[Webkit-unassigned] [Bug 121027] New: Crash on long string
bugzilla-daemon at webkit.org
Mon Sep 9 03:04:48 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=121027
Summary: Crash on long string
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: vasiliy.baranov at oracle.com
The following script crashes the latest 32-bit Safari, WinLauncher, and, FWIW, Chrome 30.0.1599.22 beta-m:

<script language="javascript">
    var s = "0123456789abcdef";
    while (true) {
        alert(s.length);
        s = s + s;
    }
</script>
The problem appears to be in the following code in JSC::stringLengthTrampolineGenerator():

    jit.load32(
        JSInterfaceJIT::Address(JSInterfaceJIT::regT0, JSString::offsetOfLength()),
        JSInterfaceJIT::regT2);
    JSInterfaceJIT::Jump failureCases3 = jit.branch32(
        JSInterfaceJIT::Above, JSInterfaceJIT::regT2, JSInterfaceJIT::TrustedImm32(INT_MAX));
    jit.move(JSInterfaceJIT::regT2, JSInterfaceJIT::regT0);
In case the length of the string is greater than INT_MAX, this code results in a call to cti_op_get_by_id_string_fail with ECX = <the length of the string>, which causes cti_op_get_by_id_string_fail to crash because cti_op_get_by_id_string_fail expects ECX to point to an object.
The following patch fixes the problem for me:
Index: JavaScriptCore/jit/ThunkGenerators.cpp
===================================================================
--- JavaScriptCore/jit/ThunkGenerators.cpp (revision 150795)
+++ JavaScriptCore/jit/ThunkGenerators.cpp (working copy)
@@ -198,11 +198,10 @@
// Checks out okay! - get the length from the Ustring.
jit.load32(
JSInterfaceJIT::Address(JSInterfaceJIT::regT0, JSString::offsetOfLength()),
- JSInterfaceJIT::regT2);
+ JSInterfaceJIT::regT0);
JSInterfaceJIT::Jump failureCases3 = jit.branch32(
- JSInterfaceJIT::Above, JSInterfaceJIT::regT2, JSInterfaceJIT::TrustedImm32(INT_MAX));
- jit.move(JSInterfaceJIT::regT2, JSInterfaceJIT::regT0);
+ JSInterfaceJIT::Above, JSInterfaceJIT::regT0, JSInterfaceJIT::TrustedImm32(INT_MAX));
jit.move(JSInterfaceJIT::TrustedImm32(JSValue::Int32Tag), JSInterfaceJIT::regT1);
#endif // USE(JSVALUE64)
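Review bot: With the length now loaded straight into regT0, the failureCases3 branch is taken with regT0 holding the raw length instead of the base JSString cell it held before the load; that is the same kind of clobbering on the slow path that the report describes for regT2/ECX, so confirm that the target of failureCases3 (cti_op_get_by_id_string_fail per the report) does not rely on regT0 before this is landed. Also, the surviving comment still says "get the length from the Ustring" while the load reads JSString::offsetOfLength(); worth correcting while touching these lines.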