Bug 154340

Summary: StringPrototype functions should check for exceptions after calling JSString::value().
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Reporter: Mark Lam <mark.lam>
Assignee: Mark Lam <mark.lam>
CC: benjamin, fpizlo, ggaren, keith_miller, msaboff, saam, webkit-bug-importer, ysuzuki
Keywords: InRadar

Mark Lam
Reported 2016-02-17 10:15:30 PST
JSString::value() can throw an exception if the JS string is a rope and value() needs to resolve the rope but encounters an OutOfMemory error. If value() is not able to resolve the rope, it will return a null string (in addition to throwing the exception). If StringPrototype functions do not check for exceptions after calling JSString::value(), they may eventually use the returned null string and crash the VM. The fix is to add all the necessary exception checks, and do the appropriate handling if needed.
Attachments
proposed patch. (13.18 KB, patch)
2016-02-17 11:30 PST, Mark Lam
fpizlo: review+
Mark Lam
Comment 1 2016-02-17 10:16:39 PST
Mark Lam
Comment 2 2016-02-17 11:30:32 PST
Created attachment 271568: proposed patch.
Mark Lam
Comment 3 2016-02-17 14:04:51 PST
Thanks for the review. Landed in r196721: <http://trac.webkit.org/r196721>.
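
The failure mode described in the report, as an added example that is not WebKit code or part of the original bug: a simplified model in which `value()` sets a pending exception and returns a null handle when the rope cannot be resolved. `VM`, `RopeString`, `StringHandle`, the `heapBudget` field and both `charAt*` functions are hypothetical names, and the memory limit is simulated.

```cpp
// Added illustration: a simplified model, not JavaScriptCore source.
// VM, RopeString, StringHandle and charAt* are hypothetical names.
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct VM { size_t heapBudget; bool exceptionPending; };
using StringHandle = std::shared_ptr<const std::string>; // may be null

struct RopeString {
    std::vector<std::string> fibers; // unresolved pieces of the rope
    StringHandle resolved;           // cached flat string, null until resolved
    // Contract from the report: on out-of-memory, throw AND return null.
    StringHandle value(VM& vm) {
        if (resolved) return resolved;
        size_t total = 0;
        for (const auto& f : fibers) total += f.size();
        if (total > vm.heapBudget) { vm.exceptionPending = true; return nullptr; }
        std::string flat;
        for (const auto& f : fibers) flat += f;
        vm.heapBudget -= total;
        resolved = std::make_shared<const std::string>(std::move(flat));
        return resolved;
    }
};

// Unchecked caller: dereferences the null handle when resolution failed.
bool charAtUnchecked(VM& vm, RopeString& s, size_t i, char& out) {
    StringHandle str = s.value(vm);
    if (i >= str->size()) return false; // null dereference on OOM
    out = (*str)[i];
    return true;
}

// Checked caller: tests for the pending exception before touching the result.
bool charAtChecked(VM& vm, RopeString& s, size_t i, char& out) {
    StringHandle str = s.value(vm);
    if (vm.exceptionPending) return false; // propagate, never use str
    if (i >= str->size()) return false;
    out = (*str)[i];
    return true;
}

int main() {
    VM vm{4, false}; // constructed budget, too small for the 8-byte rope
    RopeString big{{"0123", "4567"}, nullptr};
    char c = '?';
    return charAtChecked(vm, big, 0, c) ? 1 : 0; // 0: exception reported, no crash
}
```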