Title: [262388] trunk
Revision: 262388
Author: ysuz...@apple.com
Date: 2020-06-01 11:42:47 -0700 (Mon, 01 Jun 2020)

Log Message

[JSC] JSValue::toThis should not throw exception
https://bugs.webkit.org/show_bug.cgi?id=212595

Reviewed by Mark Lam.

JSTests:

* stress/number-proto.js: Added.
(shouldBe):

Source/_javascript_Core:

Including WebCore code, there is a lot of code which assumes JSValue::toThis does not throw an exception.
This assumption is now broken after making JSBigInt allocation graceful for OOM. But for this particular JSValue::toThis case,
we can make it non-throwing code.

This patch makes JSValue::toThis non-throwing code to fix exception-missing debug assertions.
We ensure that BigIntObject can hold BigInt32 (actually, it can already if toObjectSlowCase path is taken).

* runtime/BigIntObject.cpp:
(JSC::BigIntObject::create):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toThisSlowCase const):

Diff

Modified: trunk/JSTests/ChangeLog (262387 => 262388)


--- trunk/JSTests/ChangeLog	2020-06-01 18:21:50 UTC (rev 262387)
+++ trunk/JSTests/ChangeLog	2020-06-01 18:42:47 UTC (rev 262388)
@@ -1,3 +1,13 @@
+2020-06-01  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] JSValue::toThis should not throw exception
+        https://bugs.webkit.org/show_bug.cgi?id=212595
+
+        Reviewed by Mark Lam.
+
+        * stress/number-proto.js: Added.
+        (shouldBe):
+
 2020-06-01  Caio Lima  <ticaiol...@gmail.com>
 
         JSTests/exceptionFuzz/earley-boyer.js fails with early exception thrown.

Added: trunk/JSTests/stress/number-proto.js (0 => 262388)


--- trunk/JSTests/stress/number-proto.js	                        (rev 0)
+++ trunk/JSTests/stress/number-proto.js	2020-06-01 18:42:47 UTC (rev 262388)
@@ -0,0 +1,6 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+shouldBe(typeof (0).__proto__, `object`);
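Review bot: the only assertion, `shouldBe(typeof (0).__proto__, 'object')`, exercises just the number branch of toThisSlowCase; the BigInt32 branch, which is the one that used to allocate a heap JSBigInt and could throw, gets no coverage from this file. Consider adding a BigInt case (for example `shouldBe(typeof (0n).__proto__, 'object')`) and a boolean case so each of the three rewritten branches is hit, and consider including `expected` in the thrown message so a failure reports both values.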

Modified: trunk/Source/_javascript_Core/ChangeLog (262387 => 262388)


--- trunk/Source/_javascript_Core/ChangeLog	2020-06-01 18:21:50 UTC (rev 262387)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-06-01 18:42:47 UTC (rev 262388)
@@ -1,5 +1,24 @@
 2020-06-01  Yusuke Suzuki  <ysuz...@apple.com>
 
+        [JSC] JSValue::toThis should not throw exception
+        https://bugs.webkit.org/show_bug.cgi?id=212595
+
+        Reviewed by Mark Lam.
+
+        Including WebCore code, there are a lot of code which assume JSValue::toThis should not throw an exception.
+        This assumption was now broken after making JSBigInt allocation graceful for OOM. But for this particular JSValue::toThis case,
+        we can make it non-throwing code.
+
+        This patch makes JSValue::toThis non-throwing code to fix exception-missing debug assertions.
+        We ensure that BigIntObject can hold BigInt32 (actually, it can already if toObjectSlowCase path is taken).
+
+        * runtime/BigIntObject.cpp:
+        (JSC::BigIntObject::create):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::toThisSlowCase const):
+
+2020-06-01  Yusuke Suzuki  <ysuz...@apple.com>
+
         [JSC] BigInt operations should handle exception correctly
         https://bugs.webkit.org/show_bug.cgi?id=212596
 
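Review bot: the sentence "We ensure that BigIntObject can hold BigInt32" overstates what this revision changes in BigIntObject.cpp, where the only edit is a new `ASSERT(bigInt.isBigInt())`; the parenthetical itself admits the object already holds BigInt32 via the toObjectSlowCase path. Reword the ChangeLog to say the assertion documents and checks the existing capability (the value passed to create may be either a heap BigInt or a BigInt32 immediate), so a reader does not go looking for a storage change that is not in the diff.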

Modified: trunk/Source/_javascript_Core/runtime/BigIntObject.cpp (262387 => 262388)


--- trunk/Source/_javascript_Core/runtime/BigIntObject.cpp	2020-06-01 18:21:50 UTC (rev 262387)
+++ trunk/Source/_javascript_Core/runtime/BigIntObject.cpp	2020-06-01 18:42:47 UTC (rev 262388)
@@ -38,6 +38,7 @@
 
 BigIntObject* BigIntObject::create(VM& vm, JSGlobalObject* globalObject, JSValue bigInt)
 {
+    ASSERT(bigInt.isBigInt());
     BigIntObject* object = new (NotNull, allocateCell<BigIntObject>(vm.heap)) BigIntObject(vm, globalObject->bigIntObjectStructure());
     object->finishCreation(vm, bigInt);
     return object;
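Review bot: `ASSERT(bigInt.isBigInt())` is compiled out of release builds, so the contract that `create` now accepts a non-cell BigInt32 immediate as well as a heap JSBigInt is enforced only in debug; a one-line comment above the assertion stating that both representations are valid inputs (and that finishCreation stores the JSValue rather than a cell) would make the intent visible to callers reading release code. The assertion also depends on `isBigInt()` covering both `isBigInt32()` and `isHeapBigInt()`, which is worth confirming under `#if USE(BIGINT32)`.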

Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (262387 => 262388)


--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2020-06-01 18:21:50 UTC (rev 262387)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2020-06-01 18:42:47 UTC (rev 262388)
@@ -119,7 +119,6 @@
 JSValue JSValue::toThisSlowCase(JSGlobalObject* globalObject, ECMAMode ecmaMode) const
 {
     VM& vm = globalObject->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
 
     ASSERT(!isCell());
 
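Review bot: with `auto scope = DECLARE_THROW_SCOPE(vm);` removed, `VM& vm = globalObject->vm();` on the kept context line has no remaining use in this hunk, and its only later use is inside a `#if USE(BIGINT32)` block; in a build without BIGINT32 that leaves a potentially unused local, so either move the `vm` declaration into the `#if` block or mark it with `UNUSED_PARAM(vm)` for that configuration. Removing the scope also removes the debug check that callees leave no pending exception; since the function is now documented as non-throwing, a debug-only assertion that no exception is pending on return would preserve that safety net.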
@@ -127,15 +126,12 @@
         return *this;
 
     if (isInt32() || isDouble())
-        RELEASE_AND_RETURN(scope, constructNumber(globalObject, asValue()));
+        return constructNumber(globalObject, asValue());
     if (isTrue() || isFalse())
-        RELEASE_AND_RETURN(scope, constructBooleanFromImmediateBoolean(globalObject, asValue()));
+        return constructBooleanFromImmediateBoolean(globalObject, asValue());
 #if USE(BIGINT32)
-    if (isBigInt32()) {
-        JSCell* heapBigInt = static_cast<JSCell*>(JSBigInt::createFrom(globalObject, bigInt32AsInt32()));
-        RETURN_IF_EXCEPTION(scope, { });
-        RELEASE_AND_RETURN(scope, heapBigInt->toObject(globalObject));
-    }
+    if (isBigInt32())
+        return BigIntObject::create(vm, globalObject, *this);
 #endif
 
     ASSERT(isUndefinedOrNull());
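Review bot: the new BigInt32 branch `return BigIntObject::create(vm, globalObject, *this);` drops both the `JSBigInt::createFrom` heap allocation and the `RETURN_IF_EXCEPTION(scope, { });` that guarded it; that is sound only because `BigIntObject::create` allocates through `allocateCell`, which does not throw, and because `finishCreation` can store the BigInt32 immediate directly. Both facts are stated in the ChangeLog but not in the code, so a brief comment on this line noting that no throwing allocation remains on this path would keep a future change to `BigIntObject::create` from silently reintroducing an unchecked exception.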