Bug 154340 - StringPrototype functions should check for exceptions after calling JSString::value().
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
Keywords: InRadar
Depends on:
Reported: 2016-02-17 10:15 PST by Mark Lam
Modified: 2016-02-17 14:04 PST

See Also:

proposed patch. (13.18 KB, patch)
2016-02-17 11:30 PST, Mark Lam
fpizlo: review+

Description Mark Lam 2016-02-17 10:15:30 PST
JSString::value() can throw an exception if the JS string is a rope and value() needs to resolve the rope but encounters an OutOfMemory error.  If value() is not able to resolve the rope, it will return a null string (in addition to throwing the exception).  If StringPrototype functions do not check for exceptions after calling JSString::value(), they may eventually use the returned null string and crash the VM.

The fix is to add all the necessary exception checks, and do the appropriate handling if needed.
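The failure mode the description spells out, as an added example that is not WebKit's code and not from the attached patch: a minimal model of a rope-backed string whose value() both records an exception and hands back a null string on an out-of-memory path, next to a StringPrototype-style caller in the unchecked "before" shape and the checked "after" shape. ExecState, JSString, value(), hadException(), the rope representation and the allocation limit are stand-ins that mimic the names in the report; they are assumptions for illustration, not JavaScriptCore's real classes or signatures.

```cpp
// Added example, not WebKit code. ExecState, JSString, value(), hadException()
// and the rope/allocation-limit model are assumed stand-ins for the shapes
// named in the bug report, not JavaScriptCore's actual implementation.
#include <cctype>
#include <cstddef>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Stand-in for the VM's pending-exception slot.
struct ExecState {
    std::optional<std::string> exception;
    bool hadException() const { return exception.has_value(); }
    void throwException(std::string what) {
        if (!exception) exception = std::move(what);   // keep the first one
    }
};

// Stand-in for JSString: either already flat, or a rope of pieces that
// value() must concatenate before anyone can read its characters.
struct JSString {
    std::shared_ptr<const std::string> flat;   // nullptr until resolved
    std::vector<std::string> ropePieces;       // non-empty => still a rope
    size_t allocationLimit = 1 << 20;          // constructed OOM threshold

    static JSString flatString(std::string s) {
        JSString j;
        j.flat = std::make_shared<const std::string>(std::move(s));
        return j;
    }
    static JSString rope(std::vector<std::string> pieces, size_t limit) {
        JSString j;
        j.ropePieces = std::move(pieces);
        j.allocationLimit = limit;
        return j;
    }

    // Models JSString::value(): when the rope cannot be resolved it records
    // an exception AND returns the null string. That double signal is what
    // the report describes; a caller that only looks at the return value and
    // assumes it is usable will dereference null.
    const std::string* value(ExecState& exec) {
        if (flat) return flat.get();
        size_t total = 0;
        for (const auto& p : ropePieces) total += p.size();
        if (total > allocationLimit) {
            exec.throwException("OutOfMemoryError");
            return nullptr;                    // null string
        }
        std::string out;
        out.reserve(total);
        for (const auto& p : ropePieces) out += p;
        flat = std::make_shared<const std::string>(std::move(out));
        ropePieces.clear();
        return flat.get();
    }
};

static std::string upper(const std::string& s) {
    std::string r = s;
    for (char& c : r)
        c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    return r;
}

// "Before" shape: uses the result of value() without consulting the exception
// slot. On the OOM path this dereferences the null string, i.e. the VM crash
// the report warns about (undefined behaviour in this model as well).
std::string toUpperCaseUnchecked(ExecState& exec, JSString& thisValue) {
    const std::string* s = thisValue.value(exec);
    return upper(*s);
}

// "After" shape: check for a pending exception immediately after value() and
// bail out before touching the possibly-null result. std::nullopt stands in
// for the placeholder value a StringPrototype function returns while an
// exception is propagating.
std::optional<std::string> toUpperCaseChecked(ExecState& exec, JSString& thisValue) {
    const std::string* s = thisValue.value(exec);
    if (exec.hadException())
        return std::nullopt;
    return upper(*s);
}
```

The check must sit directly after the value() call, before any use of the returned pointer; moving it later (for example after a length computation) re-introduces the null dereference on the out-of-memory path.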
Comment 1 Mark Lam 2016-02-17 10:16:39 PST
Comment 2 Mark Lam 2016-02-17 11:30:32 PST
Created attachment 271568
proposed patch.
Comment 3 Mark Lam 2016-02-17 14:04:51 PST
Thanks for the review.  Landed in r196721: <http://trac.webkit.org/r196721>.