[webkit-changes] [243835] trunk

[ysuzuki]

Title: [243835] trunk

Revision

243835

Author

ysuz...@apple.com

Date

2019-04-03 16:29:48 -0700 (Wed, 03 Apr 2019)

Log Message

[JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
https://bugs.webkit.org/show_bug.cgi?id=196574

Reviewed by Saam Barati.

JSTests:

* stress/string-index-of-exception-check.js: Added.
(blurType):
(1.forEach):

Source/_javascript_Core:

This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.

* dfg/DFGOperations.cpp:

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGOperations.cpp

Added Paths

• trunk/JSTests/stress/string-index-of-exception-check.js

Diff

Modified: trunk/JSTests/ChangeLog (243834 => 243835)

--- trunk/JSTests/ChangeLog	2019-04-03 23:21:04 UTC (rev 243834)
+++ trunk/JSTests/ChangeLog	2019-04-03 23:29:48 UTC (rev 243835)
@@ -1,3 +1,14 @@
+2019-04-03  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
+        https://bugs.webkit.org/show_bug.cgi?id=196574
+
+        Reviewed by Saam Barati.
+
+        * stress/string-index-of-exception-check.js: Added.
+        (blurType):
+        (1.forEach):
+
 2019-03-29  Tadeu Zagallo  <tzaga...@apple.com>
 
         Assertion failed in JSC::createError

Added: trunk/JSTests/stress/string-index-of-exception-check.js (0 => 243835)

--- trunk/JSTests/stress/string-index-of-exception-check.js	                        (rev 0)
+++ trunk/JSTests/stress/string-index-of-exception-check.js	2019-04-03 23:29:48 UTC (rev 243835)
@@ -0,0 +1,18 @@
+//@ runDefault("--forceEagerCompilation=true")
+
+// This test should not crash.
+
+var count = 0;
+function blurType(value)
+{
+    if ((count++) & 0x1)
+        return {};
+    return value;
+}
+noInline(blurType);
+
+[0, 1].forEach(()=>{
+    [{}, 1, 2].forEach(x => {
+        ['xy'].indexOf(blurType('xy_'.substring(0, 2)));
+    });
+});

Modified: trunk/Source/_javascript_Core/ChangeLog (243834 => 243835)

--- trunk/Source/_javascript_Core/ChangeLog	2019-04-03 23:21:04 UTC (rev 243834)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-04-03 23:29:48 UTC (rev 243835)
@@ -1,3 +1,14 @@
+2019-04-03  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
+        https://bugs.webkit.org/show_bug.cgi?id=196574
+
+        Reviewed by Saam Barati.
+
+        This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
+
+        * dfg/DFGOperations.cpp:
+
 2019-04-03  Don Olmstead  <don.olmst...@sony.com>
 
         [CMake][WTF] Mirror XCode header directories

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (243834 => 243835)

--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2019-04-03 23:21:04 UTC (rev 243834)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2019-04-03 23:29:48 UTC (rev 243835)
@@ -2561,9 +2561,10 @@
         JSValue value = data[index].get();
         if (!value)
             continue;
-        if (JSValue::strictEqual(exec, searchElement, value))
+        bool isEqual = JSValue::strictEqual(exec, searchElement, value);
+        RETURN_IF_EXCEPTION(scope, { });
+        if (isEqual)
             return index;
-        RETURN_IF_EXCEPTION(scope, { });
     }
     return -1;
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes