Bug 213006 - Stringifier::appendStringifiedValue() should not assume it is always safe to recurse.
Summary: Stringifier::appendStringifiedValue() should not assume it is always safe to ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-06-09 18:46 PDT by Mark Lam
Modified: 2020-06-11 03:41 PDT
CC: 6 users

See Also:


Attachments
proposed patch. (3.77 KB, patch)
2020-06-09 18:57 PDT, Mark Lam
keith_miller: review+

Description Mark Lam 2020-06-09 18:46:27 PDT
In r262727, I suggested that Alexey Shvayka add an assertion in Stringifier::appendStringifiedValue() that it is safe to recurse, because we don't expect it to recurse into itself.  Turns out this is a bad idea because a client may be doing the recursing, and Stringifier::appendStringifiedValue() ends up being executed with a stack that is already in the reserved zone.  This is legal, and is what the reserved zone is intended for, as long as we don't recurse from here.  However, this also means that the assertion vm.isSafeToRecurseSoft() will fail because we may already be in the reserved zone area.  The fix is simply to remove this faulty assertion.
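To make the point in the description concrete, here is an added C++ model (illustrative code, not WebKit's): the recursing client checks the soft limit before each deeper call, while the leaf helper may legitimately run with its stack pointer already inside the reserved zone, so an isSafeToRecurseSoft() assertion inside the leaf fires spuriously. StackModel, appendLeaf, walk, deepestFrame and the stack addresses are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed model of a downward-growing native stack with a reserved zone
// just above the hard limit. This is illustrative code, not JavaScriptCore's
// VM; the names below only mirror the bug's vocabulary.
struct StackModel {
    uintptr_t hardLimit;   // no frame may be placed below this address
    size_t reservedBytes;  // size of the reserved zone sitting above hardLimit

    uintptr_t softLimit() const { return hardLimit + reservedBytes; }
    // Stand-in for vm.isSafeToRecurseSoft(): false once the stack pointer is
    // already inside the reserved zone, i.e. no further recursion is allowed.
    bool isSafeToRecurseSoft(uintptr_t sp) const { return sp > softLimit(); }
};

// Stand-in for Stringifier::appendStringifiedValue(): a leaf that does not
// recurse. With `faultyAssertion` set it reproduces the assertion the bug
// removes; it returns true when that assertion would have fired.
bool appendLeaf(const StackModel& stack, uintptr_t sp, bool faultyAssertion) {
    if (faultyAssertion && !stack.isSafeToRecurseSoft(sp))
        return true;   // false positive: a leaf running in the reserved zone is legal
    return false;
}

// The recursing client (e.g. a stringify walk over nested values). It owns the
// recursion, so it checks the soft limit before each deeper call, and it calls
// the leaf from whatever depth it reached, possibly from the reserved zone.
// Returns the number of spurious assertion failures the leaf would report.
int walk(const StackModel& stack, uintptr_t sp, size_t frameSize, bool faultyAssertion) {
    int spurious = appendLeaf(stack, sp, faultyAssertion) ? 1 : 0;
    if (!stack.isSafeToRecurseSoft(sp))
        return spurious;   // in the reserved zone: finish this frame, do not recurse
    return spurious + walk(stack, sp - frameSize, frameSize, faultyAssertion);
}

// Deepest stack pointer the walk reaches; it stays at or above hardLimit as
// long as one frame is no larger than the reserved zone.
uintptr_t deepestFrame(const StackModel& stack, uintptr_t sp, size_t frameSize) {
    while (stack.isSafeToRecurseSoft(sp))
        sp -= frameSize;
    return sp;
}
```

The faulty variant reports exactly one spurious failure, from the single frame that the client legitimately runs inside the reserved zone; without the assertion the same walk reports none.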
Comment 1 Mark Lam 2020-06-09 18:46:54 PDT
<rdar://problem/64154840>
Comment 2 Mark Lam 2020-06-09 18:57:38 PDT
Created attachment 401503
proposed patch.
Comment 3 Keith Miller 2020-06-09 19:00:16 PDT
Comment on attachment 401503
proposed patch.

r=me
Comment 4 Mark Lam 2020-06-09 19:05:43 PDT
Thanks for the review.  Landed in r262830: <http://trac.webkit.org/r262830>.