Modified: trunk/Source/_javascript_Core/ChangeLog (209029 => 209030)
--- trunk/Source/_javascript_Core/ChangeLog 2016-11-28 23:17:55 UTC (rev 209029)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-11-28 23:23:40 UTC (rev 209030)
@@ -1,5 +1,23 @@
2016-11-28 Mark Lam <mark....@apple.com>
+ Fix exception scope verification failures in runtime/Operations.cpp/h.
+ https://bugs.webkit.org/show_bug.cgi?id=165046
+
+ Reviewed by Saam Barati.
+
+ Also switched to using returning { } instead of JSValue().
+
+ * runtime/Operations.cpp:
+ (JSC::jsAddSlowCase):
+ (JSC::jsIsObjectTypeOrNull):
+ * runtime/Operations.h:
+ (JSC::jsStringFromRegisterArray):
+ (JSC::jsStringFromArguments):
+ (JSC::jsLess):
+ (JSC::jsLessEq):
+
+2016-11-28 Mark Lam <mark....@apple.com>
+
Fix exception scope verification failures in JSScope.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165047
Modified: trunk/Source/_javascript_Core/runtime/Operations.cpp (209029 => 209030)
--- trunk/Source/_javascript_Core/runtime/Operations.cpp 2016-11-28 23:17:55 UTC (rev 209029)
+++ trunk/Source/_javascript_Core/runtime/Operations.cpp 2016-11-28 23:23:40 UTC (rev 209030)
@@ -46,17 +46,28 @@
VM& vm = callFrame->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
JSValue p1 = v1.toPrimitive(callFrame);
- RETURN_IF_EXCEPTION(scope, JSValue());
+ RETURN_IF_EXCEPTION(scope, { });
JSValue p2 = v2.toPrimitive(callFrame);
- RETURN_IF_EXCEPTION(scope, JSValue());
+ RETURN_IF_EXCEPTION(scope, { });
- if (p1.isString())
- return jsString(callFrame, asString(p1), p2.toString(callFrame));
+ if (p1.isString()) {
+ JSString* p2String = p2.toString(callFrame);
+ RETURN_IF_EXCEPTION(scope, { });
+ scope.release();
+ return jsString(callFrame, asString(p1), p2String);
+ }
- if (p2.isString())
- return jsString(callFrame, p1.toString(callFrame), asString(p2));
+ if (p2.isString()) {
+ JSString* p1String = p1.toString(callFrame);
+ RETURN_IF_EXCEPTION(scope, { });
+ scope.release();
+ return jsString(callFrame, p1String, asString(p2));
+ }
- return jsNumber(p1.toNumber(callFrame) + p2.toNumber(callFrame));
+ double p1Number = p1.toNumber(callFrame);
+ RETURN_IF_EXCEPTION(scope, { });
+ scope.release();
+ return jsNumber(p1Number + p2.toNumber(callFrame));
}
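Review bot: The rewritten tail of jsAddSlowCase changes evaluation order as a side effect that the ChangeLog does not mention: the old single-expression `jsNumber(p1.toNumber(callFrame) + p2.toNumber(callFrame))` left the order of the two conversions unspecified in C++, whereas the new code always converts p1 before p2, which matters only when both conversions can throw (a Symbol operand, for instance) but is then the observable order. The trailing `p2.toNumber(callFrame)` after `scope.release()` can still throw; that is acceptable because its result is returned straight to the caller, who checks the exception, but it reads as a missed check without a hint, so I would add `// p2.toNumber() may throw; the scope is released because the result goes straight back to the caller.` above the return. The signature of jsAddSlowCase is above the hunk.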
JSValue jsTypeStringForValue(VM& vm, JSGlobalObject* globalObject, JSValue v)
@@ -96,6 +107,7 @@
bool jsIsObjectTypeOrNull(CallFrame* callFrame, JSValue v)
{
+ VM& vm = callFrame->vm();
if (!v.isCell())
return v.isNull();
@@ -103,11 +115,11 @@
if (type == StringType || type == SymbolType)
return false;
if (type >= ObjectType) {
- if (asObject(v)->structure(callFrame->vm())->masqueradesAsUndefined(callFrame->lexicalGlobalObject()))
+ if (asObject(v)->structure(vm)->masqueradesAsUndefined(callFrame->lexicalGlobalObject()))
return false;
CallData callData;
JSObject* object = asObject(v);
- if (object->methodTable(callFrame->vm())->getCallData(object, callData) != CallType::None)
+ if (object->methodTable(vm)->getCallData(object, callData) != CallType::None)
return false;
}
return true;
Modified: trunk/Source/_javascript_Core/runtime/Operations.h (209029 => 209030)
--- trunk/Source/_javascript_Core/runtime/Operations.h 2016-11-28 23:17:55 UTC (rev 209029)
+++ trunk/Source/_javascript_Core/runtime/Operations.h 2016-11-28 23:23:40 UTC (rev 209030)
@@ -126,7 +126,9 @@
for (unsigned i = 0; i < count; ++i) {
JSValue v = strings[-static_cast<int>(i)].jsValue();
- if (!ropeBuilder.append(v.toString(exec)))
+ JSString* string = v.toString(exec);
+ RETURN_IF_EXCEPTION(scope, { });
+ if (!ropeBuilder.append(string))
return throwOutOfMemoryError(exec, scope);
}
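Review bot: The out-of-memory branch here is written as `if (!ropeBuilder.append(string))` while the same test in the sibling loop of jsStringFromArguments in the next hunk is wrapped in `UNLIKELY(...)`; the two loops should agree, e.g. `if (UNLIKELY(!ropeBuilder.append(string)))`. The added RETURN_IF_EXCEPTION between the toString() call and the append is the right place for it, since a throwing conversion previously fed its placeholder result into the rope. The enclosing function, its DECLARE_THROW_SCOPE and its final return all lie outside this hunk.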
@@ -138,11 +140,15 @@
VM* vm = &exec->vm();
auto scope = DECLARE_THROW_SCOPE(*vm);
JSRopeString::RopeBuilder ropeBuilder(*vm);
- ropeBuilder.append(thisValue.toString(exec));
+ JSString* str = thisValue.toString(exec);
+ RETURN_IF_EXCEPTION(scope, { });
+ ropeBuilder.append(str);
for (unsigned i = 0; i < exec->argumentCount(); ++i) {
JSValue v = exec->argument(i);
- if (!ropeBuilder.append(v.toString(exec)))
+ JSString* str = v.toString(exec);
+ RETURN_IF_EXCEPTION(scope, { });
+ if (UNLIKELY(!ropeBuilder.append(str)))
return throwOutOfMemoryError(exec, scope);
}
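Review bot: The loop-local `JSString* str` shadows the `str` declared a few lines above it for thisValue; it compiles, but it hides the outer variable for the rest of the function and trips -Wshadow, so one of them should be renamed, e.g. `JSString* thisString = thisValue.toString(exec);` followed by `ropeBuilder.append(thisString);`. The return value of that first append is still ignored, unlike the loop below which throws OutOfMemoryError on failure; presumably a single string cannot exceed the rope length limit, but a one-line comment saying so would stop the next reader from flagging it. The function's signature is above the hunk and its return is below it.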
@@ -155,6 +161,9 @@
template<bool leftFirst>
ALWAYS_INLINE bool jsLess(CallFrame* callFrame, JSValue v1, JSValue v2)
{
+ VM& vm = callFrame->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
if (v1.isInt32() && v2.isInt32())
return v1.asInt32() < v2.asInt32();
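Review bot: The throw scope is declared before the int32 fast path, which cannot throw, and the same is done in jsLessEq below; if DECLARE_THROW_SCOPE does any work in release builds (in the verifying configuration it evidently does), moving `auto scope = DECLARE_THROW_SCOPE(vm);` to just before the first getPrimitiveNumber() call would leave the hot comparison path untouched. Since the function is ALWAYS_INLINE, whatever the scope costs lands in every caller. The remaining fast paths and the getPrimitiveNumber() calls are in the following hunk and outside this one.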
@@ -172,11 +181,14 @@
bool wasNotString2;
if (leftFirst) {
wasNotString1 = v1.getPrimitiveNumber(callFrame, n1, p1);
+ RETURN_IF_EXCEPTION(scope, false);
wasNotString2 = v2.getPrimitiveNumber(callFrame, n2, p2);
} else {
wasNotString2 = v2.getPrimitiveNumber(callFrame, n2, p2);
+ RETURN_IF_EXCEPTION(scope, false);
wasNotString1 = v1.getPrimitiveNumber(callFrame, n1, p1);
}
+ RETURN_IF_EXCEPTION(scope, false);
if (wasNotString1 | wasNotString2)
return n1 < n2;
@@ -189,6 +201,9 @@
template<bool leftFirst>
ALWAYS_INLINE bool jsLessEq(CallFrame* callFrame, JSValue v1, JSValue v2)
{
+ VM& vm = callFrame->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
if (v1.isInt32() && v2.isInt32())
return v1.asInt32() <= v2.asInt32();
@@ -206,11 +221,14 @@
bool wasNotString2;
if (leftFirst) {
wasNotString1 = v1.getPrimitiveNumber(callFrame, n1, p1);
+ RETURN_IF_EXCEPTION(scope, false);
wasNotString2 = v2.getPrimitiveNumber(callFrame, n2, p2);
} else {
wasNotString2 = v2.getPrimitiveNumber(callFrame, n2, p2);
+ RETURN_IF_EXCEPTION(scope, false);
wasNotString1 = v1.getPrimitiveNumber(callFrame, n1, p1);
}
+ RETURN_IF_EXCEPTION(scope, false);
if (wasNotString1 | wasNotString2)
return n1 <= n2;
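Review bot: This block is now a line-for-line copy of the corresponding jsLess hunk above, differing only in the `<=` on the last line, and the commit had to add the three RETURN_IF_EXCEPTION lines to each copy separately; a small shared helper that performs the ordered getPrimitiveNumber() calls with their exception checks and hands back the two numbers and the wasNotString flags would keep the two from drifting apart again. This is a style remark only; the added checks respect the leftFirst ordering and return false on the exception path, matching the existing convention. jsLessEq continues below the hunk.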