Changeset 19178 in webkit for trunk/JavaScriptCore

Timestamp:

Jan 26, 2007, 6:31:28 PM (18 years ago)

Author:

aliceli1

Message:

JavaScriptCore:

Reviewed by Maciej.

Fix for Repeated string concatenation results in OOM crash
​http://bugs.webkit.org/show_bug.cgi?id=11131

• kjs/operations.cpp: (KJS::add): Throw exception if string addition result is null
• kjs/ustring.cpp: (KJS::UString::UString): Don't call memcpy when malloc failed

LayoutTests:

Reviewed by Maciej.

Test for "Repeated string concatenation results in OOM crash"
​http://bugs.webkit.org/show_bug.cgi?id=11131

• fast/js/resources/string-concatenate-outofmemory.js: Added.
• fast/js/string-concatenate-outofmemory-expected.txt: Added.
• fast/js/string-concatenate-outofmemory.html: Added.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• kjs/operations.cpp (modified) (1 diff)
• kjs/ustring.cpp (modified) (2 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-01-27  Andrew Wellington  <[email protected]>
+
+        Reviewed by Maciej.
+        
+        Fix for Repeated string concatenation results in OOM crash
+        http://bugs.webkit.org/show_bug.cgi?id=11131
+
+        * kjs/operations.cpp:
+        (KJS::add): Throw exception if string addition result is null
+        * kjs/ustring.cpp:
+        (KJS::UString::UString): Don't call memcpy when malloc failed
+
 2007-01-25  Jan Kraemer  <[email protected]>
 

trunk/JavaScriptCore/kjs/operations.cpp

@@ -225 +225 @@
     JSValue *p2 = v2->toPrimitive(exec, preferred);
     
-    if ((p1->isString() || p2->isString()) && oper == '+')
-        return jsString(p1->toString(exec) + p2->toString(exec));
+    if ((p1->isString() || p2->isString()) && oper == '+') {
+        UString value = p1->toString(exec) + p2->toString(exec);
+        if (value.isNull()) {
+            JSObject *error = Error::create(exec, GeneralError, "Out of memory");
+            exec->setException(error);
+            return error;
+        } else
+            return jsString(value);
+    }
     
     if (oper == '+')

trunk/JavaScriptCore/kjs/ustring.cpp

@@ -434 +434 @@
     UString x(a);
     x.expandCapacity(aOffset + length);
-    memcpy(const_cast<UChar *>(a.data() + aSize), b.data(), bSize * sizeof(UChar));
-    m_rep = Rep::create(a.m_rep, 0, length);
+    if (a.data()) {
+        memcpy(const_cast<UChar *>(a.data() + aSize), b.data(), bSize * sizeof(UChar));
+        m_rep = Rep::create(a.m_rep, 0, length);
+    } else
+        m_rep = &Rep::null;
   } else if (-bOffset == b.usedPreCapacity() && 4 * bSize >= aSize) {
     // - b reaches the beginning of its buffer so it qualifies for shared prepend
@@ -442 +445 @@
     UString y(b);
     y.expandPreCapacity(-bOffset + aSize);
-    memcpy(const_cast<UChar *>(b.data() - aSize), a.data(), aSize * sizeof(UChar));
-    m_rep = Rep::create(b.m_rep, -aSize, length);
+    if (b.data()) {
+        memcpy(const_cast<UChar *>(b.data() - aSize), a.data(), aSize * sizeof(UChar));
+        m_rep = Rep::create(b.m_rep, -aSize, length);
+    } else
+        m_rep = &Rep::null;
   } else {
     // a does not qualify for append, and b does not qualify for prepend, gotta make a whole new string
     int newCapacity = expandedSize(length, 0);
     UChar *d = static_cast<UChar *>(fastMalloc(sizeof(UChar) * newCapacity));
-    memcpy(d, a.data(), aSize * sizeof(UChar));
-    memcpy(d + aSize, b.data(), bSize * sizeof(UChar));
-    m_rep = Rep::create(d, length);
-    m_rep->capacity = newCapacity;
+    if (d) {
+        memcpy(d, a.data(), aSize * sizeof(UChar));
+        memcpy(d + aSize, b.data(), bSize * sizeof(UChar));
+        m_rep = Rep::create(d, length);
+        m_rep->capacity = newCapacity;
+    } else
+        m_rep = &Rep::null;
   }
 }