Title: [242667] trunk
- Revision
- 242667
- Author
- [email protected]
- Date
- 2019-03-08 17:10:33 -0800 (Fri, 08 Mar 2019)
Log Message
Stack overflow crash in JSC::JSObject::hasInstance.
https://bugs.webkit.org/show_bug.cgi?id=195458
<rdar://problem/48710195>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/stack-overflow-in-custom-hasInstance.js: Added.
Source/_javascript_Core:
* runtime/JSObject.cpp:
(JSC::JSObject::hasInstance):
Modified: trunk/JSTests/ChangeLog (242666 => 242667)
--- trunk/JSTests/ChangeLog 2019-03-09 00:59:40 UTC (rev 242666)
+++ trunk/JSTests/ChangeLog 2019-03-09 01:10:33 UTC (rev 242667)
@@ -1,3 +1,13 @@
+2019-03-08 Mark Lam <[email protected]>
+
+ Stack overflow crash in JSC::JSObject::hasInstance.
+ https://bugs.webkit.org/show_bug.cgi?id=195458
+ <rdar://problem/48710195>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/stack-overflow-in-custom-hasInstance.js: Added.
+
2019-03-08 Tadeu Zagallo <[email protected]>
op_check_tdz does not def its argument
Added: trunk/JSTests/stress/stack-overflow-in-custom-hasInstance.js (0 => 242667)
--- trunk/JSTests/stress/stack-overflow-in-custom-hasInstance.js (rev 0)
+++ trunk/JSTests/stress/stack-overflow-in-custom-hasInstance.js 2019-03-09 01:10:33 UTC (rev 242667)
@@ -0,0 +1,28 @@
+//@ requireOptions("--maxPerThreadStackUsage=147456", "--exceptionStackTraceLimit=1", "--defaultErrorStackTraceLimit=1")
+
+function f() {}
+
+var fn = f;
+for (var i = 0; i < 100000; ++i) {
+ fn = fn.bind();
+
+ // Ensure we don't fallback to @@hasInstance from %FunctionPrototype%.
+ Object.defineProperty(fn, Symbol.hasInstance, {
+ value: undefined, writable: true, enumerable: true, writable: true
+ });
+
+ // Prevent generating overlong names of the form "bound bound bound [...] f".
+ Object.defineProperty(fn, "name", {
+ value: "", writable: true, enumerable: true, writable: true
+ });
+}
+
+var exception;
+try {
+ ({}) instanceof fn;
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw "FAILED";
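Review bot: The property descriptors on L51 and L56 spell `writable: true` twice, which reads like a typo for `configurable: true`; as written the duplicate key just overwrites the first and `configurable` is left at its default of false. That does not change the outcome of this test, since each bound function is freshly created and each property is defined only once, but the intent is unclear to the next reader. I would write `value: undefined, writable: true, enumerable: true, configurable: true` (and the same for the `name` descriptor). The check on L67 relies on `!=` coercing the caught value to a string; that looks deliberate, but comparing `String(exception)` with `!==` would make it explicit.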
Modified: trunk/Source/_javascript_Core/ChangeLog (242666 => 242667)
--- trunk/Source/_javascript_Core/ChangeLog 2019-03-09 00:59:40 UTC (rev 242666)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-03-09 01:10:33 UTC (rev 242667)
@@ -1,3 +1,14 @@
+2019-03-08 Mark Lam <[email protected]>
+
+ Stack overflow crash in JSC::JSObject::hasInstance.
+ https://bugs.webkit.org/show_bug.cgi?id=195458
+ <rdar://problem/48710195>
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::hasInstance):
+
2019-03-08 Robin Morisset <[email protected]>
IntegerCheckCombiningPhase::Range can be shrunk by 8 bytes
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (242666 => 242667)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2019-03-09 00:59:40 UTC (rev 242666)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2019-03-09 01:10:33 UTC (rev 242667)
@@ -46,6 +46,7 @@
#include "ProxyObject.h"
#include "SlotVisitorInlines.h"
#include "TypeError.h"
+#include "VMInlines.h"
#include <math.h>
#include <wtf/Assertions.h>
@@ -2245,8 +2246,13 @@
RETURN_IF_EXCEPTION(scope, false);
RELEASE_AND_RETURN(scope, defaultHasInstance(exec, value, prototype));
}
- if (info.implementsHasInstance())
+ if (info.implementsHasInstance()) {
+ if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
+ throwStackOverflowError(exec, scope);
+ return false;
+ }
RELEASE_AND_RETURN(scope, methodTable(vm)->customHasInstance(this, exec, value));
+ }
throwException(exec, scope, createInvalidInstanceofParameterErrorNotFunction(exec, this));
return false;
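Review bot: The new `isSafeToRecurseSoft()` check on L102 has no comment saying why a stack check is needed at this point rather than relying on the checks done at JS entry; I would add above it `// customHasInstance may recurse natively (e.g. a bound function forwarding to its target) without crossing a JS entry point that checks the stack.` — hedged, since that recursion path is inferred from the accompanying test rather than shown in the hunk. Using the soft limit leaves headroom for throwStackOverflowError itself to run, which looks right. The defaultHasInstance path on L98 gets no equivalent check; if getPrototype on an exotic object can re-enter hasInstance natively, the same unbounded recursion would still be reachable there, which is worth confirming. The closing brace of JSObject::hasInstance is not shown in the hunk.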