Title: [261773] trunk
- Revision
- 261773
- Author
- [email protected]
- Date
- 2020-05-15 18:23:40 -0700 (Fri, 15 May 2020)
Log Message
[JSC] getFunctionRealm should not use recursion
https://bugs.webkit.org/show_bug.cgi?id=211965
<rdar://problem/63268287>
Reviewed by Saam Barati.
JSTests:
* stress/get-function-realm-not-doing-recursion.js: Added.
(canThrow):
(const.emptyFunction):
Source/_javascript_Core:
This patch removes the recursion from getFunctionRealm to avoid a stack overflow.
* runtime/InternalFunction.cpp:
(JSC::getFunctionRealm):
Modified: trunk/JSTests/ChangeLog (261772 => 261773)
--- trunk/JSTests/ChangeLog 2020-05-16 01:17:21 UTC (rev 261772)
+++ trunk/JSTests/ChangeLog 2020-05-16 01:23:40 UTC (rev 261773)
@@ -1,3 +1,15 @@
+2020-05-15 Yusuke Suzuki <[email protected]>
+
+ [JSC] getFunctionRealm should not use recursion
+ https://bugs.webkit.org/show_bug.cgi?id=211965
+ <rdar://problem/63268287>
+
+ Reviewed by Saam Barati.
+
+ * stress/get-function-realm-not-doing-recursion.js: Added.
+ (canThrow):
+ (const.emptyFunction):
+
2020-05-15 Paulo Matos <[email protected]>
Skip tests in ARM and MIPS post r261667
Added: trunk/JSTests/stress/get-function-realm-not-doing-recursion.js (0 => 261773)
--- trunk/JSTests/stress/get-function-realm-not-doing-recursion.js (rev 0)
+++ trunk/JSTests/stress/get-function-realm-not-doing-recursion.js 2020-05-16 01:23:40 UTC (rev 261773)
@@ -0,0 +1,31 @@
+//@ skip if $buildType != "debug"
+//@ runDefault("--useConcurrentJIT=0")
+
+function canThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ print(error.message);
+ }
+ if (errorThrown && String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+ return false;
+}
+
+const emptyFunction = function() {};
+
+function makeLongProxyChain() {
+ let p = new Proxy(emptyFunction, {});
+ for (let i = 0; i < 200000; i++)
+ p = new Proxy(p, {});
+ return p;
+}
+
+let p = makeLongProxyChain();
+canThrow(() => {
+ Reflect.construct(Object, [], p);
+}, `RangeError: Maximum call stack size exceeded.`);
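Review bot: canThrow never fails when func() completes without throwing, so this test only asserts that *if* an error escapes Reflect.construct it is the RangeError, while the real property under test, that a 200000-deep proxy/bound chain no longer overflows the stack inside getFunctionRealm (a crash in a debug build), is implicit. A short comment above the final canThrow call would make the intent clear, e.g. `// Walking this chain must not overflow the stack in getFunctionRealm; a RangeError raised later (presumably by the proxy traps during the "prototype" lookup) is tolerated.` The helper's `return false` is unconditional and its value is never used, and `print(error.message)` writes to the test output for no assertion purpose; both could be dropped. The `//@ skip if $buildType != "debug"` directive also means release bots never exercise this chain, which is worth a one-line justification in the header.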
Modified: trunk/Source/_javascript_Core/ChangeLog (261772 => 261773)
--- trunk/Source/_javascript_Core/ChangeLog 2020-05-16 01:17:21 UTC (rev 261772)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-05-16 01:23:40 UTC (rev 261773)
@@ -1,3 +1,16 @@
+2020-05-15 Yusuke Suzuki <[email protected]>
+
+ [JSC] getFunctionRealm should not use recursion
+ https://bugs.webkit.org/show_bug.cgi?id=211965
+ <rdar://problem/63268287>
+
+ Reviewed by Saam Barati.
+
+ This patch avoids using recursion in getFunctionRealm to avoid stack-overflow.
+
+ * runtime/InternalFunction.cpp:
+ (JSC::getFunctionRealm):
+
2020-05-15 Keith Miller <[email protected]>
Unreviewed, fix internal arm64e build.
Modified: trunk/Source/_javascript_Core/runtime/InternalFunction.cpp (261772 => 261773)
--- trunk/Source/_javascript_Core/runtime/InternalFunction.cpp 2020-05-16 01:17:21 UTC (rev 261772)
+++ trunk/Source/_javascript_Core/runtime/InternalFunction.cpp 2020-05-16 01:23:40 UTC (rev 261773)
@@ -157,20 +157,26 @@
{
ASSERT(object->isCallable(vm));
- if (object->inherits<JSBoundFunction>(vm))
- return getFunctionRealm(vm, jsCast<JSBoundFunction*>(object)->targetFunction());
+ while (true) {
+ if (object->inherits<JSBoundFunction>(vm)) {
+ object = jsCast<JSBoundFunction*>(object)->targetFunction();
+ continue;
+ }
- if (object->type() == ProxyObjectType) {
- auto* proxy = jsCast<ProxyObject*>(object);
- // Per step 4.a, a TypeError should be thrown for revoked Proxy, yet we skip it since:
- // a) It is barely observable anyway: "prototype" lookup in createSubclassStructure() will throw for revoked Proxy.
- // b) Throwing getFunctionRealm() will restrict calling it inline as an argument of createSubclassStructure().
- // c) There is ongoing discussion on removing it: https://github.com/tc39/ecma262/issues/1798.
- if (!proxy->isRevoked())
- return getFunctionRealm(vm, proxy->target());
+ if (object->type() == ProxyObjectType) {
+ auto* proxy = jsCast<ProxyObject*>(object);
+ // Per step 4.a, a TypeError should be thrown for revoked Proxy, yet we skip it since:
+ // a) It is barely observable anyway: "prototype" lookup in createSubclassStructure() will throw for revoked Proxy.
+ // b) Throwing getFunctionRealm() will restrict calling it inline as an argument of createSubclassStructure().
+ // c) There is ongoing discussion on removing it: https://github.com/tc39/ecma262/issues/1798.
+ if (!proxy->isRevoked()) {
+ object = proxy->target();
+ continue;
+ }
+ }
+
+ return object->globalObject(vm);
}
-
- return object->globalObject(vm);
}
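Review bot: The new `while (true)` loop has no comment explaining why it terminates, which a reader checking this path against script-controlled input (the chains are built by untrusted JS, as the test shows) will want, since the previous recursive form at least bounded itself by the stack. Each iteration replaces object with a target that was fixed when the bound function or proxy was created, so the chain is a finite acyclic list and the loop cannot spin; I would record that above the loop: `// Each step follows a target fixed at construction time (bound target or proxy target), so the chain is acyclic and finite: the loop terminates.` The `ASSERT(object->isCallable(vm))` at the top now only covers the initial object; moving it to the first line of the loop body would assert the invariant on every hop at no release cost. The function's signature is outside the hunk.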