JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 25 Oct 2016 22:19:37 +0000 (22:19 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 25 Oct 2016 22:19:37 +0000 (22:19 +0000)
commit    ef42ee5e3a45194118939f7d2ded585260471cfb
tree      c27cf196c0e510dc171438bfc7e79c7ba862d880
parent    bde5a8f5a18a487bc40d864b7c4ce6cedaa2125f
JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX.
https://bugs.webkit.org/show_bug.cgi?id=163937
<rdar://problem/28642990>

Reviewed by Geoffrey Garen.

JSTests:

* stress/joined-strings-should-not-exceed-max-string-length.js: Added.

Source/JavaScriptCore:

JSStringJoiner::joinedLength() was previously limiting it to UINT_MAX.  This is
inconsistent with other parts of string code which expect a max length of INT_MAX.
This is now fixed.

Also fixed jsMakeNontrivialString() to ensure that the resultant string length
is valid.  It was previously allowing lengths greater than INT_MAX.  This was
caught by the new assertion in JSString::setLength().

There are already pre-existing assertions in various JSString::finishCreation()
which do RELEASE_ASSERTs on the string length.  To be consistent, I'm making the
assertion in JSString::setLength() a RELEASE_ASSERT.  If this proves to be a
performance issue, I'll change this to a debug ASSERT later.

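The following is an added illustration of the length-bounding described in the message above; it is not WebKit's code and does not reproduce JSStringJoiner or JSString. It assumes a cap of INT_MAX (the limit the message names) and uses hypothetical names (kMaxStringLength, joinedLengthWithLimit, checkedJoinedLength). The point it makes concrete: a joined length that is bounded only by UINT_MAX still admits lengths in (INT_MAX, UINT_MAX], which downstream code that asserts length <= INT_MAX will reject, so the bound has to be applied at the point where the joined length is computed, with arithmetic that cannot wrap.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string_view>
#include <vector>

// Assumption: the engine-wide maximum string length is INT_MAX, as the
// commit message states for JSC. This is example code, not WebKit's.
constexpr uint64_t kMaxStringLength = INT_MAX;

// Length of separator.join(pieces) computed from element lengths only,
// bounded by `limit`. Returns nullopt if the result would exceed `limit`.
// Every addition is pre-checked against the remaining headroom, so neither
// a huge element count nor a huge separator can wrap the accumulator.
std::optional<uint32_t> joinedLengthWithLimit(const std::vector<uint64_t>& lengths,
                                              uint64_t separatorLength,
                                              uint64_t limit)
{
    if (lengths.empty())
        return 0;

    // One separator between each adjacent pair of elements.
    uint64_t separators = lengths.size() - 1;
    // separators * separatorLength <= limit, checked without multiplying first.
    if (separatorLength && separators > limit / separatorLength)
        return std::nullopt;
    uint64_t total = separators * separatorLength;

    for (uint64_t len : lengths) {
        // Equivalent to total + len > limit, written so it cannot overflow.
        if (len > limit - total)
            return std::nullopt;
        total += len;
    }
    return static_cast<uint32_t>(total);
}

// The checked variant a joiner should use: bounded by kMaxStringLength.
std::optional<uint32_t> checkedJoinedLength(const std::vector<std::string_view>& pieces,
                                            std::string_view separator)
{
    std::vector<uint64_t> lengths;
    lengths.reserve(pieces.size());
    for (std::string_view piece : pieces)
        lengths.push_back(piece.size());
    return joinedLengthWithLimit(lengths, separator.size(), kMaxStringLength);
}

int main()
{
    // Constructed sample input.
    std::vector<std::string_view> pieces = { "alpha", "beta", "gamma" };
    if (auto n = checkedJoinedLength(pieces, ", "))
        std::printf("joined length: %u\n", *n);  // 18

    // INT_MAX + 1 elements' worth of characters: accepted under a UINT_MAX
    // bound, rejected under the INT_MAX bound the rest of the string code expects.
    std::vector<uint64_t> tooLong = { static_cast<uint64_t>(INT_MAX), 1 };
    std::printf("UINT_MAX bound: %s\n",
                joinedLengthWithLimit(tooLong, 0, UINT_MAX) ? "accepted" : "rejected");
    std::printf("INT_MAX bound:  %s\n",
                joinedLengthWithLimit(tooLong, 0, INT_MAX) ? "accepted" : "rejected");
    return 0;
}
```

The division-based separator check and the subtraction-based headroom check are the two places where a naive `total += len` version would silently wrap; the return type stays 32-bit because every accepted total is at most INT_MAX.
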
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal8NoSubstring):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::resolveRopeInternal16NoSubstring):
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
(JSC::JSString::getStringPropertyDescriptor):
* runtime/JSString.h:
(JSC::JSString::finishCreation):
(JSC::JSString::length):
(JSC::JSString::isValidLength):
(JSC::JSString::toBoolean):
(JSC::JSString::canGetIndex):
(JSC::JSString::setLength):
(JSC::JSString::getStringPropertySlot):
(JSC::JSRopeString::unsafeView):
(JSC::JSRopeString::viewWithUnderlyingString):
* runtime/JSStringBuilder.h:
(JSC::jsMakeNontrivialString):
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::joinedLength):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@207849 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/joined-strings-should-not-exceed-max-string-length.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSString.cpp
Source/JavaScriptCore/runtime/JSString.h
Source/JavaScriptCore/runtime/JSStringBuilder.h
Source/JavaScriptCore/runtime/JSStringJoiner.cpp