Ignore:
Timestamp:
May 1, 2018, 9:01:25 AM (7 years ago)
Author:
[email protected]
Message:

Correctly detect string overflow when using the 'Function' constructor
https://bugs.webkit.org/show_bug.cgi?id=184883
<rdar://problem/36320331>

Reviewed by Filip Pizlo.

JSTests:

I put this regression test in the 'slowMicrobenchmarks' directory because it takes nearly 30s to run, and I am not sure where else to put it.

  • slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.

(catch):

Source/JavaScriptCore:

The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.

I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.

  • runtime/FunctionConstructor.cpp:

(JSC::constructFunctionSkippingEvalEnabledCheck):

  • runtime/JSONObject.cpp:

(JSC::Stringifier::appendStringifiedValue):

Source/WTF:

I added new tryAppend methods alongside the old append methods in StringBuilder, that return a boolean (true means success, false means an overflow happened).
I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.

  • wtf/text/StringBuilder.cpp:

(WTF::StringBuilder::allocateBufferUpConvert):
(WTF::StringBuilder::tryAllocateBufferUpConvert):
(WTF::StringBuilder::appendUninitialized):
(WTF::StringBuilder::append):
(WTF::StringBuilder::tryAppend):

  • wtf/text/StringBuilder.h:

(WTF::StringBuilder::tryAppend):
(WTF::StringBuilder::append):
(WTF::StringBuilder::tryAppendLiteral):

  • wtf/text/StringBuilderJSON.cpp:

(WTF::StringBuilder::appendQuotedJSONString):
(WTF::StringBuilder::tryAppendQuotedJSONString):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

    r230026 r231197  
    358358        const String& string = asString(value)->value(m_exec);
    359359        RETURN_IF_EXCEPTION(scope, StringifyFailed);
    360         if (builder.appendQuotedJSONString(string))
     360        if (builder.tryAppendQuotedJSONString(string))
    361361            return StringifySucceeded;
    362362        throwOutOfMemoryError(m_exec, scope);
Note: See TracChangeset for help on using the changeset viewer.