Bug 154340

Summary: StringPrototype functions should check for exceptions after calling JSString::value().
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Severity: Normal CC: benjamin, fpizlo, ggaren, keith_miller, msaboff, sbarati, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Description Flags
proposed patch. fpizlo: review+

Description Mark Lam 2016-02-17 10:15:30 PST
JSString::value() can throw an exception if the JS string is a rope and value() needs to resolve the rope but encounters an OutOfMemory error.  If value() is not able to resolve the rope, it will return a null string (in addition to throwing the exception).  If StringPrototype functions do not check for exceptions after calling JSString::value(), they may eventually use the returned null string and crash the VM.

The fix is to add all the necessary exception checks, and do the appropriate handling if needed.
Comment 1 Mark Lam 2016-02-17 10:16:39 PST
Comment 2 Mark Lam 2016-02-17 11:30:32 PST
Created attachment 271568 [details]
proposed patch.
Comment 3 Mark Lam 2016-02-17 14:04:51 PST
Thanks for the review.  Landed in r196721: <http://trac.webkit.org/r196721>.