haikuwebkit/LayoutTests/css3/out-of-memory-in-css-tokeni...

4 lines, 56 B, HTML

Add handling for a case of OOME in CSSTokenizer and CSSParser.
https://bugs.webkit.org/show_bug.cgi?id=213702
<rdar://problem/64808889>

Reviewed by Darin Adler.

Source/WebCore:

We add a bool* constructionSuccess feedback argument to the private CSSTokenizer constructor. If construction fails and constructionSuccess is provided, the constructor will set *constructionSuccess to false. If construction fails and constructionSuccess is not provided, the constructor will crash with a failed RELEASE_ASSERT. In other words, the client may opt in to handle the failure to construct if it doesn't want the default behavior of crashing on failure.

We also provide 2 convenience factory methods for CSSTokenizer which will return a null std::unique_ptr<CSSTokenizer> if construction fails. This is currently only used by CSSParserImpl, and ensures that its m_tokenizer is null if we fail to construct. This ensures that there isn't a pointer to a partially constructed tokenizer that some code may unknowingly use.

The reason we don't force all clients of CSSTokenizer to use the factory methods instead is because there are clients that currently use on-stack instantiations of CSSTokenizer to do their work. We don't want to force them to switch to using a malloc instance. Currently, the constructors used by those clients do not provide a constructionSuccess argument to the underlying private constructor. Hence, for them, the CSSTokenizer constructor will crash if construction fails, which is how things work in pre-existing code. The only difference is that the crash is deferred till the client attempts to use the tokenizer instead of at construction time.

As of this patch, only CSSParser::parseSupportsCondition() makes use of the new feedback mechanism, and handles OOME during CSSTokenizer construction by interpreting it as CSS not supporting the passed-in condition string.

Test: css3/out-of-memory-in-css-tokenizer.html

* css/parser/CSSParser.cpp:
(WebCore::CSSParser::parseSupportsCondition):
* css/parser/CSSParserImpl.cpp:
(WebCore::CSSParserImpl::CSSParserImpl):
(WebCore::CSSParserImpl::failed const):
* css/parser/CSSParserImpl.h:
* css/parser/CSSTokenizer.cpp:
(WebCore::CSSTokenizer::CSSTokenizer):
* css/parser/CSSTokenizer.h:
(WebCore::CSSTokenizer::failed const):

Source/WTF:

1. Added FailureAction so that we can parameterize how we want to handle failures. In this patch, we're only using this for allocation failures, but we could technically apply this to other types of failures as well.

2. Apply FailureAction to many methods in Vector (and its super classes) so that we can start de-duplicating code. Previously, we were always duplicating code just to have a "try" version of the same method that reports the failure to allocate instead of crashing. We can now parameterize all these methods on a FailureAction template parameter instead, and avoid the code duplication. This patch also reverses some of the existing code duplication.

* WTF.xcodeproj/project.pbxproj:
* wtf/CMakeLists.txt:
* wtf/FailureAction.h: Added.
* wtf/Vector.h:
(WTF::VectorBufferBase::allocateBuffer):
(WTF::VectorBufferBase::tryAllocateBuffer):
(WTF::VectorBuffer::allocateBuffer):
(WTF::VectorBuffer::tryAllocateBuffer):
(WTF::Vector::reserveCapacity):
(WTF::Vector::tryReserveCapacity):
(WTF::Vector::reserveInitialCapacity):
(WTF::Vector::tryReserveInitialCapacity):
(WTF::Vector::append):
(WTF::Vector::tryAppend):
(WTF::Vector::constructAndAppend):
(WTF::Vector::tryConstructAndAppend):
(WTF::Vector::expandCapacity):
(WTF::Vector::resize):
(WTF::Vector::grow):
(WTF::Vector::reserveCapacity):
(WTF::Vector::reserveInitialCapacity):
(WTF::Vector::append):
(WTF::Vector::constructAndAppend):
(WTF::Vector::appendSlowCase):
(WTF::Vector::constructAndAppendSlowCase):
(WTF::Vector::appendVector):
(WTF::Vector::insert):
(WTF::Vector::tryExpandCapacity): Deleted.
(WTF::Vector::tryReserveCapacity): Deleted.
(WTF::Vector::tryAppend): Deleted.
(WTF::Vector::tryConstructAndAppend): Deleted.
(WTF::Vector::tryConstructAndAppendSlowCase): Deleted.

LayoutTests:

* css3/out-of-memory-in-css-tokenizer-expected.txt: Added.
* css3/out-of-memory-in-css-tokenizer.html: Added.

Canonical link: https://commits.webkit.org/226616@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@263771 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2020-06-30 21:17:01 +00:00
<script>
// The condition string is built oversized (2**29 + 1 characters) so that constructing
// a CSSTokenizer for it fails with an OOME, the case the commit above handles. With the
// fix, the failure is reported to CSSParser::parseSupportsCondition(), which treats the
// condition as unsupported instead of crashing the process.
CSS.supports('a'.repeat(2**29 + 1));
</script>
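The commit message above describes two mechanisms: a FailureAction template parameter so that one method body serves both the crashing and the "try" variant of Vector's allocation paths, and a bool* constructionSuccess feedback argument (plus a factory returning a null unique_ptr) so that a caller can opt in to handling a failed CSSTokenizer construction. The following is an added, self-contained sketch of both, not WebKit's code: FailureAction, TokenBuffer, Tokenizer, tryCreate and parseSupportsCondition are illustrative names, the tokenizer is a whitespace splitter rather than a CSS tokenizer, and the allocation cap is an assumed test hook that stands in for real memory exhaustion so the OOM path can be exercised deterministically. The deferred-to-first-use crash the commit mentions for on-stack clients is not modelled; here the opt-out path crashes at construction.

```cpp
// Added example (not WebKit code): FailureAction-parameterised allocation plus
// a constructionSuccess feedback argument and null-returning factory.
// All names are illustrative; g_allocationLimit is a test hook, not a real API.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <string>
#include <string_view>

enum class FailureAction { Crash, Report };

static size_t g_allocationLimit = SIZE_MAX;  // simulated OOM above this many bytes

// Growable array of token start offsets. One reserveCapacity<> body serves both
// the crashing and the "try" variant; only the failure path differs.
class TokenBuffer {
public:
    ~TokenBuffer() { std::free(m_data); }

    template<FailureAction action>
    bool reserveCapacity(size_t newCapacity) {
        if (newCapacity <= m_capacity)
            return true;
        if (newCapacity > SIZE_MAX / sizeof(size_t))  // byte count would overflow
            return onFailure<action>();
        size_t bytes = newCapacity * sizeof(size_t);
        void* p = bytes > g_allocationLimit ? nullptr : std::realloc(m_data, bytes);
        if (!p)
            return onFailure<action>();
        m_data = static_cast<size_t*>(p);
        m_capacity = newCapacity;
        return true;
    }
    bool tryReserveCapacity(size_t n) { return reserveCapacity<FailureAction::Report>(n); }

    template<FailureAction action>
    bool append(size_t value) {
        if (m_size == m_capacity && !reserveCapacity<action>(m_capacity ? m_capacity * 2 : 4))
            return false;
        m_data[m_size++] = value;
        return true;
    }
    bool tryAppend(size_t v) { return append<FailureAction::Report>(v); }

    size_t size() const { return m_size; }
    static void setAllocationLimitForTesting(size_t bytes) { g_allocationLimit = bytes; }

private:
    template<FailureAction action>
    static bool onFailure() {
        if (action == FailureAction::Crash)
            std::abort();  // stands in for RELEASE_ASSERT
        return false;     // Report: let the caller decide
    }
    size_t* m_data = nullptr;
    size_t m_size = 0;
    size_t m_capacity = 0;
};

// Whitespace-splitting stand-in for CSSTokenizer. It reserves storage
// proportional to the input up front, so an oversized input fails in the constructor.
class Tokenizer {
public:
    // On-stack clients use this constructor: failure still crashes, as before.
    explicit Tokenizer(std::string_view input) : Tokenizer(input, nullptr) {}

    // Opt-in path: nullptr on failure, so no partially constructed tokenizer escapes.
    static std::unique_ptr<Tokenizer> tryCreate(std::string_view input) {
        bool ok = true;
        std::unique_ptr<Tokenizer> tokenizer(new Tokenizer(input, &ok));
        if (!ok)
            return nullptr;
        return tokenizer;
    }

    bool failed() const { return m_failed; }
    size_t tokenCount() const { return m_tokens.size(); }

private:
    Tokenizer(std::string_view input, bool* constructionSuccess) {
        if (!m_tokens.tryReserveCapacity(input.size())) {  // worst case: one token per char
            m_failed = true;
            if (constructionSuccess) {
                *constructionSuccess = false;
                return;
            }
            std::abort();  // caller did not opt in: RELEASE_ASSERT behaviour
        }
        for (size_t i = 0; i < input.size(); ++i) {
            bool startsToken = input[i] != ' ' && (i == 0 || input[i - 1] == ' ');
            if (startsToken)
                m_tokens.tryAppend(i);  // cannot fail: capacity was reserved above
        }
    }
    TokenBuffer m_tokens;
    bool m_failed = false;
};

// Stand-in for CSSParser::parseSupportsCondition(): a two-token "property value"
// condition counts as supported; an OOME while tokenizing reads as "not supported".
bool parseSupportsCondition(std::string_view condition) {
    auto tokenizer = Tokenizer::tryCreate(condition);
    if (!tokenizer)
        return false;
    return tokenizer->tokenCount() == 2;
}

int main() {
    std::printf("display grid -> %d\n", parseSupportsCondition("display grid"));
    TokenBuffer::setAllocationLimitForTesting(1024);  // force the OOM path
    std::printf("oversized -> %d\n", parseSupportsCondition(std::string(1000, 'a')));
    TokenBuffer::setAllocationLimitForTesting(SIZE_MAX);
    return 0;
}
```

The point to notice is that `reserveCapacity<FailureAction::Crash>` and `tryReserveCapacity` share one body, so an overflow check or allocation fix lands in both at once, and that `tryCreate` never returns a constructed-but-failed object: a caller either gets a usable tokenizer or a null pointer.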