Title: [235491] trunk
- Revision: 235491
- Author: [email protected]
- Date: 2018-08-29 18:20:20 -0700 (Wed, 29 Aug 2018)
Log Message
Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
https://bugs.webkit.org/show_bug.cgi?id=189132
<rdar://problem/42513068>
Reviewed by Saam Barati.
JSTests:
* stress/regress-189132.js: Added.
Source/JavaScriptCore:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toPropertyKey const):
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomicString const):
Diff
Modified: trunk/JSTests/ChangeLog (235490 => 235491)
--- trunk/JSTests/ChangeLog 2018-08-30 00:26:11 UTC (rev 235490)
+++ trunk/JSTests/ChangeLog 2018-08-30 01:20:20 UTC (rev 235491)
@@ -1,3 +1,13 @@
+2018-08-29 Mark Lam <[email protected]>
+
+ Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
+ https://bugs.webkit.org/show_bug.cgi?id=189132
+ <rdar://problem/42513068>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-189132.js: Added.
+
2018-08-27 Yusuke Suzuki <[email protected]>
[WebAssembly] Parse wasm modules in a streaming fashion
Added: trunk/JSTests/stress/regress-189132.js (0 => 235491)
--- trunk/JSTests/stress/regress-189132.js (rev 0)
+++ trunk/JSTests/stress/regress-189132.js 2018-08-30 01:20:20 UTC (rev 235491)
@@ -0,0 +1,12 @@
+try {
+ var a0 = '\ud801';
+ var a1 = [];
+ a2 = a0.padEnd(2147483644,'x');
+ a1[a2];
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "Error: Out of memory")
+ throw "FAILED";
+
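Review bot: `exception` is only ever assigned inside the catch block, so if `a1[a2]` completes without throwing, the check `exception != "Error: Out of memory"` reads an undeclared variable and the test dies with a ReferenceError rather than the intended "FAILED". Declaring it up front (`var exception;`) makes the no-throw case report cleanly. `a2` is also assigned without `var`, unlike `a0` and `a1`. A one-line comment on why the lone surrogate '\ud801' and the padEnd length 2147483644 are needed to reach the out-of-memory path would help whoever has to touch this test later.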
Modified: trunk/Source/_javascript_Core/ChangeLog (235490 => 235491)
--- trunk/Source/_javascript_Core/ChangeLog 2018-08-30 00:26:11 UTC (rev 235490)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-08-30 01:20:20 UTC (rev 235491)
@@ -1,3 +1,16 @@
+2018-08-29 Mark Lam <[email protected]>
+
+ Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
+ https://bugs.webkit.org/show_bug.cgi?id=189132
+ <rdar://problem/42513068>
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toPropertyKey const):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeToAtomicString const):
+
2018-08-29 Commit Queue <[email protected]>
Unreviewed, rolling out r235432 and r235436.
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h (235490 => 235491)
--- trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2018-08-30 00:26:11 UTC (rev 235490)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2018-08-30 01:20:20 UTC (rev 235491)
@@ -649,13 +649,17 @@
VM& vm = exec->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
- if (isString())
+ if (isString()) {
+ scope.release();
return asString(*this)->toIdentifier(exec);
+ }
JSValue primitive = toPrimitive(exec, PreferString);
RETURN_IF_EXCEPTION(scope, vm.propertyNames->emptyIdentifier);
- if (primitive.isSymbol())
+ if (primitive.isSymbol()) {
+ scope.release();
return Identifier::fromUid(asSymbol(primitive)->privateName());
+ }
scope.release();
return primitive.toString(exec)->toIdentifier(exec);
}
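Review bot: in the `primitive.isSymbol()` branch the added `scope.release()` precedes `Identifier::fromUid(asSymbol(primitive)->privateName())`, and nothing visible in this hunk shows that call can throw; unlike the two `toIdentifier(exec)` returns, it does not even take `exec`. If the release is there only for symmetry, a comment should say so; if `fromUid` can throw, the comment should name that. With three release-then-return sites in one function, a short note that exception checking is deferred to the caller of toPropertyKey() would also make the contract explicit for anyone adding a fourth return path.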
Modified: trunk/Source/_javascript_Core/runtime/JSString.cpp (235490 => 235491)
--- trunk/Source/_javascript_Core/runtime/JSString.cpp 2018-08-30 00:26:11 UTC (rev 235490)
+++ trunk/Source/_javascript_Core/runtime/JSString.cpp 2018-08-30 01:20:20 UTC (rev 235491)
@@ -178,8 +178,12 @@
void JSRopeString::resolveRopeToAtomicString(ExecState* exec) const
{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
if (length() > maxLengthForOnStackResolve) {
resolveRope(exec);
+ RETURN_IF_EXCEPTION(scope, void());
m_value = AtomicString(m_value);
setIs8Bit(m_value.impl()->is8Bit());
return;
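Review bot: when `RETURN_IF_EXCEPTION(scope, void());` fires after `resolveRope(exec)`, the function returns before `m_value = AtomicString(m_value);`, so the string is left un-atomized and, because the return type is void, the caller learns of the failure only by checking for a pending exception. That deserves a comment on the function stating that callers must check for an exception before relying on the atomic value. The visible lines cover only the `length() > maxLengthForOnStackResolve` branch; please confirm whether the remaining path of the function can fail the same way and needs its own check.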