+
 2021-12-02  Zan Dobersek  <zdober...@igalia.com>
 
         [RISCV64] Fix effective address loading for LabelReferences with offsets
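Review bot: The entry for `(JSC::JSValue::toWTFStringForConsole const):` has no description after the colon. Add a sentence saying what was changed in the function and why, and what it returns when the allocation fails, so the ChangeLog explains the fix without the reader opening the diff.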

Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp (286461 => 286462)


--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2021-12-02 23:49:57 UTC (rev 286461)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2021-12-03 00:12:52 UTC (rev 286462)
@@ -474,9 +474,9 @@
     String result = string->value(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
     if (isString())
-        return makeString("\"", result, "\"");
+        return tryMakeString("\"", result, "\"");
     if (jsDynamicCast<JSArray*>(vm, *this))
-        return makeString("[", result, "]");
+        return tryMakeString("[", result, "]");
     return result;
 }
 
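Review bot: The result of tryMakeString is returned directly in both the isString() and JSArray branches, with no null check. If the concatenation fails, the caller receives whatever tryMakeString yields on failure with no exception pending on scope, unlike the `string->value(globalObject)` failure just above, which goes through `RETURN_IF_EXCEPTION(scope, { });`. Consider storing the result and, when it is null, either throwing an out-of-memory error on scope before returning or adding a comment that a null String is the intended console output for this case.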