Modified: trunk/Source/_javascript_Core/ChangeLog (201786 => 201787)
--- trunk/Source/_javascript_Core/ChangeLog 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-06-08 02:53:32 UTC (rev 201787)
@@ -1,3 +1,50 @@
+2016-06-07 Mark Lam <[email protected]>
+
+ Need an exception check after constructEmptyArray().
+ https://bugs.webkit.org/show_bug.cgi?id=158411
+
+ Reviewed by Saam Barati.
+
+ Added an exception check after each call to constructEmptyArray().
+
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ (Inspector::JSInjectedScriptHost::weakMapEntries):
+ (Inspector::JSInjectedScriptHost::weakSetEntries):
+ (Inspector::JSInjectedScriptHost::iteratorEntries):
+ * interpreter/ShadowChicken.cpp:
+ (JSC::ShadowChicken::functionsOnStack):
+ * profiler/ProfilerBytecodeSequence.cpp:
+ (JSC::Profiler::BytecodeSequence::addSequenceProperties):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::toJS):
+ * profiler/ProfilerOSRExitSite.cpp:
+ (JSC::Profiler::OSRExitSite::toJS):
+ * profiler/ProfilerOriginStack.cpp:
+ (JSC::Profiler::OriginStack::toJS):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncConcat):
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ * runtime/LiteralParser.cpp:
+ (JSC::LiteralParser<CharType>::parse):
+ * runtime/ModuleLoaderObject.cpp:
+ (JSC::moduleLoaderObjectRequestedModules):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ownPropertyKeys):
+ * runtime/RegExpObject.cpp:
+ (JSC::collectMatches):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncSplitFast):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncSplitFast):
+ * runtime/TemplateRegistry.cpp:
+ (JSC::TemplateRegistry::getTemplateObject):
+
+ * tests/stress/regress-158411.js: Added.
+
2016-06-07 Filip Pizlo <[email protected]>
Implement Air::allocateStack() in ES6 to see how much of a bad idea that is
Modified: trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -257,11 +257,14 @@
if (exec->argumentCount() < 1)
return jsUndefined();
+ VM& vm = exec->vm();
JSValue value = exec->uncheckedArgument(0);
if (JSPromise* promise = jsDynamicCast<JSPromise*>(value)) {
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
switch (promise->status(exec->vm())) {
case JSPromise::Status::Pending:
array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("status"), jsNontrivialString(exec, ASCIILiteral("pending"))));
@@ -282,6 +285,8 @@
if (JSBoundFunction* boundFunction = jsDynamicCast<JSBoundFunction*>(value)) {
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "targetFunction", boundFunction->targetFunction()));
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundThis", boundFunction->boundThis()));
if (boundFunction->boundArgs())
@@ -292,6 +297,8 @@
if (ProxyObject* proxy = jsDynamicCast<ProxyObject*>(value)) {
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 2);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("target"), proxy->target()));
array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("handler"), proxy->handler()));
return array;
@@ -304,6 +311,8 @@
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 2);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", iteratedValue));
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", kind));
return array;
@@ -325,6 +334,8 @@
}
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 2);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", arrayIterator->iteratedValue(exec)));
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
return array;
@@ -345,6 +356,8 @@
}
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 2);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "map", mapIterator->iteratedValue()));
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
return array;
@@ -365,6 +378,8 @@
}
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 2);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "set", setIterator->iteratedValue()));
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
return array;
@@ -373,6 +388,8 @@
if (JSStringIterator* stringIterator = jsDynamicCast<JSStringIterator*>(value)) {
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 1);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "string", stringIterator->iteratedValue(exec)));
return array;
}
@@ -380,6 +397,8 @@
if (JSPropertyNameIterator* propertyNameIterator = jsDynamicCast<JSPropertyNameIterator*>(value)) {
unsigned index = 0;
JSArray* array = constructEmptyArray(exec, nullptr, 1);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
array->putDirectIndex(exec, index++, constructInternalProperty(exec, "object", propertyNameIterator->iteratedValue()));
return array;
}
@@ -405,6 +424,7 @@
if (exec->argumentCount() < 1)
return jsUndefined();
+ VM& vm = exec->vm();
JSValue value = exec->uncheckedArgument(0);
JSWeakMap* weakMap = jsDynamicCast<JSWeakMap*>(value);
if (!weakMap)
@@ -419,6 +439,8 @@
numberToFetch = static_cast<unsigned>(fetchDouble);
JSArray* array = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (auto it = weakMap->weakMapData()->begin(); it != weakMap->weakMapData()->end(); ++it) {
JSObject* entry = constructEmptyObject(exec);
entry->putDirect(exec->vm(), Identifier::fromString(exec, "key"), it->key);
@@ -449,6 +471,7 @@
if (exec->argumentCount() < 1)
return jsUndefined();
+ VM& vm = exec->vm();
JSValue value = exec->uncheckedArgument(0);
JSWeakSet* weakSet = jsDynamicCast<JSWeakSet*>(value);
if (!weakSet)
@@ -463,6 +486,8 @@
numberToFetch = static_cast<unsigned>(fetchDouble);
JSArray* array = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (auto it = weakSet->weakMapData()->begin(); it != weakSet->weakMapData()->end(); ++it) {
JSObject* entry = constructEmptyObject(exec);
entry->putDirect(exec->vm(), Identifier::fromString(exec, "value"), it->key);
@@ -501,7 +526,7 @@
iterator = stringIterator->clone(exec);
else if (JSPropertyNameIterator* propertyNameIterator = jsDynamicCast<JSPropertyNameIterator*>(value)) {
iterator = propertyNameIterator->clone(exec);
- if (UNLIKELY(exec->hadException()))
+ if (UNLIKELY(vm.exception()))
return JSValue();
} else {
if (JSObject* iteratorObject = jsDynamicCast<JSObject*>(value)) {
@@ -521,16 +546,18 @@
numberToFetch = static_cast<unsigned>(fetchDouble);
JSArray* array = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < numberToFetch; ++i) {
JSValue next = iteratorStep(exec, iterator);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
break;
if (next.isFalse())
break;
JSValue nextValue = iteratorValue(exec, next);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
break;
JSObject* entry = constructEmptyObject(exec);
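Review bot: The new check after constructEmptyArray() returns jsUndefined(), but the exception path a few lines earlier in the same function (the previous hunk, `return JSValue();` after propertyNameIterator->clone) returns an empty JSValue, so iteratorEntries now signals the same failure two different ways. Pick one form for the whole function; the other exception sites in this file all use `return jsUndefined();`. Also note that the loop below only `break`s on a pending exception and then presumably returns the partially filled array with the exception still set, so the caller must check vm.exception() rather than trust the result; that is pre-existing behaviour, but a one-line comment above the loop (`// On exception we stop early and return what we have; the caller must check vm.exception().`) would make it explicit. iteratorEntries begins and ends outside this hunk.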
Modified: trunk/Source/_javascript_Core/interpreter/ShadowChicken.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/interpreter/ShadowChicken.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/interpreter/ShadowChicken.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -435,10 +435,13 @@
JSArray* ShadowChicken::functionsOnStack(ExecState* exec)
{
+ VM& vm = exec->vm();
JSArray* result = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return nullptr;
iterate(
- exec->vm(), exec,
+ vm, exec,
[&] (const Frame& frame) -> bool {
result->push(exec, frame.callee);
return true;
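Review bot: functionsOnStack now returns nullptr on a pending exception, which is a new failure mode for a function whose return type is JSArray*; every caller outside this hunk has to be audited for a null check, otherwise the null dereference this commit is fixing just moves one frame up. The same applies to getJSListenerFunctions in JSCommandLineAPIHostCustom.cpp and getTemplateObject in TemplateRegistry.cpp, which also start returning nullptr here. A short contract comment on the declaration would help, e.g. `// Returns nullptr if an exception is pending in exec's VM; callers must check.` The lambda body (result->push) continues past the end of this hunk.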
Modified: trunk/Source/_javascript_Core/profiler/ProfilerBytecodeSequence.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/profiler/ProfilerBytecodeSequence.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/profiler/ProfilerBytecodeSequence.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -77,15 +77,20 @@
void BytecodeSequence::addSequenceProperties(ExecState* exec, JSObject* result) const
{
+ VM& vm = exec->vm();
JSArray* header = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return;
for (unsigned i = 0; i < m_header.size(); ++i)
header->putDirectIndex(exec, i, jsString(exec, String::fromUTF8(m_header[i])));
- result->putDirect(exec->vm(), exec->propertyNames().header, header);
+ result->putDirect(vm, exec->propertyNames().header, header);
JSArray* sequence = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return;
for (unsigned i = 0; i < m_sequence.size(); ++i)
sequence->putDirectIndex(exec, i, m_sequence[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().bytecode, sequence);
+ result->putDirect(vm, exec->propertyNames().bytecode, sequence);
}
} } // namespace JSC::Profiler
Modified: trunk/Source/_javascript_Core/profiler/ProfilerCompilation.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/profiler/ProfilerCompilation.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/profiler/ProfilerCompilation.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -114,48 +114,60 @@
JSValue Compilation::toJS(ExecState* exec) const
{
+ VM& vm = exec->vm();
JSObject* result = constructEmptyObject(exec);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
+ result->putDirect(vm, exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
+ result->putDirect(vm, exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
- result->putDirect(exec->vm(), exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
- result->putDirect(exec->vm(), exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
-
JSArray* profiledBytecodes = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_profiledBytecodes.size(); ++i)
profiledBytecodes->putDirectIndex(exec, i, m_profiledBytecodes[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().profiledBytecodes, profiledBytecodes);
+ result->putDirect(vm, exec->propertyNames().profiledBytecodes, profiledBytecodes);
JSArray* descriptions = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_descriptions.size(); ++i)
descriptions->putDirectIndex(exec, i, m_descriptions[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().descriptions, descriptions);
+ result->putDirect(vm, exec->propertyNames().descriptions, descriptions);
JSArray* counters = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (auto it = m_counters.begin(), end = m_counters.end(); it != end; ++it) {
JSObject* counterEntry = constructEmptyObject(exec);
- counterEntry->putDirect(exec->vm(), exec->propertyNames().origin, it->key.toJS(exec));
- counterEntry->putDirect(exec->vm(), exec->propertyNames().executionCount, jsNumber(it->value->count()));
+ counterEntry->putDirect(vm, exec->propertyNames().origin, it->key.toJS(exec));
+ counterEntry->putDirect(vm, exec->propertyNames().executionCount, jsNumber(it->value->count()));
counters->push(exec, counterEntry);
}
- result->putDirect(exec->vm(), exec->propertyNames().counters, counters);
+ result->putDirect(vm, exec->propertyNames().counters, counters);
JSArray* exitSites = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_osrExitSites.size(); ++i)
exitSites->putDirectIndex(exec, i, m_osrExitSites[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().osrExitSites, exitSites);
+ result->putDirect(vm, exec->propertyNames().osrExitSites, exitSites);
JSArray* exits = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_osrExits.size(); ++i)
exits->putDirectIndex(exec, i, m_osrExits[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().osrExits, exits);
+ result->putDirect(vm, exec->propertyNames().osrExits, exits);
- result->putDirect(exec->vm(), exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
- result->putDirect(exec->vm(), exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
- result->putDirect(exec->vm(), exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
- result->putDirect(exec->vm(), exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
+ result->putDirect(vm, exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
+ result->putDirect(vm, exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
+ result->putDirect(vm, exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
+ result->putDirect(vm, exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
if (!m_additionalJettisonReason.isNull())
- result->putDirect(exec->vm(), exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
+ result->putDirect(vm, exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
- result->putDirect(exec->vm(), exec->propertyNames().uid, m_uid.toJS(exec));
+ result->putDirect(vm, exec->propertyNames().uid, m_uid.toJS(exec));
return result;
}
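Review bot: The check after `constructEmptyObject(exec)` at the top of Compilation::toJS is not applied consistently: the constructEmptyObject call inside the counters loop (`JSObject* counterEntry = constructEmptyObject(exec);`) is unchecked, and Database::toJS in the next file checks only its constructEmptyArray calls while leaving its own `JSObject* result = constructEmptyObject(exec);` unchecked. If constructEmptyObject can leave an exception pending, all three sites need the guard; if it cannot, the guard at the top of this function is dead code and the ChangeLog entry (which only mentions constructEmptyArray) should say why it was added. I would either drop it or add `if (UNLIKELY(vm.exception())) return jsUndefined();` after each constructEmptyObject call in both functions for symmetry.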
Modified: trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -99,22 +99,29 @@
JSValue Database::toJS(ExecState* exec) const
{
+ VM& vm = exec->vm();
JSObject* result = constructEmptyObject(exec);
JSArray* bytecodes = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_bytecodes.size(); ++i)
bytecodes->putDirectIndex(exec, i, m_bytecodes[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().bytecodes, bytecodes);
+ result->putDirect(vm, exec->propertyNames().bytecodes, bytecodes);
JSArray* compilations = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_compilations.size(); ++i)
compilations->putDirectIndex(exec, i, m_compilations[i]->toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().compilations, compilations);
+ result->putDirect(vm, exec->propertyNames().compilations, compilations);
JSArray* events = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_events.size(); ++i)
events->putDirectIndex(exec, i, m_events[i].toJS(exec));
- result->putDirect(exec->vm(), exec->propertyNames().events, events);
+ result->putDirect(vm, exec->propertyNames().events, events);
return result;
}
Modified: trunk/Source/_javascript_Core/profiler/ProfilerOSRExitSite.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/profiler/ProfilerOSRExitSite.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/profiler/ProfilerOSRExitSite.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -36,7 +36,10 @@
JSValue OSRExitSite::toJS(ExecState* exec) const
{
+ VM& vm = exec->vm();
JSArray* result = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_codeAddresses.size(); ++i)
result->putDirectIndex(exec, i, jsString(exec, toString(RawPointer(m_codeAddresses[i]))));
return result;
Modified: trunk/Source/_javascript_Core/profiler/ProfilerOriginStack.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/profiler/ProfilerOriginStack.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/profiler/ProfilerOriginStack.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -100,7 +100,10 @@
JSValue OriginStack::toJS(ExecState* exec) const
{
+ VM& vm = exec->vm();
JSArray* result = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (unsigned i = 0; i < m_stack.size(); ++i)
result->putDirectIndex(exec, i, m_stack[i].toJS(exec));
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -590,6 +590,7 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
{
+ VM& vm = exec->vm();
JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
unsigned argCount = exec->argumentCount();
JSValue curArg = thisValue.toObject(exec);
@@ -610,7 +611,7 @@
if (currentArray) {
// Can't use JSArray::length here because this might be a RuntimeArray!
finalArraySize += getLength(exec, currentArray);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
} else
++finalArraySize;
@@ -636,22 +637,22 @@
else {
// We add the newTarget because the compiler gets confused between 0 being a number and a pointer.
result = constructEmptyArray(exec, nullptr, 0, JSValue());
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
}
curArg = thisValue.toObject(exec);
- ASSERT(!exec->hadException());
+ ASSERT(!vm.exception());
unsigned n = 0;
for (unsigned i = 0; ; ++i) {
if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
// Can't use JSArray::length here because this might be a RuntimeArray!
unsigned length = getLength(exec, currentArray);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
for (unsigned k = 0; k < length; ++k) {
JSValue v = getProperty(exec, currentArray, k);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
if (v)
result->putDirectIndex(exec, n, v);
@@ -846,11 +847,12 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec)
{
// http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
+ VM& vm = exec->vm();
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
if (!thisObj)
return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
@@ -869,13 +871,16 @@
JSObject* result;
if (speciesResult.first == SpeciesConstructResult::CreatedObject)
result = speciesResult.second;
- else
+ else {
result = constructEmptyArray(exec, nullptr, end - begin);
+ if (UNLIKELY(vm.exception()))
+ return JSValue::encode(jsUndefined());
+ }
unsigned n = 0;
for (unsigned k = begin; k < end; k++, n++) {
JSValue v = getProperty(exec, thisObj, k);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
if (v)
result->putDirectIndex(exec, n, v);
@@ -894,7 +899,7 @@
if (!thisObj)
return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
if (!exec->argumentCount()) {
@@ -905,8 +910,11 @@
JSObject* result;
if (speciesResult.first == SpeciesConstructResult::CreatedObject)
result = speciesResult.second;
- else
+ else {
result = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return JSValue::encode(jsUndefined());
+ }
setLength(exec, result, 0);
return JSValue::encode(result);
@@ -939,10 +947,10 @@
for (unsigned k = 0; k < deleteCount; ++k) {
JSValue v = getProperty(exec, thisObj, k + begin);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
result->putByIndexInline(exec, k, v, true);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
}
} else {
@@ -952,7 +960,7 @@
for (unsigned k = 0; k < deleteCount; ++k) {
JSValue v = getProperty(exec, thisObj, k + begin);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
result->initializeIndex(vm, k, v);
}
@@ -962,16 +970,16 @@
unsigned additionalArgs = std::max<int>(exec->argumentCount() - 2, 0);
if (additionalArgs < deleteCount) {
shift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
} else if (additionalArgs > deleteCount) {
unshift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
}
for (unsigned k = 0; k < additionalArgs; ++k) {
thisObj->putByIndexInline(exec, k + begin, exec->uncheckedArgument(k + 2), true);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
}
Modified: trunk/Source/_javascript_Core/runtime/LiteralParser.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/LiteralParser.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/LiteralParser.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -583,6 +583,8 @@
startParseArray:
case StartParseArray: {
JSArray* array = constructEmptyArray(m_exec, 0);
+ if (UNLIKELY(m_exec->hadException()))
+ return JSValue();
objectStack.append(array);
}
doParseArrayStartExpression:
Modified: trunk/Source/_javascript_Core/runtime/ModuleLoaderObject.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/ModuleLoaderObject.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/ModuleLoaderObject.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -297,6 +297,8 @@
return JSValue::encode(constructEmptyArray(exec, nullptr));
JSArray* result = constructEmptyArray(exec, nullptr, moduleRecord->requestedModules().size());
+ if (UNLIKELY(exec->hadException()))
+ JSValue::encode(jsUndefined());
size_t i = 0;
for (auto& key : moduleRecord->requestedModules())
result->putDirectIndex(exec, i++, jsString(exec, key.get()));
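Review bot: The added guard in moduleLoaderObjectRequestedModules is missing its `return`: `JSValue::encode(jsUndefined());` is an expression statement whose value is discarded, so on a pending exception control falls through to the loop and dereferences `result`, which is exactly the null-dereference crash this commit is meant to fix. The line should read `return JSValue::encode(jsUndefined());`. Compiling with -Wunused-value (or marking JSValue::encode [[nodiscard]]/WARN_UNUSED_RETURN) would have caught this. The enclosing function starts before this hunk.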
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -703,12 +703,15 @@
// FIXME: Use the enumeration cache.
JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode propertyNameMode, DontEnumPropertiesMode dontEnumPropertiesMode)
{
+ VM& vm = exec->vm();
PropertyNameArray properties(exec, propertyNameMode);
- object->methodTable(exec->vm())->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
- if (exec->hadException())
+ object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
+ if (UNLIKELY(vm.exception()))
return nullptr;
JSArray* keys = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return nullptr;
switch (propertyNameMode) {
case PropertyNameMode::Strings: {
@@ -727,7 +730,7 @@
const auto& identifier = properties[i];
ASSERT(identifier.isSymbol());
if (!exec->propertyNames().isPrivateName(identifier))
- keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+ keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
}
break;
}
@@ -746,7 +749,7 @@
// To ensure the order defined in the spec (9.1.12), we append symbols at the last elements of keys.
for (const auto& identifier : propertySymbols)
- keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+ keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
break;
}
Modified: trunk/Source/_javascript_Core/runtime/RegExpObject.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/RegExpObject.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/RegExpObject.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -179,6 +179,8 @@
static unsigned maxSizeForDirectPath = 100000;
JSArray* array = constructEmptyArray(exec, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
auto iterate = [&] () {
size_t end = result.end;
Modified: trunk/Source/_javascript_Core/runtime/RegExpPrototype.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/RegExpPrototype.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/RegExpPrototype.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -563,6 +563,8 @@
// 11. Let A be ArrayCreate(0).
// 12. Let lengthA be 0.
JSArray* result = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return JSValue::encode(jsUndefined());
unsigned resultLength = 0;
// 13. If limit is undefined, let lim be 2^32-1; else let lim be ? ToUint32(limit).
Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -1082,19 +1082,22 @@
// ES 21.1.3.17 String.prototype.split(separator, limit)
EncodedJSValue JSC_HOST_CALL stringProtoFuncSplitFast(ExecState* exec)
{
+ VM& vm = exec->vm();
JSValue thisValue = exec->thisValue();
ASSERT(checkObjectCoercible(thisValue));
// 3. Let S be the result of calling ToString, giving it the this value as its argument.
// 7. Let s be the number of characters in S.
String input = thisValue.toString(exec)->value(exec);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
ASSERT(!input.isNull());
// 4. Let A be a new array created as if by the _expression_ new Array()
// where Array is the standard built-in constructor with that name.
JSArray* result = constructEmptyArray(exec, 0);
+ if (UNLIKELY(vm.exception()))
+ return JSValue::encode(jsUndefined());
// 5. Let lengthA be 0.
unsigned resultLength = 0;
@@ -1110,7 +1113,7 @@
// otherwise let R = ToString(separator).
JSValue separatorValue = exec->uncheckedArgument(0);
String separator = separatorValue.toString(exec)->value(exec);
- if (exec->hadException())
+ if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
// 10. If lim == 0, return A.
Modified: trunk/Source/_javascript_Core/runtime/TemplateRegistry.cpp (201786 => 201787)
--- trunk/Source/_javascript_Core/runtime/TemplateRegistry.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/_javascript_Core/runtime/TemplateRegistry.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -45,9 +45,14 @@
if (cached)
return cached;
+ VM& vm = exec->vm();
unsigned count = templateKey.cookedStrings().size();
JSArray* templateObject = constructEmptyArray(exec, nullptr, count);
+ if (UNLIKELY(vm.exception()))
+ return nullptr;
JSArray* rawObject = constructEmptyArray(exec, nullptr, count);
+ if (UNLIKELY(vm.exception()))
+ return nullptr;
for (unsigned index = 0; index < count; ++index) {
templateObject->putDirectIndex(exec, index, jsString(exec, templateKey.cookedStrings()[index]), ReadOnly | DontDelete, PutDirectIndexLikePutDirect);
@@ -57,7 +62,7 @@
objectConstructorFreeze(exec, rawObject);
ASSERT(!exec->hadException());
- templateObject->putDirect(exec->vm(), exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
+ templateObject->putDirect(vm, exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
objectConstructorFreeze(exec, templateObject);
ASSERT(!exec->hadException());
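Review bot: The two `ASSERT(!exec->hadException());` lines in this hunk still spell the check the old way, while the rest of getTemplateObject was switched to `vm.exception()` in the hunk above; for consistency they should become `ASSERT(!vm.exception());`. The function's signature and its cache lookup are outside these hunks, and since the function now returns nullptr on exception, its caller should be checked for a null-handling path.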
Added: trunk/Source/_javascript_Core/tests/stress/regress-158411.js (0 => 201787)
--- trunk/Source/_javascript_Core/tests/stress/regress-158411.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-158411.js 2016-06-08 02:53:32 UTC (rev 201787)
@@ -0,0 +1,11 @@
+//@ defaultNoSamplingProfilerRun
+
+// Should not crash.
+try {
+ function foo(){
+ [].slice({});
+ foo();
+ }
+ foo();
+} catch (e) {
+}
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (201786 => 201787)
--- trunk/Source/WebCore/ChangeLog 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/ChangeLog 2016-06-08 02:53:32 UTC (rev 201787)
@@ -1,3 +1,26 @@
+2016-06-07 Mark Lam <[email protected]>
+
+ Need an exception check after constructEmptyArray().
+ https://bugs.webkit.org/show_bug.cgi?id=158411
+
+ Reviewed by Saam Barati.
+
+ A stress test for this was added in _javascript_Core.
+
+ * bindings/js/IDBBindingUtilities.cpp:
+ (WebCore::toJS):
+ * bindings/js/JSCommandLineAPIHostCustom.cpp:
+ (WebCore::getJSListenerFunctions):
+ * bindings/js/JSCryptoKeySerializationJWK.cpp:
+ (WebCore::buildJSONForRSAComponents):
+ (WebCore::addBoolToJSON):
+ (WebCore::addUsagesToJSON):
+ (WebCore::JSCryptoKeySerializationJWK::serialize):
+ * bindings/js/JSDOMBinding.h:
+ (WebCore::toJS):
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::CloneDeserializer::deserialize):
+
2016-06-07 Antoine Quint <[email protected]>
The backdrop-filter property does not respect border-radius
Modified: trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp (201786 => 201787)
--- trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -88,16 +88,19 @@
return jsUndefined();
}
- Locker<JSLock> locker(state.vm().apiLock());
+ VM& vm = state.vm();
+ Locker<JSLock> locker(vm.apiLock());
switch (key->type()) {
case KeyType::Array: {
auto& inArray = key->array();
unsigned size = inArray.size();
- auto& outArray = *constructEmptyArray(&state, 0, &globalObject, size);
+ auto outArray = constructEmptyArray(&state, 0, &globalObject, size);
+ if (UNLIKELY(vm.exception()))
+ return jsUndefined();
for (size_t i = 0; i < size; ++i)
- outArray.putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
- return &outArray;
+ outArray->putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
+ return outArray;
}
case KeyType::String:
return jsStringWithCache(&state, key->string());
Modified: trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp (201786 => 201787)
--- trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -67,7 +67,10 @@
static JSArray* getJSListenerFunctions(ExecState& state, Document* document, const EventListenerInfo& listenerInfo)
{
+ VM& vm = state.vm();
JSArray* result = constructEmptyArray(&state, nullptr);
+ if (UNLIKELY(vm.exception()))
+ return nullptr;
size_t handlersCount = listenerInfo.eventListenerVector.size();
for (size_t i = 0, outputIndex = 0; i < handlersCount; ++i) {
const JSEventListener* jsListener = JSEventListener::cast(listenerInfo.eventListenerVector[i].listener.get());
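Review bot: Returning `nullptr` from `getJSListenerFunctions` on exception changes its contract — the result used to be an unconditionally non-null `JSArray*` — and its callers are outside this hunk, so each one must now null-check (or test `vm.exception()`) before dereferencing the result, otherwise the early return turns a pending exception into a null dereference. Documenting this at the definition, `// Returns nullptr with an exception pending on the VM.`, and auditing the callers would close that gap. The `constructEmptyObject(&state)` and `putDirectIndex` calls in the next hunk of this file remain unchecked, so an exception raised inside the loop is still carried silently into the returned array.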
@@ -85,8 +88,8 @@
continue;
JSObject* listenerEntry = constructEmptyObject(&state);
- listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "listener"), function);
- listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
+ listenerEntry->putDirect(vm, Identifier::fromString(&state, "listener"), function);
+ listenerEntry->putDirect(vm, Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
result->putDirectIndex(&state, outputIndex++, JSValue(listenerEntry));
}
return result;
Modified: trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp (201786 => 201787)
--- trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -534,7 +534,10 @@
if (data.otherPrimeInfos().isEmpty())
return;
+ VM& vm = exec->vm();
JSArray* oth = constructEmptyArray(exec, 0, exec->lexicalGlobalObject(), data.otherPrimeInfos().size());
+ if (UNLIKELY(vm.exception()))
+ return;
for (size_t i = 0, size = data.otherPrimeInfos().size(); i < size; ++i) {
JSObject* jsPrimeInfo = constructEmptyObject(exec);
addToJSON(exec, jsPrimeInfo, "r", base64URLEncode(data.otherPrimeInfos()[i].primeFactor));
@@ -542,7 +545,7 @@
addToJSON(exec, jsPrimeInfo, "t", base64URLEncode(data.otherPrimeInfos()[i].factorCRTCoefficient));
oth->putDirectIndex(exec, i, jsPrimeInfo);
}
- result->putDirect(exec->vm(), Identifier::fromString(exec, "oth"), oth);
+ result->putDirect(vm, Identifier::fromString(exec, "oth"), oth);
}
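Review bot: The early `return` added after `constructEmptyArray` in `buildJSONForRSAComponents` leaves `result` without its `oth` member and relies solely on the pending VM exception to signal that; `addUsagesToJSON` in the next hunk does the same with `key_ops`. Both are `void` helpers, so `JSCryptoKeySerializationJWK::serialize`, whose body begins outside these hunks, must check `vm.exception()` after each helper before it stringifies the object, or a truncated JWK (missing `oth` or `key_ops`) can be handed back as if it were complete. The `constructEmptyObject(exec)` and `addToJSON` calls inside the loop are also unchecked. A comment at each early return, `// Exception pending on vm; serialize() must check before using result.`, would make the contract explicit for the caller.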
static void addBoolToJSON(ExecState* exec, JSObject* json, const char* key, bool value)
@@ -655,7 +658,10 @@
static void addUsagesToJSON(ExecState* exec, JSObject* json, CryptoKeyUsage usages)
{
+ VM& vm = exec->vm();
JSArray* keyOps = constructEmptyArray(exec, 0, exec->lexicalGlobalObject(), 0);
+ if (UNLIKELY(vm.exception()))
+ return;
unsigned index = 0;
if (usages & CryptoKeyUsageSign)
@@ -675,7 +681,7 @@
if (usages & CryptoKeyUsageDeriveBits)
keyOps->putDirectIndex(exec, index++, jsNontrivialString(exec, ASCIILiteral("deriveBits")));
- json->putDirect(exec->vm(), Identifier::fromString(exec, "key_ops"), keyOps);
+ json->putDirect(vm, Identifier::fromString(exec, "key_ops"), keyOps);
}
String JSCryptoKeySerializationJWK::serialize(ExecState* exec, const CryptoKey& key)
Modified: trunk/Source/WebCore/bindings/js/JSDOMBinding.h (201786 => 201787)
--- trunk/Source/WebCore/bindings/js/JSDOMBinding.h 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/JSDOMBinding.h 2016-06-08 02:53:32 UTC (rev 201787)
@@ -540,6 +540,8 @@
template<typename T> inline JSC::JSValue toJS(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, const Vector<T>& vector)
{
JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
+ if (UNLIKELY(exec->hadException()))
+ return JSC::jsUndefined();
for (size_t i = 0; i < vector.size(); ++i)
array->putDirectIndex(exec, i, toJS(exec, globalObject, vector[i]));
return array;
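Review bot: The per-element `toJS(exec, globalObject, vector[i])` call inside the loop can also raise, and neither this `toJS` overload nor the `RefPtr<T>` overload in the next hunk checks after the store, so a failure mid-loop keeps calling `putDirectIndex` with an exception pending; add `if (UNLIKELY(exec->hadException())) return JSC::jsUndefined();` after each `putDirectIndex` (bracing the `for`). As a point of style, these two hunks spell the check `exec->hadException()` while the other files in this commit hoist `VM& vm` and test `vm.exception()`; the forms are equivalent here, but one idiom across the patch is easier to grep and audit. Both function bodies close outside their hunks.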
@@ -548,6 +550,8 @@
template<typename T> inline JSC::JSValue toJS(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, const Vector<RefPtr<T>>& vector)
{
JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
+ if (UNLIKELY(exec->hadException()))
+ return JSC::jsUndefined();
for (size_t i = 0; i < vector.size(); ++i)
array->putDirectIndex(exec, i, toJS(exec, globalObject, vector[i].get()));
return array;
Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (201786 => 201787)
--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2016-06-08 02:53:32 UTC (rev 201787)
@@ -2463,6 +2463,8 @@
goto error;
}
JSArray* outArray = constructEmptyArray(m_exec, 0, m_globalObject, length);
+ if (UNLIKELY(m_exec->hadException()))
+ goto error;
m_gcBuffer.append(outArray);
outputObjectStack.append(outArray);
}
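Review bot: The new `goto error` after `constructEmptyArray` jumps to a label outside this hunk with an exception pending on `m_exec`, and what the `error:` path does with that exception is not visible; if it clears or ignores it, the caller receives a truncated clone with no error signal, so the label should either propagate the exception or translate it into the deserializer's failure status. Since `length` here presumably comes from the serialized input being decoded, this check turns a hostile or corrupt length into a clean failure rather than a use of a bad array, which is the right direction. A short comment at the jump, `// constructEmptyArray() may throw; the exception is left pending on m_exec for error: to report.`, would document why this exit differs from the length check just above it.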