[Webkit-unassigned] [Bug 213006] New: Stringifier::appendStringifiedValue() should not assume it is always safe to recurse.
bugzilla-daemon at webkit.org
Tue Jun 9 18:46:27 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=213006
Bug ID: 213006
Summary: Stringifier::appendStringifiedValue() should not assume it is always safe to recurse.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
In r262727, I suggested that Alexey Shvayka add an assertion in Stringifier::appendStringifiedValue() that it is safe to recurse because we don't expect it to recurse into itself. Turns out this is a bad idea because a client may be doing the recursing, and Stringifier::appendStringifiedValue() ends up being executed with stack that is already in the reserved zone. This is legal, and is what the reserved zone is intended for as long as we don't recurse from here. However, this also means that the assertion vm.isSafeToRecurseSoft() will fail because we may already be in the reserved zone area. The fix is simply to remove this faulty assertion.
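The situation the report describes, as an added example that is not part of the bug, the patch, or JavaScriptCore's code: a recursive client checks the soft stack limit before every descent, then calls a non-recursive leaf whose frame legally lands in the reserved zone, where an ASSERT(vm.isSafeToRecurseSoft()) in the leaf would fire. Stack usage is modelled as a frame counter (an assumption made for determinism; real engines compare the stack pointer against address limits), the limits of 8 frames with a 3-frame reserved zone are constructed, and the names mirror the report but are not JSC's API.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Constructed model of a VM stack guard with a reserved zone (assumption: frames
// are counted instead of measuring the real stack). Not JavaScriptCore's VM.
struct StackGuard {
    size_t capacity;      // frames before a genuine stack overflow (hard limit)
    size_t reservedZone;  // frames kept in reserve below the soft limit
    size_t depth = 0;     // frames currently in use

    size_t softLimit() const { return capacity - reservedZone; }
    // May this frame push another frame without entering the reserved zone?
    bool isSafeToRecurseSoft() const { return depth < softLimit(); }
    // Is any stack left at all for one more frame?
    bool isSafeToRecurseHard() const { return depth < capacity; }
};

// RAII frame: every function entry costs one frame. Exhausting the reserved
// zone as well is a real overflow, so that is asserted here.
struct Frame {
    StackGuard& vm;
    explicit Frame(StackGuard& v) : vm(v) {
        assert(vm.isSafeToRecurseHard() && "reserved zone exhausted");
        ++vm.depth;
    }
    ~Frame() { --vm.depth; }
};

// Minimal JSON-like value: a number or an array of values.
struct Value {
    bool isArray = false;
    int number = 0;
    std::vector<Value> items;
};

struct Result {
    std::string text;
    bool stackOverflow = false;          // client stopped at the soft limit
    bool leafRanInReservedZone = false;  // where the removed assertion would fire
};

// Non-recursive leaf. The r262727 assertion amounted to
// ASSERT(vm.isSafeToRecurseSoft()) at this point; here it is only recorded,
// because running in the reserved zone is exactly what the zone is for.
static void appendStringifiedValue(StackGuard& vm, int n, Result& r) {
    Frame frame(vm);
    if (!vm.isSafeToRecurseSoft())
        r.leafRanInReservedZone = true;
    r.text += std::to_string(n);
}

// Recursive client: checks the soft limit before each descent and reports a
// stack overflow rather than recursing into the reserved zone.
static bool stringify(StackGuard& vm, const Value& v, Result& r) {
    Frame frame(vm);
    if (!v.isArray) {
        appendStringifiedValue(vm, v.number, r);
        return true;
    }
    r.text += '[';
    for (size_t i = 0; i < v.items.size(); ++i) {
        if (i) r.text += ',';
        if (!vm.isSafeToRecurseSoft()) {  // a real engine would throw RangeError here
            r.stackOverflow = true;
            return false;
        }
        if (!stringify(vm, v.items[i], r))
            return false;
    }
    r.text += ']';
    return true;
}

// Constructed input: [[[...7...]]] with `arrays` nesting levels.
static Value nestedArrays(size_t arrays) {
    Value v;
    v.number = 7;
    for (size_t i = 0; i < arrays; ++i) {
        Value outer;
        outer.isArray = true;
        outer.items.push_back(v);
        v = outer;
    }
    return v;
}

// Stringify on an 8-frame stack whose last 3 frames form the reserved zone.
Result stringifyNested(size_t arrays) {
    StackGuard vm{8, 3};
    Result r;
    stringify(vm, nestedArrays(arrays), r);
    return r;
}

int main() {
    Result shallow = stringifyNested(1);  // leaf stays above the soft limit
    Result deep = stringifyNested(4);     // leaf legally lands in the reserved zone
    Result tooDeep = stringifyNested(5);  // client gives up at the soft limit
    assert(!shallow.leafRanInReservedZone && !shallow.stackOverflow);
    assert(deep.text == "[[[[7]]]]" && deep.leafRanInReservedZone && !deep.stackOverflow);
    assert(tooDeep.stackOverflow);
    return 0;
}
```

With four nested arrays the client's last soft check passes at depth 4, the number's frame is depth 5, and the leaf's own frame is depth 6, inside the reserved zone; the hard limit of 8 is never reached, so the output is complete and correct, and only the removed assertion would have complained. With five nested arrays the client itself stops at the soft limit, which is the only place such a check belongs.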