Fix a bug in transient object property assignment and getUTF16Ref
Summary:
The returned `UTF16Ref` from `StringView::getUTF16Ref` can be invalidated by
appending more contents to the same allocator.
This case was encountered in `transientObjectPutErrorMessage`, resulting in
using freed memory.

Reviewed By: tmikov

Differential Revision: D23034855

fbshipit-source-id: 4c25a5369934bf3bdfc5582385503f4b87de3792
dulinriley authored and facebook-github-bot committed Aug 14, 2020
1 parent 1c6d46a commit d86e185
Showing 2 changed files with 6 additions and 5 deletions.
4 changes: 2 additions & 2 deletions include/hermes/VM/StringView.h
@@ -319,9 +319,9 @@ class StringView {
/// If the string is already UTF16, we return the pointer directly;
/// otherwise (it's ASCII) we copy the string into the end of \p allocator,
/// and \return a pointer to the beginning of this string in the allocator.
/// Note: \p allocator does not need to be empty when passed in. We always
/// append.
/// \pre allocator must be empty when passed in.
UTF16Ref getUTF16Ref(llvh::SmallVectorImpl<char16_t> &allocator) const {
assert(allocator.empty() && "Shouldn't use a non-empty allocator");
return getUTF16Ref(allocator, false);
}
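Review bot: The new `\pre allocator must be empty` line and the `assert(allocator.empty() && ...)` only guard the state on entry; they do not document the hazard the summary describes, namely that the returned `UTF16Ref` points into `allocator` (in the ASCII copy case) and is invalidated as soon as anything else is appended to that buffer. Suggest extending the doc comment with the lifetime rule, e.g. `/// The returned ref is valid only until \p allocator is next modified.`, so the next caller who reuses a buffer for two calls understands why that is unsafe. Also note that `assert` is compiled out in release builds, so a non-empty allocator there silently falls back to the old append-and-dangle behaviour; if that is unacceptable, consider a check that survives in release or make the contract explicit in the comment.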

7 changes: 4 additions & 3 deletions lib/VM/Interpreter.cpp
@@ -445,11 +445,12 @@ transientObjectPutErrorMessage(Runtime *runtime, Handle<> base, SymbolID id) {
StringView valueAsStringPrintable =
StringPrimitive::createStringView(runtime, valueAsString);

SmallU16String<32> tmp;
SmallU16String<32> tmp1;
SmallU16String<32> tmp2;
return runtime->raiseTypeError(
TwineChar16("Cannot create property '") + propName + "' on " +
baseTypeAsString.getUTF16Ref(tmp) + " '" +
valueAsStringPrintable.getUTF16Ref(tmp) + "'");
baseTypeAsString.getUTF16Ref(tmp1) + " '" +
valueAsStringPrintable.getUTF16Ref(tmp2) + "'");
}

ExecutionStatus Interpreter::putByIdTransient_RJS(
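Review bot: Splitting `tmp` into `tmp1` and `tmp2` is the right fix, since `baseTypeAsString.getUTF16Ref(tmp)` and `valueAsStringPrintable.getUTF16Ref(tmp)` previously shared one buffer and the second append could reallocate it, leaving the first `UTF16Ref` dangling inside the `TwineChar16` expression. The hunk should say so in a short comment above the two declarations (e.g. `// Each getUTF16Ref call needs its own buffer: appending to a shared one invalidates earlier refs.`), otherwise a later cleanup is likely to merge the two locals back into one and reintroduce the use-after-free, with only the debug-only assert added in StringView.h to catch it. Names such as `baseTypeBuf` and `valueBuf` would carry the same information better than `tmp1`/`tmp2`. The lifetime of both `SmallU16String<32>` locals covers the full `return` expression, so the refs held by the `TwineChar16` are valid for the `raiseTypeError` call.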

0 comments on commit d86e185
