[webkit-changes] [WebKit/WebKit] 32b972: Segfault in JSC::IdentifierArena::makeBigIntDecima...

EWS noreply at github.com
Wed Nov 9 14:31:34 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 32b9728139794e15d690f5a3b43dbd9f8162e6ee
      https://github.com/WebKit/WebKit/commit/32b9728139794e15d690f5a3b43dbd9f8162e6ee
  Author: David Degazio <d_degazio at apple.com>
  Date:   2022-11-09 (Wed, 09 Nov 2022)

  Changed paths:
    A JSTests/stress/bigdecimal-identifiers-fail-on-oom.js
    M Source/JavaScriptCore/parser/Parser.cpp
    M Source/JavaScriptCore/parser/ParserArena.cpp
    M Source/JavaScriptCore/parser/ParserArena.h

  Log Message:
  -----------
  Segfault in JSC::IdentifierArena::makeBigIntDecimalIdentifier
https://bugs.webkit.org/show_bug.cgi?id=247644
rdar://98566429

Reviewed by Mark Lam and Yusuke Suzuki.

We currently get a segfault because the parser for bigdecimal identifiers allocates a JSBigInt, which
might cause us to run out of memory. The parser doesn't throw arbitrary exceptions elsewhere, so instead
of throwing out-of-memory as an exception, it just produces an empty JSBigInt and crashes when using it.
This patch addresses the issue by making the result of makeBigIntDecimalIdentifier nullable, checking for
it in the parser, and failing with a SyntaxError if the identifier could not be created.

* JSTests/stress/bigdecimal-identifiers-fail-on-oom.js: Added.
(foo):
* Source/JavaScriptCore/parser/Lexer.cpp:
* Source/JavaScriptCore/parser/Parser.cpp:
(JSC::Parser<LexerType>::parseDestructuringPattern):
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseClassFieldInitializerSourceElements):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parseGetterSetter):
* Source/JavaScriptCore/parser/ParserArena.cpp:
(JSC::IdentifierArena::makeBigIntDecimalIdentifier):
* Source/JavaScriptCore/parser/ParserArena.h:

Canonical link: https://commits.webkit.org/256501@main
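The fix described in the log message is a nullable-result pattern: an allocation that may fail under memory pressure returns null instead of a half-built object, and the parser checks for null and reports a SyntaxError rather than dereferencing it. The following is an added illustration of that pattern, not WebKit code; `ToyArena`, `ToyBigInt`, `parseBigIntPropertyName` and the byte-budget allocator are hypothetical stand-ins for the real arena and JSBigInt, and the budget simply models the out-of-memory condition.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Added example (not WebKit code). A toy value standing in for JSBigInt.
struct ToyBigInt {
    std::string digits;
};

// Hypothetical arena with a byte budget. Allocation returns nullptr instead of
// aborting when the budget would be exceeded; this models the OOM case.
class ToyArena {
public:
    explicit ToyArena(size_t budgetBytes) : m_remaining(budgetBytes) {}

    // Nullable result: nullptr means "could not allocate the identifier".
    ToyBigInt* makeBigIntDecimalIdentifier(const std::string& decimalDigits) {
        size_t cost = decimalDigits.size() + sizeof(ToyBigInt);
        if (cost > m_remaining)
            return nullptr;
        m_remaining -= cost;
        m_storage.push_back(std::make_unique<ToyBigInt>(ToyBigInt{decimalDigits}));
        return m_storage.back().get();
    }

private:
    size_t m_remaining;
    std::vector<std::unique_ptr<ToyBigInt>> m_storage;
};

enum class ParseStatus { Ok, SyntaxError };

struct ParseResult {
    ParseStatus status;
    const ToyBigInt* identifier; // valid only when status == Ok
};

// Caller side: check the nullable result and fail with a SyntaxError instead of
// using a null identifier (the crashing behaviour was to use it unchecked).
ParseResult parseBigIntPropertyName(ToyArena& arena, const std::string& token) {
    // Toy lexing assumption: a BigInt literal token looks like "123n".
    if (token.empty() || token.back() != 'n')
        return { ParseStatus::SyntaxError, nullptr };
    std::string digits = token.substr(0, token.size() - 1);
    if (digits.empty())
        return { ParseStatus::SyntaxError, nullptr };
    for (char c : digits) {
        if (c < '0' || c > '9')
            return { ParseStatus::SyntaxError, nullptr };
    }

    const ToyBigInt* ident = arena.makeBigIntDecimalIdentifier(digits);
    if (!ident)
        return { ParseStatus::SyntaxError, nullptr }; // allocation failed: report, do not crash
    return { ParseStatus::Ok, ident };
}

// Helpers that run one parse against a fresh arena and report the outcome.
bool parsesOk(size_t budget, const std::string& token) {
    ToyArena arena(budget);
    ParseResult r = parseBigIntPropertyName(arena, token);
    return r.status == ParseStatus::Ok && r.identifier
        && r.identifier->digits == token.substr(0, token.size() - 1);
}

bool failsWithSyntaxError(size_t budget, const std::string& token) {
    ToyArena arena(budget);
    ParseResult r = parseBigIntPropertyName(arena, token);
    return r.status == ParseStatus::SyntaxError && r.identifier == nullptr;
}

int main() {
    std::printf("large budget: %s\n", parsesOk(1024, "12345n") ? "ok" : "SyntaxError");
    std::printf("tiny budget:  %s\n", failsWithSyntaxError(8, "12345n") ? "SyntaxError" : "ok");
    return 0;
}
```

With a generous budget the identifier is created; with a budget too small for the allocation the parser returns a SyntaxError and never touches a null pointer, which is the behaviour the commit message describes for the OOM path.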



