2011-06-08 Mikołaj Małecki <m.malecki@samsung.com>
author loislo@chromium.org <loislo@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Jun 2011 12:42:40 +0000 (12:42 +0000)
committer loislo@chromium.org <loislo@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Jun 2011 12:42:40 +0000 (12:42 +0000)
        Reviewed by Pavel Feldman.

        Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
        https://bugs.webkit.org/show_bug.cgi?id=52791

        No new tests. The problem can be reproduced by trying to create InspectorValue
        from 1.0e-100 and call ->toJSONString() on this.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        export 2 functions DecimalNumber::bufferLengthForStringExponential and
        DecimalNumber::toStringExponential.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@88444 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.exp
Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def
Source/WebCore/ChangeLog
Source/WebCore/inspector/InspectorValues.cpp
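
The commit message describes the failure (the plain decimal form of 1.0e-100 is "0." followed by 99 zeros and a digit, 102 characters, more than the fixed-size NumberToStringBuffer holds) and the fix (predict the length first, fall back to exponential form). The C++ below is an added example, not WebKit's code: it assumes 96 for WTF::NumberToStringBufferLength, replaces WTF's dtoa with a printf-based shortest-digits search, approximates DecimalNumber's length formulas, and writes null rather than "NaN" as the last resort so the output stays valid JSON.

```cpp
#include <cmath>
#include <cstdio>
#include <string>
// Assumed stand-in for WTF::NumberToStringBufferLength (wtf/dtoa.h); 96 is an assumption.
const unsigned kBufferLength = 96;
struct Decimal { bool negative; std::string digits; int exponent; };  // d0.d1d2.. x 10^exponent

// Shortest round-tripping digits via increasing %e precision (a stand-in for WTF's dtoa).
Decimal decompose(double v) {
    char buf[40];
    int prec = 0;
    do std::snprintf(buf, sizeof buf, "%.*e", prec, std::fabs(v));
    while (std::stod(buf) != std::fabs(v) && ++prec < 17);
    std::string s(buf);
    size_t e = s.find('e');
    Decimal d{std::signbit(v), "", std::stoi(s.substr(e + 1))};
    for (size_t i = 0; i < e; ++i) if (s[i] != '.') d.digits += s[i];
    return d;
}
// Sizes predicted before anything is written: the check the pre-patch code lacked.
unsigned bufferLengthForStringDecimal(const Decimal& d) {
    int n = d.digits.size();
    if (d.exponent < 0) return d.negative + 2 + (-d.exponent - 1) + n;  // "0." + zeros + digits
    if (d.exponent >= n - 1) return d.negative + d.exponent + 1;         // integer, zero padded
    return d.negative + n + 1;                                           // point inside the digits
}
unsigned bufferLengthForStringExponential(const Decimal& d) {
    int n = d.digits.size();  // sign, digits, optional point, 'e', exponent sign, exponent digits
    return d.negative + n + (n > 1) + 2 + std::to_string(d.exponent < 0 ? -d.exponent : d.exponent).size();
}
std::string formatDecimal(const Decimal& d) {
    std::string s = d.negative ? "-" : "";
    int n = d.digits.size();
    if (d.exponent < 0) return s + "0." + std::string(-d.exponent - 1, '0') + d.digits;
    if (d.exponent >= n - 1) return s + d.digits + std::string(d.exponent - n + 1, '0');
    return s + d.digits.substr(0, d.exponent + 1) + "." + d.digits.substr(d.exponent + 1);
}
std::string formatExponential(const Decimal& d) {
    std::string s = (d.negative ? "-" : "") + d.digits.substr(0, 1);
    if (d.digits.size() > 1) s += "." + d.digits.substr(1);
    return s + "e" + (d.exponent < 0 ? "-" : "+") + std::to_string(d.exponent < 0 ? -d.exponent : d.exponent);
}
// The patched decision order, with "null" (valid JSON) instead of "NaN" as the last resort.
std::string writeJSONNumber(double v) {
    if (!std::isfinite(v)) return "null";  // JSON has no NaN/Infinity literal either
    Decimal d = decompose(v);
    if (bufferLengthForStringDecimal(d) <= kBufferLength) return formatDecimal(d);
    if (bufferLengthForStringExponential(d) <= kBufferLength) return formatExponential(d);
    return "null";
}
```

With the assumed 96-character cap the "null" branch is unreachable for finite doubles, which is the "abnormal case" the ChangeLog refers to.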

index 53e51765f763e0ae11c659a9686568be7de979b6..920ad2142583fa922aa2cb31c277c1b02c21a92c 100644 (file)
@@ -1,3 +1,18 @@
+2011-06-08  Mikołaj Małecki  <m.malecki@samsung.com>
+
+        Reviewed by Pavel Feldman.
+
+        Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+        https://bugs.webkit.org/show_bug.cgi?id=52791
+
+        No new tests. The problem can be reproduced by trying to create InspectorValue
+        from 1.0e-100 and call ->toJSONString() on this.
+
+        * JavaScriptCore.exp:
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+        export 2 functions DecimalNumber::bufferLengthForStringExponential and
+        DecimalNumber::toStringExponential.
+
 2011-06-08  Sheriff Bot  <webkit.review.bot@gmail.com>
 
         Unreviewed, rolling out r88404.
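Review bot: The "Web Inspector:" title line repeats the word "crash" ("Crash by buffer overrun crash when serializing ..."); one of them should go. The entry should also say why the two DecimalNumber symbols are being exported, namely that WebCore's inspector/InspectorValues.cpp now calls bufferLengthForStringExponential() and toStringExponential(); a reader of the JavaScriptCore ChangeLog alone cannot tell what the new .exp and .def entries serve.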
index 284a14b033e782eca9a1e9c61076d599fd74cdc7..ff1f3e03ad7e4b74ee1902f878cdb7389a3ff435 100644 (file)
@@ -572,7 +572,9 @@ __ZNK3JSC9HashTable11createTableEPNS_12JSGlobalDataE
 __ZNK3JSC9HashTable11deleteTableEv
 __ZNK3WTF12AtomicString5lowerEv
 __ZNK3WTF13DecimalNumber15toStringDecimalEPtj
+__ZNK3WTF13DecimalNumber19toStringExponentialEPtj
 __ZNK3WTF13DecimalNumber28bufferLengthForStringDecimalEv
+__ZNK3WTF13DecimalNumber32bufferLengthForStringExponentialEv
 __ZNK3WTF6String11toIntStrictEPbi
 __ZNK3WTF6String12toUIntStrictEPbi
 __ZNK3WTF6String13toInt64StrictEPbi
index 95e48bf6ad84a30b18b284619ae9a943b6642888..6e2dd3c2cad27c7bc291ff5c7dbf05c26d70a7b9 100644 (file)
@@ -65,6 +65,7 @@ EXPORTS
     ?attach@Debugger@JSC@@QAEXPAVJSGlobalObject@2@@Z
     ?broadcast@ThreadCondition@WTF@@QAEXXZ
     ?bufferLengthForStringDecimal@DecimalNumber@WTF@@QBEIXZ
+    ?bufferLengthForStringExponential@DecimalNumber@WTF@@QBEIXZ
     ?byteCompile@Yarr@JSC@@YA?AV?$PassOwnPtr@UBytecodePattern@Yarr@JSC@@@WTF@@AAUYarrPattern@12@PAVBumpPointerAllocator@4@@Z
     ?byteSize@SourceProviderCache@JSC@@QBEIXZ
     ?calculateDSTOffset@WTF@@YANNN@Z
@@ -349,6 +350,7 @@ EXPORTS
     ?toString@JSObject@JSC@@UBE?AVUString@2@PAVExecState@2@@Z
     ?toString@JSString@JSC@@EBE?AVUString@2@PAVExecState@2@@Z
     ?toStringDecimal@DecimalNumber@WTF@@QBEIPA_WI@Z
+    ?toStringExponential@DecimalNumber@WTF@@QBEIPA_WI@Z
     ?toThisObject@JSCell@JSC@@UBEPAVJSObject@2@PAVExecState@2@@Z
     ?toThisObject@JSObject@JSC@@UBEPAV12@PAVExecState@2@@Z
     ?toThisObject@JSString@JSC@@EBEPAVJSObject@2@PAVExecState@2@@Z
index 78ed8430f0bf1a88e39d6a1b394d62a56394e85b..0eff9ae6eca437aa039fa37db6ab931714019217 100644 (file)
@@ -1,3 +1,18 @@
+2011-06-08  Mikołaj Małecki  <m.malecki@samsung.com>
+
+        Reviewed by Pavel Feldman.
+
+        Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
+        https://bugs.webkit.org/show_bug.cgi?id=52791
+
+        No new tests. The problem can be reproduced by trying to create InspectorValue
+        from 1.0e-100 and call ->toJSONString() on this.
+
+        * inspector/InspectorValues.cpp:
+        (WebCore::InspectorBasicValue::writeJSON):
+        Added checking the predicted buffer size and choosing exponential format, or
+        eventually "NaN" if the buffer is too small for decimal format.
+
 2011-06-09  Sheriff Bot  <webkit.review.bot@gmail.com>
 
         Unreviewed, rolling out r88387.
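Review bot: "No new tests" sits oddly next to a one-line reproduction (an InspectorValue built from 1.0e-100, then toJSONString()); a regression test serializing that value and checking the exponential output would keep the new branch in writeJSON covered. The description also says the fallback writes "NaN", which is not a JSON token, so either the entry should state that this output will not parse as JSON or the fallback should be a valid value such as null.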
index 09d1258bf9ecd43bd317850e62fc7ed056b5ddff..c80de510d039117c8e4a1071ef9cc23a65f8e0d3 100644 (file)
@@ -620,7 +620,18 @@ void InspectorBasicValue::writeJSON(Vector<UChar>* output) const
             output->append(falseString, 5);
     } else if (type() == TypeNumber) {
         NumberToStringBuffer buffer;
-        unsigned length = DecimalNumber(m_doubleValue).toStringDecimal(buffer, WTF::NumberToStringBufferLength);
+        DecimalNumber decimal = m_doubleValue;
+        unsigned length = 0;
+        if (decimal.bufferLengthForStringDecimal() > WTF::NumberToStringBufferLength) {
+            // Not enough room for decimal. Use exponential format.
+            if (decimal.bufferLengthForStringExponential() > WTF::NumberToStringBufferLength) {
+                // Fallback for an abnormal case if it's too little even for exponential.
+                output->append("NaN", 3);
+                return;
+            }
+            length = decimal.toStringExponential(buffer, WTF::NumberToStringBufferLength);
+        } else
+            length = decimal.toStringDecimal(buffer, WTF::NumberToStringBufferLength);
         output->append(buffer, length);
     }
 }
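Review bot: The fallback `output->append("NaN", 3)` emits a token JSON does not define, so a strict parser on the receiving side rejects the whole serialized tree; `null` (or the quoted string "NaN") would keep the document well-formed. No finite double needs more than about two dozen characters in exponential form (sign, 17 digits, point, 'e', exponent sign, three exponent digits), so with any realistic WTF::NumberToStringBufferLength this branch cannot be hit, which argues for an ASSERT_NOT_REACHED() next to whatever is written rather than silently mis-serializing. Two smaller points: `DecimalNumber decimal = m_doubleValue;` relies on an implicit conversion where the removed line used `DecimalNumber(m_doubleValue)` explicitly, and per WebKit style the trailing `} else` branch should get braces because the `if` branch it pairs with has them.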