Modified: trunk/JSTests/ChangeLog (253457 => 253458)
--- trunk/JSTests/ChangeLog 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/JSTests/ChangeLog 2019-12-13 01:11:15 UTC (rev 253458)
@@ -1,5 +1,15 @@
2019-12-12 Mark Lam <[email protected]>
+ Fix missing exception in JSValue::toWTFStringSlowCase().
+ https://bugs.webkit.org/show_bug.cgi?id=205176
+ <rdar://problem/57871899>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js: Added.
+
+2019-12-12 Mark Lam <[email protected]>
+
Fix missing exception check in JSON Stringifier's gap function.
https://bugs.webkit.org/show_bug.cgi?id=205171
<rdar://problem/57871842>
Added: trunk/JSTests/stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js (0 => 253458)
--- trunk/JSTests/stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js 2019-12-13 01:11:15 UTC (rev 253458)
@@ -0,0 +1,11 @@
+//@ skip if $memoryLimited
+//@ runDefault
+
+try {
+ RegExp({toString: ()=> ''.padEnd(2**31-1, 10 .toLocaleString()) });
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "Error: Out of memory")
+ throw "FAILED";
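Review bot: `exception` is never declared, so if the `RegExp(...)` call on line 28 unexpectedly returns without throwing, the read in `if (exception != "Error: Out of memory")` fails with a ReferenceError instead of reaching the intended `throw "FAILED"`. The test still fails in that case, but for a misleading reason that looks like a test bug rather than a missing exception. Declaring it up front with `let exception;` before the `try` makes the no-throw path report `FAILED` as designed. The comparison also relies on the exact message text, so a one-line comment that the expected outcome is the out-of-memory error from the oversized `padEnd` result would help whoever next touches the error wording.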
Modified: trunk/Source/_javascript_Core/ChangeLog (253457 => 253458)
--- trunk/Source/_javascript_Core/ChangeLog 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-12-13 01:11:15 UTC (rev 253458)
@@ -1,3 +1,25 @@
+2019-12-12 Mark Lam <[email protected]>
+
+ Fix missing exception in JSValue::toWTFStringSlowCase().
+ https://bugs.webkit.org/show_bug.cgi?id=205176
+ <rdar://problem/57871899>
+
+ Reviewed by Yusuke Suzuki.
+
+ Also fix all the new exception check failures that fall out of change.
+ Also replaced some ASSERTs with EXCEPTION_ASSERT so that we can run the exception
+ check validation on a release build.
+
+ * dfg/DFGOperations.cpp:
+ * jsc.cpp:
+ (dumpException):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncPush):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createError):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::toWTFStringSlowCase const):
+
2019-12-12 Yusuke Suzuki <[email protected]>
[JSC] Lock-down JSGlobalObject and derived classes in IsoSubspace
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (253457 => 253458)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-12-13 01:11:15 UTC (rev 253458)
@@ -2375,7 +2375,7 @@
return JSValue::encode(jsBoolean(false));
JSObject* base = baseValue.toObject(globalObject);
- ASSERT(!scope.exception() || !base);
+ EXCEPTION_ASSERT(!scope.exception() || !base);
if (!base)
return JSValue::encode(JSValue());
auto propertyName = asString(property)->toIdentifier(globalObject);
Modified: trunk/Source/_javascript_Core/jsc.cpp (253457 => 253458)
--- trunk/Source/_javascript_Core/jsc.cpp 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/Source/_javascript_Core/jsc.cpp 2019-12-13 01:11:15 UTC (rev 253458)
@@ -2514,6 +2514,7 @@
} while (false)
auto exceptionString = exception.toWTFString(globalObject);
+ CHECK_EXCEPTION();
Expected<CString, UTF8ConversionError> expectedCString = exceptionString.tryGetUtf8();
if (expectedCString)
printf("Exception: %s\n", expectedCString.value().data());
@@ -2538,16 +2539,20 @@
JSValue stackValue = exception.get(globalObject, stackID);
CHECK_EXCEPTION();
- if (nameValue.toWTFString(globalObject) == "SyntaxError"
- && (!fileNameValue.isUndefinedOrNull() || !lineNumberValue.isUndefinedOrNull())) {
- printf(
- "at %s:%s\n",
- fileNameValue.toWTFString(globalObject).utf8().data(),
- lineNumberValue.toWTFString(globalObject).utf8().data());
+ auto nameString = nameValue.toWTFString(globalObject);
+ CHECK_EXCEPTION();
+
+ if (nameString == "SyntaxError" && (!fileNameValue.isUndefinedOrNull() || !lineNumberValue.isUndefinedOrNull())) {
+ auto fileNameString = fileNameValue.toWTFString(globalObject);
+ CHECK_EXCEPTION();
+ auto lineNumberString = lineNumberValue.toWTFString(globalObject);
+ CHECK_EXCEPTION();
+ printf("at %s:%s\n", fileNameString.utf8().data(), lineNumberString.utf8().data());
}
if (!stackValue.isUndefinedOrNull()) {
auto stackString = stackValue.toWTFString(globalObject);
+ CHECK_EXCEPTION();
if (stackString.length())
printf("%s\n", stackString.utf8().data());
}
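Review bot: The new lines 101 and 107 print `fileNameString.utf8().data()`, `lineNumberString.utf8().data()` and `stackString.utf8().data()` directly, whereas the exception message at the top of the function (line 81) goes through `tryGetUtf8()` and checks the `Expected` before printing. If `utf8()` can fail in the same way `tryGetUtf8()` guards against, these strings deserve the same guarded conversion; if it cannot, a short comment on why only the message needs it would settle the question. The `CHECK_EXCEPTION()` additions themselves look right: each `toWTFString` result is now checked before it is used. `dumpException` begins before the hunk and the body of the `CHECK_EXCEPTION` macro is outside it, so how a pending exception is reported cannot be confirmed from here.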
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (253457 => 253458)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2019-12-13 01:11:15 UTC (rev 253458)
@@ -889,7 +889,9 @@
thisObj->methodTable(vm)->putByIndex(thisObj, globalObject, length + n, callFrame->uncheckedArgument(n), true);
else {
PutPropertySlot slot(thisObj);
- Identifier propertyName = Identifier::fromString(vm, JSValue(static_cast<int64_t>(length) + static_cast<int64_t>(n)).toWTFString(globalObject));
+ auto string = JSValue(static_cast<int64_t>(length) + static_cast<int64_t>(n)).toWTFString(globalObject);
+ RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ Identifier propertyName = Identifier::fromString(vm, string);
thisObj->methodTable(vm)->put(thisObj, globalObject, propertyName, callFrame->uncheckedArgument(n), slot);
}
RETURN_IF_EXCEPTION(scope, encodedJSValue());
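Review bot: The local `string` introduced at line 117 says nothing about what it holds; `indexString` or `propertyNameString` would read better, and `string` is also the name used for the `JSString*` in the JSCJSValue.cpp hunk of this same commit, which invites confusion when reading the two side by side. The `JSValue` here is built from an `int64_t`, so it is numeric, and the int32 fast path shown in the `toWTFStringSlowCase` hunk returns straight from `numericStrings` without throwing; if the double path behaves the same, the added `RETURN_IF_EXCEPTION` exists to satisfy exception-check validation rather than for a throw that can occur at this site, and a one-line comment saying so, e.g. `// Numeric toWTFString does not throw; check kept for exception-check validation.`, would spare the next reader the same investigation. `arrayProtoFuncPush` starts and ends outside the hunk.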
Modified: trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp (253457 => 253458)
--- trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2019-12-13 01:11:15 UTC (rev 253458)
@@ -266,7 +266,7 @@
auto scope = DECLARE_CATCH_SCOPE(vm);
String valueDescription = errorDescriptionForValue(globalObject, value);
- ASSERT(scope.exception() || !!valueDescription);
+ EXCEPTION_ASSERT(scope.exception() || !!valueDescription);
if (!valueDescription) {
scope.clearException();
return createOutOfMemoryError(globalObject);
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (253457 => 253458)
--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2019-12-13 01:09:08 UTC (rev 253457)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2019-12-13 01:11:15 UTC (rev 253458)
@@ -404,6 +404,7 @@
String JSValue::toWTFStringSlowCase(JSGlobalObject* globalObject) const
{
VM& vm = globalObject->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
if (isInt32())
return vm.numericStrings.add(asInt32());
if (isDouble())
@@ -416,7 +417,9 @@
return vm.propertyNames->nullKeyword.string();
if (isUndefined())
return vm.propertyNames->undefinedKeyword.string();
- return toString(globalObject)->value(globalObject);
+ JSString* string = toString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ RELEASE_AND_RETURN(scope, string->value(globalObject));
}
} // namespace JSC
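Review bot: The new early return at line 151 hands back a null `String` when `toString()` throws, and nothing at the function states that a null result means an exception is pending and the scope must be checked; the callers patched elsewhere in this commit (jsc.cpp, ArrayPrototype.cpp) show how easily that contract is missed. A header comment above line 138 would pin it down, e.g. `// toString() may run user code (such as a toString callback) and can throw; on exception this returns a null String with the exception still pending, so callers must check the scope before using the result.` The accompanying stress test triggers exactly this through a `toString` callback that builds an oversized string, which is worth naming in the comment as the concrete case. Declaring the throw scope at the top of the function is fine, since the numeric and keyword fast paths return directly without touching it.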