Cherry-pick 259548.689@safari-7615-branch (a75d564). https://bugs.webkit.org/show_bug.cgi?id=255806

    jsc_fuzz: ASSERTION FAILED: !is8Bit() || isEmpty() in stringProtoFuncToWellFormed()
    https://bugs.webkit.org/show_bug.cgi?id=255806
    <rdar://108256807>

    Reviewed by Yusuke Suzuki.

    It's necessary to resolve a rope to determine if a string is 8-bit: JSRopeString's is8BitInPointer merely
    implies it can be represented as 8-bit, but after the rope is resolved, it can become a 16-bit string.

    * JSTests/stress/regress-255806.js: Added.
    * Source/JavaScriptCore/runtime/StringPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):

    Canonical link: https://commits.webkit.org/259548.689@safari-7615-branch
Alexey Shvayka authored and mcatanzaro committed Jul 28, 2023
1 parent ae98f7b commit a061038
Showing 2 changed files with 7 additions and 0 deletions.
4 changes: 4 additions & 0 deletions JSTests/stress/regress-255806.js
@@ -0,0 +1,4 @@
let s0 = '000'.toLocaleUpperCase();
let s1 = s0.slice(1);
s1[s0] = undefined;
s1.toWellFormed();
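
Review bot: the regression test ends at `s1.toWellFormed();` without checking the result, so it only fails on builds where the assertion named in the commit message is compiled in. Consider asserting that the call returns "00" (the value of `'000'.toLocaleUpperCase().slice(1)`), so that a wrong return value is caught on release builds too. A short comment on why `s1[s0] = undefined;` is needed to reach the failing state would also help whoever has to maintain this test later.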
3 changes: 3 additions & 0 deletions Source/JavaScriptCore/runtime/StringPrototype.cpp
Expand Up @@ -1844,6 +1844,9 @@ JSC_DEFINE_HOST_FUNCTION(stringProtoFuncToWellFormed, (JSGlobalObject* globalObj
String string = stringValue->value(globalObject);
RETURN_IF_EXCEPTION(scope, { });

if (string.is8Bit())
return JSValue::encode(stringValue);

const UChar* characters = string.characters16();
unsigned length = string.length();
auto firstIllFormedIndex = illFormedIndex(characters, length);
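
Review bot: the new `if (string.is8Bit())` early return ahead of `string.characters16()` has no comment saying why the 8-bit test is made on the resolved `String` rather than on `stringValue`. The commit message explains that a rope's is8BitInPointer flag is not reliable until the rope is resolved; a one-line comment to that effect above the check would keep a later cleanup from moving it back above `stringValue->value(globalObject)` or dropping it as redundant. Returning `stringValue` unchanged is the right result here, since an 8-bit string cannot contain surrogate code units and is therefore already well formed.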