Diff
Modified: trunk/JSTests/ChangeLog (248801 => 248802)
--- trunk/JSTests/ChangeLog 2019-08-16 23:02:16 UTC (rev 248801)
+++ trunk/JSTests/ChangeLog 2019-08-16 23:49:27 UTC (rev 248802)
@@ -1,5 +1,18 @@
2019-08-16 Mark Lam <mark....@apple.com>
+ More missing exception checks in string comparison operators.
+ https://bugs.webkit.org/show_bug.cgi?id=200844
+ <rdar://problem/54378684>
+
+ Reviewed by Saam Barati.
+
+ * stress/missing-exception-check-in-string-greater-than-compare.js: Added.
+ * stress/missing-exception-check-in-string-greater-than-or-equal-compare.js: Added.
+ * stress/missing-exception-check-in-string-less-than-compare.js: Added.
+ * stress/missing-exception-check-in-string-less-than-or-equal-compare.js: Added.
+
+2019-08-16 Mark Lam <mark....@apple.com>
+
CodeBlock destructor should clear all of its watchpoints.
https://bugs.webkit.org/show_bug.cgi?id=200792
<rdar://problem/53947800>
Added: trunk/JSTests/stress/missing-exception-check-in-string-greater-than-compare.js (0 => 248802)
--- trunk/JSTests/stress/missing-exception-check-in-string-greater-than-compare.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-greater-than-compare.js 2019-08-16 23:49:27 UTC (rev 248802)
@@ -0,0 +1,21 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ '' > s1;
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
+
+exception = undefined;
+
+const s2 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ s2 > '';
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
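Review bot: `exception` is never declared in this test, so if the first comparison (`'' > s1`) does not throw, the check `exception != 'Error: Out of memory'` raises a ReferenceError instead of the intended `"FAILED"`, and the assignment in the `catch` block creates an implicit global. Declaring `let exception;` above the first `try` would make a regression show up as a plain test failure. The three sibling files added for `>=`, `<` and `<=` have the same pattern. The `padEnd(2**31-1, 'aa')` call also sits outside the `try`, so the test presumably relies on the result being a lazily resolved rope; a one-line comment such as `// padEnd returns a rope; the OOM is expected when the comparison resolves it.` would help whoever triages a failure here.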
Added: trunk/JSTests/stress/missing-exception-check-in-string-greater-than-or-equal-compare.js (0 => 248802)
--- trunk/JSTests/stress/missing-exception-check-in-string-greater-than-or-equal-compare.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-greater-than-or-equal-compare.js 2019-08-16 23:49:27 UTC (rev 248802)
@@ -0,0 +1,21 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ '' >= s1;
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
+
+exception = undefined;
+
+const s2 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ s2 >= '';
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
Added: trunk/JSTests/stress/missing-exception-check-in-string-less-than-compare.js (0 => 248802)
--- trunk/JSTests/stress/missing-exception-check-in-string-less-than-compare.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-less-than-compare.js 2019-08-16 23:49:27 UTC (rev 248802)
@@ -0,0 +1,21 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ '' < s1;
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
+
+exception = undefined;
+
+const s2 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ s2 < '';
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
Added: trunk/JSTests/stress/missing-exception-check-in-string-less-than-or-equal-compare.js (0 => 248802)
--- trunk/JSTests/stress/missing-exception-check-in-string-less-than-or-equal-compare.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-string-less-than-or-equal-compare.js 2019-08-16 23:49:27 UTC (rev 248802)
@@ -0,0 +1,21 @@
+const s1 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ '' <= s1;
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
+
+exception = undefined;
+
+const s2 = (-1).toLocaleString().padEnd(2**31-1, 'aa');
+try {
+ s2 <= '';
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'Error: Out of memory')
+ throw "FAILED";
Modified: trunk/Source/_javascript_Core/ChangeLog (248801 => 248802)
--- trunk/Source/_javascript_Core/ChangeLog 2019-08-16 23:02:16 UTC (rev 248801)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-08-16 23:49:27 UTC (rev 248802)
@@ -1,5 +1,17 @@
2019-08-16 Mark Lam <mark....@apple.com>
+ More missing exception checks in string comparison operators.
+ https://bugs.webkit.org/show_bug.cgi?id=200844
+ <rdar://problem/54378684>
+
+ Reviewed by Saam Barati.
+
+ * runtime/Operations.h:
+ (JSC::jsLess):
+ (JSC::jsLessEq):
+
+2019-08-16 Mark Lam <mark....@apple.com>
+
CodeBlock destructor should clear all of its watchpoints.
https://bugs.webkit.org/show_bug.cgi?id=200792
<rdar://problem/53947800>
Modified: trunk/Source/_javascript_Core/runtime/Operations.h (248801 => 248802)
--- trunk/Source/_javascript_Core/runtime/Operations.h 2019-08-16 23:02:16 UTC (rev 248801)
+++ trunk/Source/_javascript_Core/runtime/Operations.h 2019-08-16 23:49:27 UTC (rev 248802)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten (por...@kde.org)
- * Copyright (C) 2002-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2002-2019 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -352,8 +352,13 @@
if (v1.isNumber() && v2.isNumber())
return v1.asNumber() < v2.asNumber();
- if (isJSString(v1) && isJSString(v2))
- return codePointCompareLessThan(asString(v1)->value(callFrame), asString(v2)->value(callFrame));
+ if (isJSString(v1) && isJSString(v2)) {
+ String s1 = asString(v1)->value(callFrame);
+ RETURN_IF_EXCEPTION(scope, false);
+ String s2 = asString(v2)->value(callFrame);
+ RETURN_IF_EXCEPTION(scope, false);
+ return codePointCompareLessThan(s1, s2);
+ }
double n1;
double n2;
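Review bot: The new block does not say why the two `value(callFrame)` calls are now split, so a later cleanup could fold them back into a single expression and drop the checks. A comment above `String s1 = ...` would record it, for example `// value() may need to resolve a rope and can throw (e.g. out of memory); check after each call before using the result.`, which is what the added stress tests suggest. `scope` is declared outside this hunk and the function body begins and ends outside it, so it cannot be confirmed from here that `scope` is the function's throw scope. Returning `false` with an exception pending is only correct if every caller checks for the exception before using the boolean, which is worth confirming at the call sites. The identical sequence in the following hunk (`@@ -397,8 +402,13 @@`, the `<=` path) would take the same comment.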
@@ -397,8 +402,13 @@
if (v1.isNumber() && v2.isNumber())
return v1.asNumber() <= v2.asNumber();
- if (isJSString(v1) && isJSString(v2))
- return !codePointCompareLessThan(asString(v2)->value(callFrame), asString(v1)->value(callFrame));
+ if (isJSString(v1) && isJSString(v2)) {
+ String s1 = asString(v1)->value(callFrame);
+ RETURN_IF_EXCEPTION(scope, false);
+ String s2 = asString(v2)->value(callFrame);
+ RETURN_IF_EXCEPTION(scope, false);
+ return !codePointCompareLessThan(s2, s1);
+ }
double n1;
double n2;