Bug 302183: RESOLVED FIXED
[JSC] describe function attempts to create a WTF::String larger than WTF::String::MaxLength
https://bugs.webkit.org/show_bug.cgi?id=302183
Anthony Tarbinian
Reported 2025-11-07 15:08:30 PST
rdar://160097620

The `describe` JS function returns a String that contains additional metadata to "describe" the original entity passed in. For example, `describe("hello")` results in a string that looks like `String (atomic),8Bit:(1),length:(5): hello, StructureID: 16777808`. Under the hood, `describe` constructs a new string with additional metadata and converts it to a `WTF::String`. The problem is that while the original string passed into `describe` is under the `WTF::String` limit (`WTF::String::MaxLength`), it's possible for the extra metadata to push the length of the resulting string over the limit. Then, when `describe` goes to convert the result into a `WTF::String`, JSC can crash from a `RELEASE_ASSERT` enforcing the size of the resulting string.
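The length arithmetic behind this report, as an added illustration that is not WebKit's or JSC's code: a stand-in `describe` that prepends the metadata prefix shown above, once unchecked (modelling the `RELEASE_ASSERT` with a thrown `std::length_error`) and once with the length check done before the string is built. `kMaxLength`, `describePrefix`, `describeUnchecked`, `describeChecked` and `uncheckedWouldCrash` are names chosen for this example, the limit is deliberately tiny so the overflow is visible, and the `StructureID` suffix of the real output is omitted.

```cpp
#include <cstddef>
#include <optional>
#include <stdexcept>
#include <string>

// Stand-in for WTF::String::MaxLength. The real limit is far larger; a small
// value is an assumption of this example so the overflow is easy to see.
constexpr std::size_t kMaxLength = 64;

// The metadata describe() prepends, modelled on the output quoted in the report
// (without the trailing StructureID part).
std::string describePrefix(std::size_t length) {
    return "String (atomic),8Bit:(1),length:(" + std::to_string(length) + "): ";
}

// Unchecked path: the failure mode in the report. The input alone fits under the
// limit, but prefix + payload does not. Where WTF::String construction would hit
// its RELEASE_ASSERT, this example throws instead.
std::string describeUnchecked(const std::string& value) {
    std::string out = describePrefix(value.size()) + value;
    if (out.size() > kMaxLength)
        throw std::length_error("result exceeds the String length limit");
    return out;
}

// Checked path: compute the final length first and refuse (nullopt) instead of
// building an over-long string. The comparison is written as a subtraction on
// the limit side so it cannot wrap around for any value.size() <= kMaxLength.
std::optional<std::string> describeChecked(const std::string& value) {
    std::string prefix = describePrefix(value.size());
    if (value.size() > kMaxLength || prefix.size() > kMaxLength - value.size())
        return std::nullopt;
    return prefix + value;
}

// True when the unchecked path would have crashed for this input.
bool uncheckedWouldCrash(const std::string& value) {
    try {
        describeUnchecked(value);
        return false;
    } catch (const std::length_error&) {
        return true;
    }
}
```

With the 64-byte stand-in limit, a 30-character input is itself well under the limit, yet its 38-byte prefix pushes the result to 68 bytes: the unchecked path fails, the checked path declines to build the string. The same reasoning applies at the real `WTF::String::MaxLength`, just with inputs near that boundary.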
Anthony Tarbinian
Comment 1 2025-11-07 16:36:25 PST
EWS
Comment 2 2025-11-10 09:06:23 PST
Committed 302798@main (11dd0ceefa42): <https://commits.webkit.org/302798@main> Reviewed commits have been landed. Closing PR #53614 and removing active labels.