Bug 213006

Summary: Stringifier::appendStringifiedValue() should not assume it is always safe to recurse.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=143511
Attachments: proposed patch. (flags: keith_miller: review+)

Mark Lam
Reported 2020-06-09 18:46:27 PDT
In r262727, I suggested that Alexey Shvayka add an assertion in Stringifier::appendStringifiedValue() that it is safe to recurse, because we don't expect it to recurse into itself. Turns out this is a bad idea, because a client may be doing the recursing, and Stringifier::appendStringifiedValue() ends up being executed with a stack that is already in the reserved zone. This is legal, and is what the reserved zone is intended for, as long as we don't recurse from here. However, this also means that the assertion vm.isSafeToRecurseSoft() will fail, because we may already be in the reserved zone area. The fix is simply to remove this faulty assertion.
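As an added illustration of the reserved-zone reasoning in the description above (this is not WebKit code and not the attached patch): a small C++ model of the soft and hard stack limits. The addresses, frame size and helper names are hypothetical stand-ins chosen for this example; only the idea behind vm.isSafeToRecurseSoft() comes from the report. The recursing client checks the soft limit before each descent, while the non-recursive leaf is allowed to execute below that limit, which is exactly where the removed assertion would have fired.

```cpp
// Added example: a minimal model of the soft/hard stack limit scheme the bug
// describes. It is not WebKit code; names that echo JSC (isSafeToRecurseSoft,
// appendStringifiedValue) are used for orientation and the sizes are made up.
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical layout of one thread's stack (addresses grow downward).
constexpr uintptr_t kStackBase    = 0x10000; // highest usable address
constexpr uintptr_t kStackSize    = 0x8000;  // total stack reserved for JS
constexpr uintptr_t kReservedZone = 0x1000;  // slack below the soft limit
constexpr uintptr_t kFrameSize    = 0x100;   // simulated cost of one call

struct VM {
    // Hard limit: going below this is a genuine stack overflow.
    uintptr_t stackLimit = kStackBase - kStackSize;
    // Soft limit: recursion must stop here so that non-recursive work still
    // has kReservedZone bytes to run in.
    uintptr_t softStackLimit = kStackBase - kStackSize + kReservedZone;

    // Same intent as vm.isSafeToRecurseSoft(): may this frame make another
    // arbitrarily deep call?
    bool isSafeToRecurseSoft(uintptr_t sp) const { return sp > softStackLimit; }
    // True while the frame is still inside the thread's stack at all.
    bool isInsideStack(uintptr_t sp) const { return sp >= stackLimit; }
};

// Leaf routine: formats one value and never recurses. It is legitimate for
// it to run with sp already inside the reserved zone, which is exactly why
// an isSafeToRecurseSoft() assertion here was wrong.
std::string appendStringifiedValue(const VM& vm, uintptr_t sp, int value)
{
    if (!vm.isInsideStack(sp))
        throw std::logic_error("hard stack limit breached"); // real code would have crashed
    return std::to_string(value);
}

// Client that does the recursing: it owns the soft check and performs it
// before every descent. levelsEntered counts descents that passed the check.
std::string stringifyNested(const VM& vm, uintptr_t sp, int depth, int leafValue, int& levelsEntered)
{
    if (depth == 0)
        return appendStringifiedValue(vm, sp - kFrameSize, leafValue);
    if (!vm.isSafeToRecurseSoft(sp))
        throw std::range_error("RangeError: Maximum call stack size exceeded");
    ++levelsEntered;
    return "[" + stringifyNested(vm, sp - kFrameSize, depth - 1, leafValue, levelsEntered) + "]";
}

// Scenario from the report: the client uses its last frame of headroom above
// the soft limit, so the leaf executes below it, inside the reserved zone.
// Returns true when the leaf produced output from a stack position where the
// removed assertion would have fired.
bool leafRunsInsideReservedZone()
{
    VM vm;
    uintptr_t sp = vm.softStackLimit + kFrameSize; // one frame above the soft limit
    int levels = 0;
    std::string out = stringifyNested(vm, sp, 1, 42, levels);
    uintptr_t leafSp = sp - 2 * kFrameSize;        // where the leaf actually ran
    return out == "[42]" && vm.isInsideStack(leafSp) && !vm.isSafeToRecurseSoft(leafSp);
}

// Unbounded nesting from the top of the stack: the soft check stops it with a
// catchable error well before the hard limit. Returns the levels descended.
int levelsBeforeSoftLimit()
{
    VM vm;
    int levels = 0;
    try {
        stringifyNested(vm, kStackBase, 1 << 20, 7, levels);
    } catch (const std::range_error&) {
    }
    return levels;
}

int main()
{
    std::cout << "leaf ran in reserved zone: " << std::boolalpha << leafRunsInsideReservedZone() << '\n';
    std::cout << "levels before soft limit: " << levelsBeforeSoftLimit() << '\n';
}
```

The point the model makes is the one in the description: the soft check belongs to whoever recurses, and a leaf that is guaranteed not to recurse must tolerate being called from inside the reserved zone, so asserting isSafeToRecurseSoft() in the leaf is a false alarm rather than a safety property.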
Attachments: proposed patch. (3.77 KB, patch), 2020-06-09 18:57 PDT, Mark Lam, flags: keith_miller: review+
Mark Lam
Comment 1 2020-06-09 18:46:54 PDT
Mark Lam
Comment 2 2020-06-09 18:57:38 PDT
Created attachment 401503: proposed patch.
Keith Miller
Comment 3 2020-06-09 19:00:16 PDT
Comment on attachment 401503 (proposed patch.): r=me
Mark Lam
Comment 4 2020-06-09 19:05:43 PDT
Thanks for the review. Landed in r262830: <http://trac.webkit.org/r262830>.