Diff
Modified: trunk/JSTests/ChangeLog (239226 => 239227)
--- trunk/JSTests/ChangeLog 2018-12-14 20:41:31 UTC (rev 239226)
+++ trunk/JSTests/ChangeLog 2018-12-14 20:53:08 UTC (rev 239227)
@@ -1,3 +1,12 @@
+2018-12-14 Keith Miller <[email protected]>
+
+ Callers of JSString::getIndex should check for OOM exceptions
+ https://bugs.webkit.org/show_bug.cgi?id=192709
+
+ Reviewed by Mark Lam.
+
+ * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
+
2018-12-13 Mark Lam <[email protected]>
Add a missing exception check.
Added: trunk/JSTests/stress/StringObject-define-length-getter-rope-string-oom.js (0 => 239227)
--- trunk/JSTests/stress/StringObject-define-length-getter-rope-string-oom.js (rev 0)
+++ trunk/JSTests/stress/StringObject-define-length-getter-rope-string-oom.js 2018-12-14 20:53:08 UTC (rev 239227)
@@ -0,0 +1,5 @@
+try {
+ let char16 = decodeURI('%E7%9A%84');
+ let rope = char16.padEnd(2147483644, 1);
+ rope.__defineGetter__(256, function () {});
+} catch { }
Modified: trunk/Source/_javascript_Core/ChangeLog (239226 => 239227)
--- trunk/Source/_javascript_Core/ChangeLog 2018-12-14 20:41:31 UTC (rev 239226)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-12-14 20:53:08 UTC (rev 239227)
@@ -1,3 +1,25 @@
+2018-12-14 Keith Miller <[email protected]>
+
+ Callers of JSString::getIndex should check for OOM exceptions
+ https://bugs.webkit.org/show_bug.cgi?id=192709
+
+ Reviewed by Mark Lam.
+
+ This patch also allows Strings to OOM when the StringObject wrapper
+ attempts to look up an own property on the string.
+
+ Remove isExtensibleImpl because it's only used in one place and call
+ isStructureExtensible instead.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::isExtensible):
+ * runtime/JSObject.h:
+ (JSC::JSObject::isExtensibleImpl): Deleted.
+ * runtime/JSString.h:
+ (JSC::JSString::getStringPropertySlot):
+ * runtime/StringObject.cpp:
+ (JSC::StringObject::defineOwnProperty):
+
2018-12-13 Fujii Hironori <[email protected]>
[WinCairo][Clang] DLLLauncherMain.cpp: warning: unused function 'prependPath' and 'appleApplicationSupportDirectory'
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (239226 => 239227)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-12-14 20:41:31 UTC (rev 239226)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-12-14 20:53:08 UTC (rev 239227)
@@ -2431,7 +2431,7 @@
bool JSObject::isExtensible(JSObject* obj, ExecState* exec)
{
- return obj->isExtensibleImpl(exec->vm());
+ return obj->isStructureExtensible(exec->vm());
}
bool JSObject::isExtensible(ExecState* exec)
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (239226 => 239227)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2018-12-14 20:41:31 UTC (rev 239226)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2018-12-14 20:53:08 UTC (rev 239227)
@@ -753,7 +753,6 @@
private:
NonPropertyTransition suggestedArrayStorageTransition(VM&) const;
- ALWAYS_INLINE bool isExtensibleImpl(VM& vm) { return isStructureExtensible(vm); }
public:
// You should only call isStructureExtensible() when:
// - Performing this check in a way that isn't described in the specification
Modified: trunk/Source/_javascript_Core/runtime/JSString.h (239226 => 239227)
--- trunk/Source/_javascript_Core/runtime/JSString.h 2018-12-14 20:41:31 UTC (rev 239226)
+++ trunk/Source/_javascript_Core/runtime/JSString.h 2018-12-14 20:53:08 UTC (rev 239227)
@@ -687,6 +687,8 @@
ALWAYS_INLINE bool JSString::getStringPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
if (propertyName == vm.propertyNames->length) {
slot.setValue(this, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, jsNumber(length()));
return true;
@@ -694,7 +696,9 @@
std::optional<uint32_t> index = parseIndex(propertyName);
if (index && index.value() < length()) {
- slot.setValue(this, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, getIndex(exec, index.value()));
+ JSValue value = getIndex(exec, index.value());
+ RETURN_IF_EXCEPTION(scope, false);
+ slot.setValue(this, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, value);
return true;
}
@@ -703,8 +707,13 @@
ALWAYS_INLINE bool JSString::getStringPropertySlot(ExecState* exec, unsigned propertyName, PropertySlot& slot)
{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
if (propertyName < length()) {
- slot.setValue(this, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, getIndex(exec, propertyName));
+ JSValue value = getIndex(exec, propertyName);
+ RETURN_IF_EXCEPTION(scope, false);
+ slot.setValue(this, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly, value);
return true;
}
Modified: trunk/Source/_javascript_Core/runtime/StringObject.cpp (239226 => 239227)
--- trunk/Source/_javascript_Core/runtime/StringObject.cpp 2018-12-14 20:41:31 UTC (rev 239226)
+++ trunk/Source/_javascript_Core/runtime/StringObject.cpp 2018-12-14 20:53:08 UTC (rev 239227)
@@ -114,7 +114,8 @@
// https://tc39.github.io/ecma262/#sec-string-exotic-objects-getownproperty-p
PropertyDescriptor current;
bool isCurrentDefined = thisObject->getOwnPropertyDescriptor(exec, propertyName, current);
- ASSERT(isCurrentDefined);
+ EXCEPTION_ASSERT(!scope.exception() == isCurrentDefined);
+ RETURN_IF_EXCEPTION(scope, false);
bool isExtensible = thisObject->isExtensible(exec);
RETURN_IF_EXCEPTION(scope, false);
RELEASE_AND_RETURN(scope, validateAndApplyPropertyDescriptor(exec, nullptr, propertyName, isExtensible, descriptor, isCurrentDefined, current, throwException));
