Bug 196746

Summary: We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
Product: WebKit Reporter: Robin Morisset <rmorisset>
Component: JavaScriptCoreAssignee: Robin Morisset <rmorisset>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ews-watchlist, keith_miller, mark.lam, msaboff, saam, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
ysuzuki: review+
Patch for landing none

Robin Morisset
Reported 2019-04-09 15:02:04 PDT
Currently we correctly do so when toPropertyDescriptor fails, but not when properties->get(exec, propertyNames[i]); does. This can turn an OOM into a crash, because of the check in ~MarkedArgumentBuffer. The fix is a trivial call to markBuffer.overflowCheckNotNeeded() on that path.
Attachments
Patch (3.77 KB, patch)
2019-04-09 15:29 PDT, Robin Morisset 		ysuzuki: review+
DetailsFormatted DiffDiff
Patch for landing (3.76 KB, patch)
2019-04-10 10:47 PDT, Robin Morisset 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Robin Morisset
Comment 1 2019-04-09 15:02:21 PDT
rdar://problem/49555709
Robin Morisset
Comment 2 2019-04-09 15:29:54 PDT
Created attachment 367074 [details] Patch
EWS Watchlist
Comment 3 2019-04-09 15:31:32 PDT
Attachment 367074 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:8: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: buffer overflow [changelog/unwantedsecurityterms] [3] ERROR: Source/JavaScriptCore/runtime/ObjectConstructor.cpp:614: Missing space before ( in while( [whitespace/parens] [5] Total errors found: 2 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.
Yusuke Suzuki
Comment 4 2019-04-09 18:18:40 PDT
Comment on attachment 367074 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=367074&action=review r=me with nit. > Source/JavaScriptCore/runtime/ObjectConstructor.cpp:620 > + RETURN_IF_EXCEPTION_CLEARING_OVERFLOW(jsNull()); We can use `{ }` instead of `jsNull()`.
Robin Morisset
Comment 5 2019-04-10 10:47:16 PDT
Created attachment 367138 [details] Patch for landing
WebKit Commit Bot
Comment 6 2019-04-10 11:05:06 PDT
Comment on attachment 367138 [details] Patch for landing Clearing flags on attachment: 367138 Committed r244136: <https://trac.webkit.org/changeset/244136>
WebKit Commit Bot
Comment 7 2019-04-10 11:05:07 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.