Title: [231428] releases/WebKitGTK/webkit-2.20
Revision: 231428
Author: [email protected]
Date: 2018-05-07 02:29:41 -0700 (Mon, 07 May 2018)

Log Message

Merge r230980 - fromCharCode is missing some exception checks
https://bugs.webkit.org/show_bug.cgi?id=184952

Reviewed by Saam Barati.

JSTests:

* stress/fromCharCode-exception-check.js: Added.
(get catch):

Source/_javascript_Core:

I also removed the pointless slow path function and moved it into the
main function.

* runtime/StringConstructor.cpp:
(JSC::stringFromCharCode):
(JSC::stringFromCharCodeSlowCase): Deleted.

Diff

Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (231427 => 231428)


--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-05-07 09:29:35 UTC (rev 231427)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-05-07 09:29:41 UTC (rev 231428)
@@ -1,3 +1,13 @@
+2018-04-24  Keith Miller  <[email protected]>
+
+        fromCharCode is missing some exception checks
+        https://bugs.webkit.org/show_bug.cgi?id=184952
+
+        Reviewed by Saam Barati.
+
+        * stress/fromCharCode-exception-check.js: Added.
+        (get catch):
+
 2018-04-04  Filip Pizlo  <[email protected]>
 
         REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain

Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/fromCharCode-exception-check.js (0 => 231428)


--- releases/WebKitGTK/webkit-2.20/JSTests/stress/fromCharCode-exception-check.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/fromCharCode-exception-check.js	2018-05-07 09:29:41 UTC (rev 231428)
@@ -0,0 +1,8 @@
+// This shouldn't crash.
+
+try {
+    String.fromCharCode(Symbol(), new Proxy({}, { get() { } }));
+} catch (e) {
+    if (!(e instanceof TypeError) || e.message !== "Cannot convert a symbol to a number")
+        throw new Error("bad error type or message" + e);
+}
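Review bot: only the multi-argument path of `String.fromCharCode` is exercised here; the single-argument fast path in `stringFromCharCode` also gains a `RETURN_IF_EXCEPTION` in this change, but no test calls `String.fromCharCode(Symbol())` on its own, so a regression on that path would go unnoticed. Consider a second try/catch with a one-argument call that expects the same `TypeError`. Minor: `"bad error type or message" + e` has no separator before the stringified error; `"bad error type or message: " + e` reads better in a failure log.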

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (231427 => 231428)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-05-07 09:29:35 UTC (rev 231427)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-05-07 09:29:41 UTC (rev 231428)
@@ -1,3 +1,17 @@
+2018-04-24  Keith Miller  <[email protected]>
+
+        fromCharCode is missing some exception checks
+        https://bugs.webkit.org/show_bug.cgi?id=184952
+
+        Reviewed by Saam Barati.
+
+        I also removed the pointless slow path function and moved it into the
+        main function.
+
+        * runtime/StringConstructor.cpp:
+        (JSC::stringFromCharCode):
+        (JSC::stringFromCharCodeSlowCase): Deleted.
+
 2018-04-23  Filip Pizlo  <[email protected]>
 
         Unreviewed, revert accidental change to verbose flag.

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/StringConstructor.cpp (231427 => 231428)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/StringConstructor.cpp	2018-05-07 09:29:35 UTC (rev 231427)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/StringConstructor.cpp	2018-05-07 09:29:41 UTC (rev 231428)
@@ -70,23 +70,29 @@
 
 // ------------------------------ Functions --------------------------------
 
-static NEVER_INLINE JSValue stringFromCharCodeSlowCase(ExecState* exec)
+static EncodedJSValue JSC_HOST_CALL stringFromCharCode(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     unsigned length = exec->argumentCount();
+    if (LIKELY(length == 1)) {
+        unsigned code = exec->uncheckedArgument(0).toUInt32(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        scope.release();
+        return JSValue::encode(jsSingleCharacterString(exec, code));
+    }
+
     UChar* buf;
     auto impl = StringImpl::createUninitialized(length, buf);
-    for (unsigned i = 0; i < length; ++i)
+    for (unsigned i = 0; i < length; ++i) {
         buf[i] = static_cast<UChar>(exec->uncheckedArgument(i).toUInt32(exec));
-    return jsString(exec, WTFMove(impl));
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    }
+    scope.release();
+    return JSValue::encode(jsString(exec, WTFMove(impl)));
 }
 
-static EncodedJSValue JSC_HOST_CALL stringFromCharCode(ExecState* exec)
-{
-    if (LIKELY(exec->argumentCount() == 1))
-        return JSValue::encode(jsSingleCharacterString(exec, exec->uncheckedArgument(0).toUInt32(exec)));
-    return JSValue::encode(stringFromCharCodeSlowCase(exec));
-}
-
 JSCell* JSC_HOST_CALL stringFromCharCode(ExecState* exec, int32_t arg)
 {
     return jsSingleCharacterString(exec, arg);
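Review bot: in the multi-argument loop, `buf[i] = static_cast<UChar>(exec->uncheckedArgument(i).toUInt32(exec));` stores into the uninitialized buffer before `RETURN_IF_EXCEPTION(scope, encodedJSValue());` runs, so when `toUInt32` throws (for example because an argument's conversion runs user code or is a Symbol), an unspecified code unit is still written before the early return. This is harmless only because `impl` is dropped on that return; to match the single-argument path and keep the check visibly ahead of the store, convert into a local first: `unsigned code = exec->uncheckedArgument(i).toUInt32(exec); RETURN_IF_EXCEPTION(scope, encodedJSValue()); buf[i] = static_cast<UChar>(code);`. The `int32_t` overload left in trailing context needs no check since it takes an already-converted primitive.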
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes