WebKit Bugzilla: Attachment 369507 Details for Bug 197749: parseStatementListItem needs a stack overflow check
[patch] Patch: bug-197749-20190509120307.patch (text/plain), 2.85 KB, created by Keith Miller on 2019-05-09 12:03:09 PDT
Description: Patch
Filename: bug-197749-20190509120307.patch
MIME Type: text/plain
Creator: Keith Miller
Created: 2019-05-09 12:03:09 PDT
Size: 2.85 KB
Flags: patch, obsolete
>Subversion Revision: 245145 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 211b315794a70cdeaebfd5b0e10c84d0867fb014..a7bda4f7a2ddf22910c1f17c149146e46bc3629a 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,18 @@ >+2019-05-09 Keith Miller <keith_miller@apple.com> >+ >+ parseStatementListItem needs a stack overflow check >+ https://bugs.webkit.org/show_bug.cgi?id=197749 >+ <rdar://problem/50302697> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ There currently exists a path in the parser where you can loop >+ arbibrarily many times without a stack overflow check. This patch >+ adds a check to parseStatementListItem to break that cycle. >+ >+ * parser/Parser.cpp: >+ (JSC::Parser<LexerType>::parseStatementListItem): >+ > 2019-05-09 Keith Miller <keith_miller@apple.com> > > REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory >diff --git a/Source/JavaScriptCore/parser/Parser.cpp b/Source/JavaScriptCore/parser/Parser.cpp >index dce455159fd9f2637ac015773586abceaa5fca8b..a3b851c57a9d7533fc9651ba87521d6bf7855d7f 100644 >--- a/Source/JavaScriptCore/parser/Parser.cpp >+++ b/Source/JavaScriptCore/parser/Parser.cpp >@@ -652,6 +652,7 @@ template <class TreeBuilder> TreeStatement Parser<LexerType>::parseStatementList > // http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements > DepthManager statementDepth(&m_statementDepth); > m_statementDepth++; >+ failIfStackOverflow(); > TreeStatement result = 0; > bool shouldSetEndOffset = true; > bool shouldSetPauseLocation = false; >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 50c268a423d90a7461ffe98dbf0c7e7930d43194..ef6fba76dbfdf6544b656a8b8d9baee30e8482b0 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog 
>@@ -1,3 +1,12 @@ >+2019-05-09 Keith Miller <keith_miller@apple.com> >+ >+ parseStatementListItem needs a stack overflow check >+ https://bugs.webkit.org/show_bug.cgi?id=197749 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/many-nested-functions-parser-stack-overflow.js: Added. >+ > 2019-05-08 Saam barati <sbarati@apple.com> > > AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register >diff --git a/JSTests/stress/many-nested-functions-parser-stack-overflow.js b/JSTests/stress/many-nested-functions-parser-stack-overflow.js >new file mode 100644 >index 0000000000000000000000000000000000000000..ab3c7d961a145a81e37cad6dd8360143c891087d >--- /dev/null >+++ b/JSTests/stress/many-nested-functions-parser-stack-overflow.js >@@ -0,0 +1,13 @@ >+var code = "function f1() {\n".repeat(80000); >+ >+code += code; >+ >+code += ", x" + -2147483648 + " = " + 1; >+ >+code += ";\n"; >+ >+code += " return 80000;\n"; >+ >+code += "}\n"; >+ >+eval(code); >\ No newline at end of file
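Review bot: typo in the Source/JavaScriptCore/ChangeLog hunk: "loop arbibrarily many times" should read "loop arbitrarily many times". While editing that entry, consider naming the recursive path that lacked a check (which callers of parseStatementListItem form the cycle), since "a path in the parser" leaves the next reader to rediscover it.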
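Review bot: in the Parser.cpp hunk, `failIfStackOverflow();` is placed after `DepthManager statementDepth(&m_statementDepth);` and `m_statementDepth++;`. That ordering appears deliberate, so that the scoped DepthManager is already live when the check fails and m_statementDepth is restored on the early exit, but a one-line comment saying so would keep a later cleanup from hoisting the check above the depth bookkeeping.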
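Review bot: the new stress test in JSTests/stress/many-nested-functions-parser-stack-overflow.js calls `eval(code)` bare, so it passes whenever the process survives, whether parsing stops with the intended stack-exhaustion error or with an ordinary SyntaxError (the generated source opens 160000 functions and closes only one). Wrapping the eval in try/catch and asserting on the thrown error would document the expected outcome and let the test distinguish the two. A comment on the `", x" + -2147483648 + " = " + 1` fragment explaining which parser path it is meant to reach would also help, and the file is missing its trailing newline.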