2007-08-02 Mark Rowe <mrowe@apple.com>
Reviewed by Maciej.
<rdar://problem/5352887> "Out of memory" error during repeated JS string concatenation leaks hundreds of MBs of RAM
A call to fastRealloc was failing which led to UString::expandCapacity leaking the buffer it was trying to reallocate.
It also resulted in the underlying UString::rep having both a null baseString and buf field, which meant that attempting
to access the contents of the string after the failed memory reallocation would crash.
A third issue is that expandedSize was calculating the new length in a way that led to an integer overflow occurring.
Attempting to allocate a string more than 190,000,000 characters long would fail as the integer overflow would lead to a
memory allocation of around 3.6GB being attempted rather than the expected 390MB. Sizes that would lead to an overflow
are now returned as zero and callers are updated to treat this as though the memory allocation has failed.
* kjs/array_object.cpp:
(ArrayProtoFunc::callAsFunction): Check whether the append failed and raise an "Out of memory" exception if it did.
* kjs/ustring.cpp:
(KJS::allocChars): Wrapper around fastMalloc that takes a length in characters. It will return 0 when asked to allocate a zero-length buffer.
(KJS::reallocChars): Wrapper around fastRealloc that takes a length in characters. It will return 0 when asked to allocate a zero-length buffer.
(KJS::UString::expandedSize): Split the size calculation in two and guard against overflow during each step.
(KJS::UString::expandCapacity): Don't leak r->buf if reallocation fails. Instead free the memory and use the null representation.
(KJS::UString::expandPreCapacity): If fastMalloc fails then use the null representation rather than crashing in memcpy.
(KJS::UString::UString): If calls to expandCapacity, expandPreCapacity or fastMalloc fail then use the null representation rather than crashing in memcpy.
(KJS::UString::append): Ditto.
(KJS::UString::operator=): Ditto.
* kjs/ustring.h: Change return type of expandedSize from int to size_t.
2007-08-02 Mark Rowe <mrowe@apple.com>
Reviewed by Maciej.
<rdar://problem/5352887> "Out of memory" error during repeated JS string concatenation leaks hundreds of MBs of RAM
Update test to check that accessing the string after the "Out of memory" exception was raised does not crash.
* fast/js/resources/string-concatenate-outofmemory.js:
* fast/js/string-concatenate-outofmemory-expected.txt:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@24820 268f45cc-cd09-0410-ab3c-d52691b4dbfc
7 files changed
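The pattern the change describes (a two-step, overflow-checked capacity calculation that returns zero, length-in-characters allocation wrappers that treat zero as failure, and a grow routine that frees the old buffer and falls back to a null representation instead of leaking or crashing), as an added illustration rather than WebKit's own code. The 10%+1 growth factor, the Rep layout and the helper names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>

typedef uint16_t UChar;  // assumed: 16-bit code units as in KJS

// Largest character count whose byte size still fits in size_t (assumed limit).
static size_t maxChars() { return std::numeric_limits<size_t>::max() / sizeof(UChar); }

// Capacity calculation split in two checked steps (growth factor assumed: 10% + 1).
// Returns 0 on overflow; callers treat 0 exactly like a failed allocation.
size_t expandedSize(size_t size, size_t otherSize) {
    if (size > maxChars() / 11) return 0;           // size * 11 would overflow
    size_t grown = size * 11 / 10 + 1;
    if (otherSize > maxChars() - grown) return 0;   // grown + otherSize would overflow
    return grown + otherSize;
}

// realloc wrapper taking a length in characters: a zero length (the overflow
// signal) yields null instead of a bogus allocation, and byte size is checked.
UChar* reallocChars(UChar* buf, size_t length) {
    if (length == 0 || length > maxChars()) return nullptr;
    return static_cast<UChar*>(std::realloc(buf, length * sizeof(UChar)));
}

struct Rep { UChar* buf; size_t len; size_t capacity; };  // assumed minimal rep

// Grow r so it can hold newLength characters. realloc leaves the old block
// valid on failure, so it is freed explicitly and r becomes the empty/null
// state; reading the string afterwards sees a consistent object, not a dangling
// pointer, and the "Out of memory" path no longer leaks the buffer.
bool expandCapacity(Rep& r, size_t newLength) {
    size_t newCapacity = expandedSize(newLength, 0);
    UChar* newBuf = reallocChars(r.buf, newCapacity);
    if (!newBuf) {
        std::free(r.buf);
        r.buf = nullptr;
        r.len = 0;
        r.capacity = 0;
        return false;
    }
    r.buf = newBuf;
    r.capacity = newCapacity;
    return true;
}
```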