Context Navigation

JSString.h

Timestamp:

Oct 26, 2017, 3:36:04 PM (8 years ago)

Author:

Message:

JSRopeString::RopeBuilder::append() should check for overflows.
https://bugs.webkit.org/show_bug.cgi?id=178385
<rdar://problem/35027468>

Reviewed by Saam Barati.

JSTests:

Source/JavaScriptCore:

(JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
(JSC::JSRopeString::RopeBuilder::expand): Deleted.

(JSC::objectProtoFuncToString):

(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):

Source/WTF:

File:

-              r222473
+              r224055
 #include "ThrowScope.h"
 #include <array>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/text/StringView.h>
 …
 public:
+    class RopeBuilder {
+    template <class OverflowHandler = CrashOnOverflow>
+    class RopeBuilder : public OverflowHandler {
     public:
         RopeBuilder(VM& vm)
 …
         bool append(JSString* jsString)
+        {
+            if (UNLIKELY(this->hasOverflowed()))
+                return false;
             if (m_index == JSRopeString::s_maxInternalRopeLength)
                 expand();
             if (static_cast<int32_t>(m_jsString->length() + jsString->length()) < 0) {
                 m_jsString = nullptr;
+                this->overflowed();
                 return false;
+            }
 …
         JSRopeString* release()
+        {
             RELEASE_ASSERT(m_jsString);
+            RELEASE_ASSERT(!this->hasOverflowed());
             JSRopeString* tmp = m_jsString;
             m_jsString = 0;
+            m_jsString = nullptr;
             return tmp;
+        }
+        unsigned length() const { return m_jsString->length(); }
+        unsigned length() const
+        {
+            ASSERT(!this->hasOverflowed());
+            return m_jsString->length();
+        }
     private:

Note: See TracChangeset for help on using the changeset viewer.