Diff
Modified: branches/safari-607-branch/JSTests/ChangeLog (245350 => 245351)
--- branches/safari-607-branch/JSTests/ChangeLog 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/JSTests/ChangeLog 2019-05-15 21:44:52 UTC (rev 245351)
@@ -1,5 +1,51 @@
2019-05-14 Kocsen Chung <[email protected]>
+ Cherry-pick r244996. rdar://problem/50754981
+
+ [JSC] We should check OOM for description string of Symbol
+ https://bugs.webkit.org/show_bug.cgi?id=197634
+
+ Reviewed by Keith Miller.
+
+ JSTests:
+
+ * stress/check-symbol-description-oom.js: Added.
+ (shouldThrow):
+
+ Source/_javascript_Core:
+
+ When resoling JSString for description of Symbol, we should check OOM error.
+ We also change JSValueMakeSymbol(..., nullptr) to returning a symbol value
+ without description, (1) to simplify the code and (2) give a way for JSC API
+ to create a symbol value without description.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeSymbol):
+ * API/tests/testapi.cpp:
+ (TestAPI::symbolsTypeof):
+ (TestAPI::symbolsDescription):
+ (testCAPIViaCpp):
+ * dfg/DFGOperations.cpp:
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::createWithDescription):
+ * runtime/Symbol.h:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::callSymbol):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244996 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-06 Yusuke Suzuki <[email protected]>
+
+ [JSC] We should check OOM for description string of Symbol
+ https://bugs.webkit.org/show_bug.cgi?id=197634
+
+ Reviewed by Keith Miller.
+
+ * stress/check-symbol-description-oom.js: Added.
+ (shouldThrow):
+
+2019-05-14 Kocsen Chung <[email protected]>
+
Cherry-pick r244865. rdar://problem/50753937
Baseline JIT should do argument value profiling after checking for stack overflow
Added: branches/safari-607-branch/JSTests/stress/check-symbol-description-oom.js (0 => 245351)
--- branches/safari-607-branch/JSTests/stress/check-symbol-description-oom.js (rev 0)
+++ branches/safari-607-branch/JSTests/stress/check-symbol-description-oom.js 2019-05-15 21:44:52 UTC (rev 245351)
@@ -0,0 +1,18 @@
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+const s0 = (-1).toLocaleString();
+const s1 = s0.padEnd(2147483647, ' ');
+shouldThrow(() => Symbol(s1), `Error: Out of memory`);
Modified: branches/safari-607-branch/Source/_javascript_Core/API/JSValueRef.cpp (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/API/JSValueRef.cpp 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/API/JSValueRef.cpp 2019-05-15 21:44:52 UTC (rev 245351)
@@ -330,13 +330,12 @@
return nullptr;
}
ExecState* exec = toJS(ctx);
+ VM& vm = exec->vm();
JSLockHolder locker(exec);
- auto scope = DECLARE_CATCH_SCOPE(exec->vm());
- JSString* jsDescription = jsString(exec, description ? description->string() : String());
- RETURN_IF_EXCEPTION(scope, nullptr);
-
- return toRef(exec, Symbol::create(exec, jsDescription));
+ if (!description)
+ return toRef(exec, Symbol::create(vm));
+ return toRef(exec, Symbol::createWithDescription(vm, description->string()));
}
JSValueRef JSValueMakeString(JSContextRef ctx, JSStringRef string)
Modified: branches/safari-607-branch/Source/_javascript_Core/API/tests/testapi.cpp (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/API/tests/testapi.cpp 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/API/tests/testapi.cpp 2019-05-15 21:44:52 UTC (rev 245351)
@@ -129,6 +129,7 @@
void basicSymbol();
void symbolsTypeof();
+ void symbolsDescription();
void symbolsGetPropertyForKey();
void symbolsSetPropertyForKey();
void symbolsHasPropertyForKey();
@@ -267,6 +268,7 @@
}
static const char* isSymbolFunction = "(function isSymbol(symbol) { return typeof(symbol) === 'symbol'; })";
+static const char* getSymbolDescription = "(function getSymbolDescription(symbol) { return symbol.description; })";
static const char* getFunction = "(function get(object, key) { return object[key]; })";
static const char* setFunction = "(function set(object, key, value) { object[key] = value; })";
@@ -280,11 +282,32 @@
void TestAPI::symbolsTypeof()
{
- APIString description("dope");
- JSValueRef symbol = JSValueMakeSymbol(context, description);
- check(functionReturnsTrue(isSymbolFunction, symbol), "JSValueMakeSymbol makes a symbol value");
+ {
+ JSValueRef symbol = JSValueMakeSymbol(context, nullptr);
+ check(functionReturnsTrue(isSymbolFunction, symbol), "JSValueMakeSymbol makes a symbol value");
+ }
+ {
+ APIString description("dope");
+ JSValueRef symbol = JSValueMakeSymbol(context, description);
+ check(functionReturnsTrue(isSymbolFunction, symbol), "JSValueMakeSymbol makes a symbol value");
+ }
}
+void TestAPI::symbolsDescription()
+{
+ {
+ JSValueRef symbol = JSValueMakeSymbol(context, nullptr);
+ auto result = callFunction(getSymbolDescription, symbol);
+ check(JSValueIsStrictEqual(context, result.value(), JSValueMakeUndefined(context)), "JSValueMakeSymbol with nullptr description produces a symbol value without description");
+ }
+ {
+ APIString description("dope");
+ JSValueRef symbol = JSValueMakeSymbol(context, description);
+ auto result = callFunction(getSymbolDescription, symbol);
+ check(JSValueIsStrictEqual(context, result.value(), JSValueMakeString(context, description)), "JSValueMakeSymbol with description string produces a symbol value with description");
+ }
+}
+
void TestAPI::symbolsGetPropertyForKey()
{
auto objects = interestingObjects();
@@ -494,6 +517,7 @@
RUN(basicSymbol());
RUN(symbolsTypeof());
+ RUN(symbolsDescription());
RUN(symbolsGetPropertyForKey());
RUN(symbolsSetPropertyForKey());
RUN(symbolsHasPropertyForKey());
Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-05-15 21:44:52 UTC (rev 245351)
@@ -1,5 +1,66 @@
2019-05-14 Kocsen Chung <[email protected]>
+ Cherry-pick r244996. rdar://problem/50754981
+
+ [JSC] We should check OOM for description string of Symbol
+ https://bugs.webkit.org/show_bug.cgi?id=197634
+
+ Reviewed by Keith Miller.
