Merge r223731 - Stringifier::appendStringifiedValue() is missing an e…

…xception check. https://bugs.webkit.org/show_bug.cgi?id=178386 <rdar://problem/35027610> Reviewed by Saam Barati. JSTests: * stress/regress-178386.js: Added. Source/JavaScriptCore: * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue):
WebKit · Dec 19, 2017 · 3c358e1 · 3c358e1
1 parent 8e2d27d
commit 3c358e1
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 1 deletion.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2017-10-19  Mark Lam  <mark.lam@apple.com>
+
+        Stringifier::appendStringifiedValue() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=178386
+        <rdar://problem/35027610>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-178386.js: Added.
+
 2017-10-18  Mark Lam  <mark.lam@apple.com>
 
         The compiler should always register a structure when it adds its transitionWatchPointSet.

diff --git a/JSTests/stress/regress-178386.js b/JSTests/stress/regress-178386.js
@@ -0,0 +1,12 @@
+var str1 = String.fromCharCode(136, 115, 29, 20, 15, 155, 81);
+str3 = str1.padEnd(0x7FFFFFFC, '123');
+
+var exception;
+try {
+    JSON.stringify(str3);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2017-10-19  Mark Lam  <mark.lam@apple.com>
+
+        Stringifier::appendStringifiedValue() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=178386
+        <rdar://problem/35027610>
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::appendStringifiedValue):
+
 2017-10-18  Mark Lam  <mark.lam@apple.com>
 
         The compiler should always register a structure when it adds its transitionWatchPointSet.

diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp
@@ -355,7 +355,9 @@ Stringifier::StringifyResult Stringifier::appendStringifiedValue(StringBuilder&
     }
 
     if (value.isString()) {
-        builder.appendQuotedJSONString(asString(value)->value(m_exec));
+        const String& string = asString(value)->value(m_exec);
+        RETURN_IF_EXCEPTION(scope, StringifyFailed);
+        builder.appendQuotedJSONString(string);
         return StringifySucceeded;
     }