Bug 154340

Summary: StringPrototype functions should check for exceptions after calling JSString::value().
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, keith_miller, msaboff, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description: proposed patch. Flags: fpizlo: review+

Description Mark Lam 2016-02-17 10:15:30 PST
JSString::value() can throw an exception if the JS string is a rope and value() needs to resolve the rope but encounters an OutOfMemory error.  If value() is not able to resolve the rope, it will return a null string (in addition to throwing the exception).  If StringPrototype functions do not check for exceptions after calling JSString::value(), they may eventually use the returned null string and crash the VM.

The fix is to add all the necessary exception checks, and do the appropriate handling if needed.
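The pattern the description asks for, as an added example that is not part of the bug report or of WebKit's code: a constructed stand-in for JSString, WTF::String and ExecState in which resolving a rope can fail with OutOfMemory and hand back a null String, beside a StringPrototype-style function before and after the fix. The names (value(), hadException(), throwOutOfMemoryError(), indexOfChecked, runWithBudget) and the byte budget are this example's own assumptions chosen to echo JSC; the structures are simplifications, not JavaScriptCore's.

```cpp
#include <cstddef>
#include <memory>
#include <string>

// Constructed stand-in for WTF::String: a null String has no backing storage,
// so touching its characters is the VM crash the bug describes.
struct String {
    std::shared_ptr<std::string> impl;
    bool isNull() const { return !impl; }
    const std::string& chars() const { return *impl; }  // null deref on a null String
};

// Constructed stand-in for ExecState: the pending exception plus a fake
// allocation budget so OutOfMemory can be triggered deterministically.
struct ExecState {
    size_t bytesAvailable;
    bool pendingException = false;
    std::string exceptionMessage;
    explicit ExecState(size_t budget) : bytesAvailable(budget) {}
    bool hadException() const { return pendingException; }
    void throwOutOfMemoryError() { pendingException = true; exceptionMessage = "Out of memory"; }
};

// Constructed stand-in for JSString: either already flat, or a rope of two children.
struct JSString {
    String flat;               // non-null once resolved
    JSString* left = nullptr;  // both set while this is an unresolved rope
    JSString* right = nullptr;
    size_t length = 0;

    static JSString fromLiteral(const std::string& s) {
        JSString js;
        js.flat.impl = std::make_shared<std::string>(s);
        js.length = s.size();
        return js;
    }
    static JSString rope(JSString& l, JSString& r) {
        JSString js;
        js.left = &l;
        js.right = &r;
        js.length = l.length + r.length;
        return js;
    }

    // Resolve the rope into a flat buffer. If the buffer does not fit, the
    // exception is recorded on exec and the still-null flat String is returned.
    const String& value(ExecState& exec) {
        if (!left)  // already flat: nothing can fail
            return flat;
        const String& l = left->value(exec);
        if (exec.hadException())
            return flat;
        const String& r = right->value(exec);
        if (exec.hadException())
            return flat;
        if (length > exec.bytesAvailable) {
            exec.throwOutOfMemoryError();
            return flat;  // null String, exception pending
        }
        exec.bytesAvailable -= length;
        flat.impl = std::make_shared<std::string>(l.chars() + r.chars());
        left = right = nullptr;
        return flat;
    }
};

struct IndexOfResult {
    bool threw;  // true: an exception is pending on exec and index is meaningless
    long index;  // -1 when the needle is not found
};

// Pre-fix shape: uses value()'s result without checking for an exception. When rope
// resolution hit OutOfMemory, haystack is a null String and chars() dereferences
// nothing. Kept only for contrast; do not call it with a budget that is too small.
IndexOfResult indexOfUnchecked(ExecState& exec, JSString& thisStr, JSString& search) {
    const String& haystack = thisStr.value(exec);
    const String& needle = search.value(exec);
    size_t pos = haystack.chars().find(needle.chars());
    return { false, pos == std::string::npos ? -1 : (long)pos };
}

// Post-fix shape: check for a pending exception after every value() call and return
// early, so the null String is never touched (the threw flag stands in for JSC
// returning to the caller with the exception still set).
IndexOfResult indexOfChecked(ExecState& exec, JSString& thisStr, JSString& search) {
    const String& haystack = thisStr.value(exec);
    if (exec.hadException())
        return { true, -1 };
    const String& needle = search.value(exec);
    if (exec.hadException())
        return { true, -1 };
    size_t pos = haystack.chars().find(needle.chars());
    return { false, pos == std::string::npos ? -1 : (long)pos };
}

// Constructed scenario: "hello, " + "world" as a rope, searched for "world".
// A 1 KiB budget resolves the 12-byte rope; a 4-byte budget forces OutOfMemory.
IndexOfResult runWithBudget(size_t budget) {
    JSString a = JSString::fromLiteral("hello, ");
    JSString b = JSString::fromLiteral("world");
    JSString joined = JSString::rope(a, b);
    JSString needle = JSString::fromLiteral("world");
    ExecState exec(budget);
    return indexOfChecked(exec, joined, needle);
}
```

runWithBudget(1024) finds the needle at index 7; runWithBudget(4) returns with threw set and the rope still unresolved, which is exactly the state in which the unchecked variant would dereference a null String.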
Comment 1 Mark Lam 2016-02-17 10:16:39 PST
<rdar://problem/24662137>
Comment 2 Mark Lam 2016-02-17 11:30:32 PST
Created attachment 271568 [details]
proposed patch.
Comment 3 Mark Lam 2016-02-17 14:04:51 PST
Thanks for the review.  Landed in r196721: <http://trac.webkit.org/r196721>.