+
+ JSTests:
+
+ * stress/check-symbol-description-oom.js: Added.
+ (shouldThrow):
+
+ Source/_javascript_Core:
+
+ When resoling JSString for description of Symbol, we should check OOM error.
+ We also change JSValueMakeSymbol(..., nullptr) to returning a symbol value
+ without description, (1) to simplify the code and (2) give a way for JSC API
+ to create a symbol value without description.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeSymbol):
+ * API/tests/testapi.cpp:
+ (TestAPI::symbolsTypeof):
+ (TestAPI::symbolsDescription):
+ (testCAPIViaCpp):
+ * dfg/DFGOperations.cpp:
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::createWithDescription):
+ * runtime/Symbol.h:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::callSymbol):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244996 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-06 Yusuke Suzuki <[email protected]>
+
+ [JSC] We should check OOM for description string of Symbol
+ https://bugs.webkit.org/show_bug.cgi?id=197634
+
+ Reviewed by Keith Miller.
+
+ When resoling JSString for description of Symbol, we should check OOM error.
+ We also change JSValueMakeSymbol(..., nullptr) to returning a symbol value
+ without description, (1) to simplify the code and (2) give a way for JSC API
+ to create a symbol value without description.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeSymbol):
+ * API/tests/testapi.cpp:
+ (TestAPI::symbolsTypeof):
+ (TestAPI::symbolsDescription):
+ (testCAPIViaCpp):
+ * dfg/DFGOperations.cpp:
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::createWithDescription):
+ * runtime/Symbol.h:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::callSymbol):
+
+2019-05-14 Kocsen Chung <[email protected]>
+
Cherry-pick r244865. rdar://problem/50753937
Baseline JIT should do argument value profiling after checking for stack overflow
Modified: branches/safari-607-branch/Source/_javascript_Core/dfg/DFGOperations.cpp (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-05-15 21:44:52 UTC (rev 245351)
@@ -2272,8 +2272,12 @@
{
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
+ auto scope = DECLARE_THROW_SCOPE(vm);
- return Symbol::create(exec, description);
+ String string = description->value(exec);
+ RETURN_IF_EXCEPTION(scope, nullptr);
+
+ return Symbol::createWithDescription(vm, string);
}
JSCell* JIT_OPERATION operationNewStringObject(ExecState* exec, JSString* string, Structure* structure)
Modified: branches/safari-607-branch/Source/_javascript_Core/runtime/Symbol.cpp (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/runtime/Symbol.cpp 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/runtime/Symbol.cpp 2019-05-15 21:44:52 UTC (rev 245351)
@@ -116,11 +116,9 @@
return symbol;
}
-Symbol* Symbol::create(ExecState* exec, JSString* description)
+Symbol* Symbol::createWithDescription(VM& vm, const String& description)
{
- VM& vm = exec->vm();
- String desc = description->value(exec);
- Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, desc);
+ Symbol* symbol = new (NotNull, allocateCell<Symbol>(vm.heap)) Symbol(vm, description);
symbol->finishCreation(vm);
return symbol;
}
Modified: branches/safari-607-branch/Source/_javascript_Core/runtime/Symbol.h (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/runtime/Symbol.h 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/runtime/Symbol.h 2019-05-15 21:44:52 UTC (rev 245351)
@@ -52,7 +52,7 @@
}
static Symbol* create(VM&);
- static Symbol* create(ExecState*, JSString* description);
+ static Symbol* createWithDescription(VM&, const String&);
JS_EXPORT_PRIVATE static Symbol* create(VM&, SymbolImpl& uid);
const PrivateName& privateName() const { return m_privateName; }
Modified: branches/safari-607-branch/Source/_javascript_Core/runtime/SymbolConstructor.cpp (245350 => 245351)
--- branches/safari-607-branch/Source/_javascript_Core/runtime/SymbolConstructor.cpp 2019-05-15 21:44:48 UTC (rev 245350)
+++ branches/safari-607-branch/Source/_javascript_Core/runtime/SymbolConstructor.cpp 2019-05-15 21:44:52 UTC (rev 245351)
@@ -79,10 +79,16 @@
static EncodedJSValue JSC_HOST_CALL callSymbol(ExecState* exec)
{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
JSValue description = exec->argument(0);
if (description.isUndefined())
- return JSValue::encode(Symbol::create(exec->vm()));
- return JSValue::encode(Symbol::create(exec, description.toString(exec)));
+ return JSValue::encode(Symbol::create(vm));
+
+ String string = description.toWTFString(exec);
+ RETURN_IF_EXCEPTION(scope, { });
+ return JSValue::encode(Symbol::createWithDescription(vm, string));
}
EncodedJSValue JSC_HOST_CALL symbolConstructorFor(ExecState* exec)
