Title: [248716] trunk
Revision
248716
Author
mark....@apple.com
Date
2019-08-15 09:31:19 -0700 (Thu, 15 Aug 2019)

Log Message

More missing exception checks in String.prototype.
https://bugs.webkit.org/show_bug.cgi?id=200762
<rdar://problem/54333896>

Reviewed by Michael Saboff.

JSTests:

* stress/missing-exception-check-in-string-lastIndexOf.js: Added.
* stress/missing-exception-check-in-string-toLower.js: Added.
* stress/missing-exception-check-in-string-toUpper.js: Added.

Source/_javascript_Core:

* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::operationStringProtoFuncReplaceRegExpString):
(JSC::stringProtoFuncLastIndexOf):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (248715 => 248716)


--- trunk/JSTests/ChangeLog	2019-08-15 16:02:26 UTC (rev 248715)
+++ trunk/JSTests/ChangeLog	2019-08-15 16:31:19 UTC (rev 248716)
@@ -1,3 +1,15 @@
+2019-08-15  Mark Lam  <mark....@apple.com>
+
+        More missing exception checks in String.prototype.
+        https://bugs.webkit.org/show_bug.cgi?id=200762
+        <rdar://problem/54333896>
+
+        Reviewed by Michael Saboff.
+
+        * stress/missing-exception-check-in-string-lastIndexOf.js: Added.
+        * stress/missing-exception-check-in-string-toLower.js: Added.
+        * stress/missing-exception-check-in-string-toUpper.js: Added.
+
 2019-08-14  Mark Lam  <mark....@apple.com>
 
         ProxyObject should not be allow to access its target's private properties.

Added: trunk/JSTests/stress/missing-exception-check-in-string-lastIndexOf.js (0 => 248716)


--- trunk/JSTests/stress/missing-exception-check-in-string-lastIndexOf.js	                        (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-lastIndexOf.js	2019-08-15 16:31:19 UTC (rev 248716)
@@ -0,0 +1,9 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+    s1.lastIndexOf();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
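Review bot: `exception` is never declared, so if `s1.lastIndexOf()` returns normally the comparison on the last line raises a ReferenceError rather than the intended `"FAILED"`; declare it before the try, `let exception;`. The test also relies on `padEnd(2**31-1, 'aa')` building a string that only fails when it is flattened inside `lastIndexOf`; that dependency on memory limits is presumably intended but deserves a one-line comment, e.g. `// Build a huge rope; flattening it in lastIndexOf() must throw OOM, which the callee must check for.`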

Added: trunk/JSTests/stress/missing-exception-check-in-string-toLower.js (0 => 248716)


--- trunk/JSTests/stress/missing-exception-check-in-string-toLower.js	                        (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-toLower.js	2019-08-15 16:31:19 UTC (rev 248716)
@@ -0,0 +1,9 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+    s1.toLowerCase();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
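Review bot: `exception` is assigned only in the catch block and never declared, so a run where `toLowerCase()` does not throw fails with a ReferenceError on the final `if` instead of the `"FAILED"` message the test intends; add `let exception;` before the try. A short comment above `const s1` explaining that the oversized `padEnd` is meant to make flattening inside `toLowerCase()` fail with OOM would make the expected-failure mode clear to the next reader.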

Added: trunk/JSTests/stress/missing-exception-check-in-string-toUpper.js (0 => 248716)


--- trunk/JSTests/stress/missing-exception-check-in-string-toUpper.js	                        (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-toUpper.js	2019-08-15 16:31:19 UTC (rev 248716)
@@ -0,0 +1,9 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+    s1.toUpperCase();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
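Review bot: As in the sibling tests, `exception` is an undeclared global that is only assigned in the catch block, so the no-throw path ends in a ReferenceError rather than `throw "FAILED"`; declare it with `let exception;` ahead of the try. Consider a comment noting that the `2**31-1` pad is chosen to make rope flattening in `toUpperCase()` throw OOM, so the intent survives if the size constant is ever tuned.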

Modified: trunk/Source/_javascript_Core/ChangeLog (248715 => 248716)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-15 16:02:26 UTC (rev 248715)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-15 16:31:19 UTC (rev 248716)
@@ -1,3 +1,18 @@
+2019-08-15  Mark Lam  <mark....@apple.com>
+
+        More missing exception checks in String.prototype.
+        https://bugs.webkit.org/show_bug.cgi?id=200762
+        <rdar://problem/54333896>
+
+        Reviewed by Michael Saboff.
+
+        * runtime/StringPrototype.cpp:
+        (JSC::replaceUsingRegExpSearch):
+        (JSC::operationStringProtoFuncReplaceRegExpString):
+        (JSC::stringProtoFuncLastIndexOf):
+        (JSC::stringProtoFuncToLowerCase):
+        (JSC::stringProtoFuncToUpperCase):
+
 2019-08-15  Joseph Pecoraro  <pecor...@apple.com>
 
         for-await-of has bad error message if used in non-async function

Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (248715 => 248716)


--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp	2019-08-15 16:02:26 UTC (rev 248715)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp	2019-08-15 16:31:19 UTC (rev 248716)
@@ -529,6 +529,7 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     String source = string->value(exec);
+    RETURN_IF_EXCEPTION(scope, nullptr);
     unsigned sourceLen = source.length();
     RETURN_IF_EXCEPTION(scope, nullptr);
     RegExpObject* regExpObject = jsCast<RegExpObject*>(searchValue);
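Review bot: With the new check directly after `string->value(exec)`, the pre-existing `RETURN_IF_EXCEPTION(scope, nullptr);` that follows `unsigned sourceLen = source.length();` is redundant, since `String::length()` cannot throw; it appears to have been the original, misplaced guard for the `value()` call. Drop that second check so the exception-check placement documents which call can actually throw. This function's signature and the rest of its body lie outside the hunk.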
@@ -754,11 +755,13 @@
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
-    
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     CallData callData;
     String replacementString = replaceString->value(exec);
-    return replaceUsingRegExpSearch(
-        vm, exec, thisValue, searchValue, callData, CallType::None, replacementString, replaceString);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    RELEASE_AND_RETURN(scope, replaceUsingRegExpSearch(
+        vm, exec, thisValue, searchValue, callData, CallType::None, replacementString, replaceString));
 }
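Review bot: The switch from a plain `return` to `RELEASE_AND_RETURN(scope, ...)` is the right call but nothing says why; a reader later may "simplify" it back. Add a one-liner above it, e.g. `// replaceUsingRegExpSearch declares its own throw scope; release ours before handing off.` The function signature sits outside the hunk, so the `replaceString`/`searchValue` parameter types are inferred here.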
 
 static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(VM& vm, ExecState* exec, JSString* string, JSValue searchValue, JSValue replaceValue)
@@ -1125,7 +1128,9 @@
         return JSValue::encode(jsNumber(-1));
 
     String thisString = thisJSString->value(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     String otherString = otherJSString->value(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     size_t result;
     if (!startPosition)
         result = thisString.startsWith(otherString) ? 0 : notFound;
@@ -1446,6 +1451,7 @@
     JSString* sVal = thisValue.toString(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
     String s = sVal->value(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     String lowercasedString = s.convertToLowercaseWithoutLocale();
     if (lowercasedString.impl() == s.impl())
         return JSValue::encode(sVal);
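Review bot: The new check is correct, but the line it guards looks innocuous (`sVal->value(exec)`), and the same pattern was missed here before; a comment would keep it from being dropped again, e.g. `// value() may flatten a rope and can throw (e.g. OOM); check before touching s.` Note the `.impl() == s.impl()` fast path that follows presumably relies on `convertToLowercaseWithoutLocale()` returning the same impl when nothing changed, which is worth stating too. The function continues past the hunk.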
@@ -1463,6 +1469,7 @@
     JSString* sVal = thisValue.toString(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
     String s = sVal->value(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     String uppercasedString = s.convertToUppercaseWithoutLocale();
     if (uppercasedString.impl() == s.impl())
         return JSValue::encode(sVal);
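Review bot: This body is now line-for-line identical to `stringProtoFuncToLowerCase` apart from the `convertToUppercaseWithoutLocale()` call, and the missing exception check had to be fixed in both places; a small shared helper taking the conversion as a template or function-pointer parameter would make one fix cover both. If that refactor is out of scope, at least add the same why-comment on the `value(exec)` line, `// value() may flatten a rope and can throw (e.g. OOM); check before touching s.` The function's remaining lines are outside the hunk.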