Handle more JSON stringify OOM
author: jfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Apr 2018 23:18:23 +0000 (23:18 +0000)
committer: jfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Apr 2018 23:18:23 +0000 (23:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184846
<rdar://problem/39390672>

Reviewed by Mark Lam.

JSTests:

* stress/json-stringified-overflow-2.js: Added. Same as the one
below, but with a bigger input which will trigger a different code
path.
(catch):
* stress/json-stringified-overflow.js: Modify the test to only
catch OOM on stringification, not on string creation.

Source/WTF:

JSON stringification can OOM easily. Here's another case.

* wtf/text/StringBuilderJSON.cpp:
(WTF::StringBuilder::appendQuotedJSONString):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230863 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/json-stringified-overflow-2.js [new file with mode: 0644]
JSTests/stress/json-stringified-overflow.js
Source/WTF/ChangeLog
Source/WTF/wtf/text/StringBuilderJSON.cpp

index 83147aa..7bb1e06 100644 (file)
@@ -1,3 +1,18 @@
+2018-04-20  JF Bastien  <jfbastien@apple.com>
+
+        Handle more JSON stringify OOM
+        https://bugs.webkit.org/show_bug.cgi?id=184846
+        <rdar://problem/39390672>
+
+        Reviewed by Mark Lam.
+
+        * stress/json-stringified-overflow-2.js: Added. Same as the one
+        below, but with a bigger input which will trigger a different code
+        path.
+        (catch):
+        * stress/json-stringified-overflow.js: Modify the test to only
+        catch OOM on stringification. not on string creation.
+
 2018-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [WebAssembly][Modules] Import tables in wasm modules
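Review bot: the entry for json-stringified-overflow.js reads "only catch OOM on stringification. not on string creation", where the full stop should be a comma, and the `(catch):` line under json-stringified-overflow-2.js is prepare-ChangeLog picking up the `catch` keyword as a function name and should be dropped. It would also help to say which code path the bigger input is meant to reach (the new early return in WTF::StringBuilder::appendQuotedJSONString) instead of "a different code path", so a reader can tell which test exercises which check without reading the source diff.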
diff --git a/JSTests/stress/json-stringified-overflow-2.js b/JSTests/stress/json-stringified-overflow-2.js
new file mode 100644 (file)
index 0000000..506e0c0
--- /dev/null
@@ -0,0 +1,5 @@
+//@ skip if $memoryLimited
+const s = "a".padStart(0x80000000 - 1);
+try {
+    JSON.stringify(s);
+} catch (e) {}
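Review bot: `catch (e) {}` swallows every exception, so this test only proves that stringifying a 0x7fffffff-character string does not crash; it passes whether JSON.stringify throws an out-of-memory error, throws something unrelated, or succeeds. If the expectation is that stringification fails, inspect the caught error (at least rethrow anything that is not an Error carrying the expected out-of-memory message) rather than discarding it, and if success is also acceptable on machines with enough memory, say so in a comment. Keeping `const s = "a".padStart(0x80000000 - 1);` outside the try is right: a failure to build the input then surfaces as a test failure instead of being masked, and `//@ skip if $memoryLimited` is what keeps that from firing on small-memory bots.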
index 1b17a37..a6d17c0 100644 (file)
@@ -1,4 +1,5 @@
 //@ skip if $memoryLimited
+const s = "123".padStart(1073741823);
 try {
-      JSON.stringify("123".padStart(1073741823))
+    JSON.stringify(s);
 } catch (e) {}
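Review bot: the only behavioural change here is hoisting the 1073741823-character `padStart` out of the try block, so a failure while building the input is no longer caught, which matches the ChangeLog intent; but the remaining `catch (e) {}` still discards whatever JSON.stringify throws, so this test, like the new one, cannot tell an out-of-memory error from any other exception. Checking the caught error instead of ignoring it would make the test assert more than "does not crash". The re-indentation from six spaces to four is fine.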
index e9499d1..15c00e8 100644 (file)
@@ -1,3 +1,16 @@
+2018-04-20  JF Bastien  <jfbastien@apple.com>
+
+        Handle more JSON stringify OOM
+        https://bugs.webkit.org/show_bug.cgi?id=184846
+        <rdar://problem/39390672>
+
+        Reviewed by Mark Lam.
+
+        JSON stringification can OOM easily. Here's another case.
+
+        * wtf/text/StringBuilderJSON.cpp:
+        (WTF::StringBuilder::appendQuotedJSONString):
+
 2018-04-18  Jer Noble  <jer.noble@apple.com>
 
         Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
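Review bot: "Here's another case" does not say which case, and the entry for (WTF::StringBuilder::appendQuotedJSONString) carries no description of the change. State what was added (an early `return false` once the computed allocation size reaches 0x80000000) and which input reaches it (the 0x7fffffff-character string in json-stringified-overflow-2.js), so the ChangeLog can be matched to the test without reading the diff.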
index a0ebd62..226295e 100644 (file)
@@ -91,6 +91,10 @@ bool StringBuilder::appendQuotedJSONString(const String& string)
     // https://bugs.webkit.org/show_bug.cgi?id=176086
     allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
 
+    // Allocating this much will definitely fail.
+    if (allocationSize >= 0x80000000)
+        return false;
+
     if (is8Bit() && !string.is8Bit())
         allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
     else
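Review bot: the comment "Allocating this much will definitely fail." gives the wrong reason, and `0x80000000` should not be a bare magic number. A 2 GiB allocation is not guaranteed to fail; what the early return actually enforces is presumably that a string of 2^31 or more characters cannot be represented, so the comment should say that and the bound should be written with the named length limit it mirrors (StringImpl::MaxLength, if that is the limit intended), so the two cannot drift apart. Placing the check after the `roundUpToPowerOfTwo` step is correct: if `allocationSize` is a 32-bit unsigned value, as StringBuilder lengths are, a value above 0x80000000 makes the round-up wrap to 0, `std::max` then keeps the original value, and this check still rejects it. Two follow-ups before landing: confirm every caller of appendQuotedJSONString treats `false` as an out-of-memory condition and stops rather than continuing with a partially built buffer, and note in the comment that the bound is in characters, since on the `allocateBufferUpConvert` path below the byte count is twice the character count.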