author | aliceli1 <aliceli1@bbb929c8-8fbe-4397-9dbb-9b2b20218538> | 2007-01-27 02:31:28 +0000 |
committer | aliceli1 <aliceli1@bbb929c8-8fbe-4397-9dbb-9b2b20218538> | 2007-01-27 02:31:28 +0000 |
commit | ca474a19d5f48155d2cefa30a32ea8349dab20d3 (patch) | |
tree | e3e8e3bffd276549ddb870ded0054cd582f35aec | |
parent | 1e020c40b7e42b82dbf5f8ecab7d2f02d5cb516e (diff) | |
JavaScriptCore:
Reviewed by Maciej.
Fix for Repeated string concatenation results in OOM crash
http://bugs.webkit.org/show_bug.cgi?id=11131
* kjs/operations.cpp:
(KJS::add): Throw exception if string addition result is null
* kjs/ustring.cpp:
(KJS::UString::UString): Don't call memcpy when malloc failed
LayoutTests:
Reviewed by Maciej.
Test for "Repeated string concatenation results in OOM crash"
http://bugs.webkit.org/show_bug.cgi?id=11131
* fast/js/resources/string-concatenate-outofmemory.js: Added.
* fast/js/string-concatenate-outofmemory-expected.txt: Added.
* fast/js/string-concatenate-outofmemory.html: Added.
git-svn-id: svn://svn.chromium.org/blink/trunk@19178 bbb929c8-8fbe-4397-9dbb-9b2b20218538
7 files changed, 79 insertions, 10 deletions
diff --git a/third_party/WebKit/JavaScriptCore/ChangeLog b/third_party/WebKit/JavaScriptCore/ChangeLog
index 91f23fa..f3eb8c6 100644
--- a/third_party/WebKit/JavaScriptCore/ChangeLog
+++ b/third_party/WebKit/JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
+2007-01-27 Andrew Wellington <proton@wiretapped.net>
+
+ Reviewed by Maciej.
+
+ Fix for Repeated string concatenation results in OOM crash
+ http://bugs.webkit.org/show_bug.cgi?id=11131
+
+ * kjs/operations.cpp:
+ (KJS::add): Throw exception if string addition result is null
+ * kjs/ustring.cpp:
+ (KJS::UString::UString): Don't call memcpy when malloc failed
+
 2007-01-25 Jan Kraemer <camel@gmx.de>
 
 Reviewed by Maciej
diff --git a/third_party/WebKit/JavaScriptCore/kjs/operations.cpp b/third_party/WebKit/JavaScriptCore/kjs/operations.cpp
index 071a1d1..dd8a58d 100644
--- a/third_party/WebKit/JavaScriptCore/kjs/operations.cpp
+++ b/third_party/WebKit/JavaScriptCore/kjs/operations.cpp
@@ -224,8 +224,15 @@ JSValue *add(ExecState *exec, JSValue *v1, JSValue *v2, char oper)
 JSValue *p1 = v1->toPrimitive(exec, preferred);
 JSValue *p2 = v2->toPrimitive(exec, preferred);
 
- if ((p1->isString() || p2->isString()) && oper == '+')
- return jsString(p1->toString(exec) + p2->toString(exec));
+ if ((p1->isString() || p2->isString()) && oper == '+') {
+ UString value = p1->toString(exec) + p2->toString(exec);
+ if (value.isNull()) {
+ JSObject *error = Error::create(exec, GeneralError, "Out of memory");
+ exec->setException(error);
+ return error;
+ } else
+ return jsString(value);
+ }
 
 if (oper == '+')
 return jsNumber(p1->toNumber(exec) + p2->toNumber(exec));
diff --git a/third_party/WebKit/JavaScriptCore/kjs/ustring.cpp b/third_party/WebKit/JavaScriptCore/kjs/ustring.cpp
index 522bf96..3a63235 100644
--- a/third_party/WebKit/JavaScriptCore/kjs/ustring.cpp
+++ b/third_party/WebKit/JavaScriptCore/kjs/ustring.cpp
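Review bot: The `value.isNull()` test in add() is the only out-of-memory signal, so the new branch is correct only if neither `toString(exec)` result can legitimately be null for any other reason; otherwise a non-OOM concatenation would now be reported as "Out of memory". A one-line comment at the check would pin that contract: `// A null UString here means UString::UString(const UString&, const UString&) failed to allocate; toString() itself never yields a null string.` `Error::create` also allocates on an already-exhausted heap, so constructing the error object could fail the same way — hedged, since its failure behaviour is not visible here. Stylistically the `else` after `return error;` is redundant and `return jsString(value);` can follow the inner if directly; KJS's `throwError(exec, GeneralError, "Out of memory")` helper expresses the set-and-return pair in one call if it is in scope in this file. The rest of add() lies outside the hunk.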
@@ -433,24 +433,33 @@ UString::UString(const UString &a, const UString &b)
 // - however, if b qualifies for prepend and is longer than a, we'd rather prepend
 UString x(a);
 x.expandCapacity(aOffset + length);
- memcpy(const_cast<UChar *>(a.data() + aSize), b.data(), bSize * sizeof(UChar));
- m_rep = Rep::create(a.m_rep, 0, length);
+ if (a.data()) {
+ memcpy(const_cast<UChar *>(a.data() + aSize), b.data(), bSize * sizeof(UChar));
+ m_rep = Rep::create(a.m_rep, 0, length);
+ } else
+ m_rep = &Rep::null;
 } else if (-bOffset == b.usedPreCapacity() && 4 * bSize >= aSize) {
 // - b reaches the beginning of its buffer so it qualifies for shared prepend
 // - also, it's at least a quarter the length of a - prepending to a much shorter
 // string does more harm than good
 UString y(b);
 y.expandPreCapacity(-bOffset + aSize);
- memcpy(const_cast<UChar *>(b.data() - aSize), a.data(), aSize * sizeof(UChar));
- m_rep = Rep::create(b.m_rep, -aSize, length);
+ if (b.data()) {
+ memcpy(const_cast<UChar *>(b.data() - aSize), a.data(), aSize * sizeof(UChar));
+ m_rep = Rep::create(b.m_rep, -aSize, length);
+ } else
+ m_rep = &Rep::null;
 } else {
 // a does not qualify for append, and b does not qualify for prepend, gotta make a whole new string
 int newCapacity = expandedSize(length, 0);
 UChar *d = static_cast<UChar *>(fastMalloc(sizeof(UChar) * newCapacity));
- memcpy(d, a.data(), aSize * sizeof(UChar));
- memcpy(d + aSize, b.data(), bSize * sizeof(UChar));
- m_rep = Rep::create(d, length);
- m_rep->capacity = newCapacity;
+ if (d) {
+ memcpy(d, a.data(), aSize * sizeof(UChar));
+ memcpy(d + aSize, b.data(), bSize * sizeof(UChar));
+ m_rep = Rep::create(d, length);
+ m_rep->capacity = newCapacity;
+ } else
+ m_rep = &Rep::null;
 }
 }
 
diff --git a/third_party/WebKit/LayoutTests/ChangeLog b/third_party/WebKit/LayoutTests/ChangeLog
index c8fe5b2..acf0e75 100644
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
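Review bot: The append and prepend branches test `a.data()` / `b.data()` after `x.expandCapacity(...)` / `y.expandPreCapacity(...)` have mutated the rep that `x`/`y` share with the operand, so on failure the caller's operand string, not just this result, is left in whatever state expandCapacity leaves it; if that is a null buffer with the old length intact, the left operand of a failed `+` is unsafe to read afterwards — worth confirming, since expandCapacity is outside this hunk. A comment at each check would make the aliasing explicit: `// x shares a's rep; a.data() is null only if expandCapacity failed to reallocate it`. The third branch guards fastMalloc only: `Rep::create(d, length)` also allocates and, if it can return null, `m_rep->capacity = newCapacity` dereferences it (hedged, Rep::create is not visible), and nothing here guards `length`/`newCapacity` against overflowing before allocation fails, which is the path that would turn the doubling loop into an undersized buffer rather than a null one. The three braceless `else` arms under braced `if` blocks would be easier to scan with braces. The constructor starts before this hunk.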
@@ -1,3 +1,14 @@
+2007-01-27 Andrew Wellington <proton@wiretapped.net>
+
+ Reviewed by Maciej.
+
+ Test for "Repeated string concatenation results in OOM crash"
+ http://bugs.webkit.org/show_bug.cgi?id=11131
+
+ * fast/js/resources/string-concatenate-outofmemory.js: Added.
+ * fast/js/string-concatenate-outofmemory-expected.txt: Added.
+ * fast/js/string-concatenate-outofmemory.html: Added.
+
 2007-01-26 Darin Adler <darin@apple.com>
 
 Reviewed by Beth.
diff --git a/third_party/WebKit/LayoutTests/fast/js/resources/string-concatenate-outofmemory.js b/third_party/WebKit/LayoutTests/fast/js/resources/string-concatenate-outofmemory.js
new file mode 100644
index 0000000..a3b4e7e
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/js/resources/string-concatenate-outofmemory.js
@@ -0,0 +1,7 @@
+description(
+'This test checks if repeated string concatenation causes an exception (and not a crash). From WebKit Bug <a href="http://bugs.webkit.org/show_bug.cgi?id=11131">Repeated string concatenation results in OOM crash</a>.'
+);
+
+shouldThrow('s = "a"; while (1) { s += s; }', '"Error: Out of memory"');
+
+var successfullyParsed = true;
diff --git a/third_party/WebKit/LayoutTests/fast/js/string-concatenate-outofmemory-expected.txt b/third_party/WebKit/LayoutTests/fast/js/string-concatenate-outofmemory-expected.txt
new file mode 100644
index 0000000..595555b
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/js/string-concatenate-outofmemory-expected.txt
@@ -0,0 +1,10 @@
+This test checks if repeated string concatenation causes an exception (and not a crash). From WebKit Bug Repeated string concatenation results in OOM crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS s = "a"; while (1) { s += s; } threw exception Error: Out of memory.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/third_party/WebKit/LayoutTests/fast/js/string-concatenate-outofmemory.html b/third_party/WebKit/LayoutTests/fast/js/string-concatenate-outofmemory.html
new file mode 100644
index 0000000..df3dc0c
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/js/string-concatenate-outofmemory.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/string-concatenate-outofmemory.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html> |