Modified: trunk/JSTests/ChangeLog (263904 => 263905)
--- trunk/JSTests/ChangeLog 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/JSTests/ChangeLog 2020-07-03 20:06:51 UTC (rev 263905)
@@ -1,5 +1,16 @@
2020-07-03 Yusuke Suzuki <[email protected]>
+ [JSC] Add exception checks before and after viewWithUnderlyingString
+ https://bugs.webkit.org/show_bug.cgi?id=213923
+ <rdar://problem/65068473>
+
+ Reviewed by Sam Weinig.
+
+ * stress/exception-checks-before-and-after-viewwithunderlyingstring.js: Added.
+ (shouldThrow):
+
+2020-07-03 Yusuke Suzuki <[email protected]>
+
[JSC] Add exception checks in JSStringBuilder and Array#join
https://bugs.webkit.org/show_bug.cgi?id=213915
<rdar://problem/64878225>
Added: trunk/JSTests/stress/exception-checks-before-and-after-viewwithunderlyingstring.js (0 => 263905)
--- trunk/JSTests/stress/exception-checks-before-and-after-viewwithunderlyingstring.js (rev 0)
+++ trunk/JSTests/stress/exception-checks-before-and-after-viewwithunderlyingstring.js 2020-07-03 20:06:51 UTC (rev 263905)
@@ -0,0 +1,31 @@
+//@ skip if $memoryLimited
+
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldThrow(() => {
+ let x = { toString: () => ''.padEnd(2 ** 31 - 1, 10..toLocaleString()) };
+ JSON.parse(x);
+}, `RangeError: Out of memory`);
+
+shouldThrow(() => {
+ let x = { toString: () => ''.padEnd(2 ** 31 - 1, 10..toLocaleString()) };
+ print(x);
+}, `RangeError: Out of memory`);
+
+shouldThrow(() => {
+ let x = { toString: () => ''.padEnd(2 ** 31 - 1, 10..toLocaleString()) };
+ debug(x);
+}, `RangeError: Out of memory`);
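Review bot: The new test covers only three of the call sites this commit patches (JSON.parse at line 44, print at line 49, debug at line 54); parseFloat, the Function constructor and String.prototype.charAt/charCodeAt receive the same before-and-after exception checks in this revision but have no regression case here. The same pathological `x` (a toString that throws from padEnd) can presumably be driven through `parseFloat(x)`, `Function(x)` and `String.prototype.charAt.call(x, 0)` / `String.prototype.charCodeAt.call(x, 0)` with the same expected `RangeError: Out of memory`, though the exact message for each should be confirmed against the shell before pinning it. Since the missing checks in those functions are the bug being fixed, leaving them untested means a later regression there would go unnoticed by this file.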
Modified: trunk/Source/_javascript_Core/ChangeLog (263904 => 263905)
--- trunk/Source/_javascript_Core/ChangeLog 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-07-03 20:06:51 UTC (rev 263905)
@@ -1,5 +1,28 @@
2020-07-03 Yusuke Suzuki <[email protected]>
+ [JSC] Add exception checks before and after viewWithUnderlyingString
+ https://bugs.webkit.org/show_bug.cgi?id=213923
+ <rdar://problem/65068473>
+
+ Reviewed by Sam Weinig.
+
+ This patch inserts missing exception checks before and after viewWithUnderlyingString.
+
+ * jsc.cpp:
+ (printInternal):
+ (functionDebug):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructFunctionSkippingEvalEnabledCheck):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncParseFloat):
+ * runtime/JSONObject.cpp:
+ (JSC::JSONProtoFuncParse):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncCharAt):
+ (JSC::stringProtoFuncCharCodeAt):
+
+2020-07-03 Yusuke Suzuki <[email protected]>
+
[JSC] Add exception checks in JSStringBuilder and Array#join
https://bugs.webkit.org/show_bug.cgi?id=213915
<rdar://problem/64878225>
Modified: trunk/Source/_javascript_Core/jsc.cpp (263904 => 263905)
--- trunk/Source/_javascript_Core/jsc.cpp 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/Source/_javascript_Core/jsc.cpp 2020-07-03 20:06:51 UTC (rev 263905)
@@ -1231,10 +1231,12 @@
if (EOF == fputc(' ', out))
goto fail;
- auto viewWithString = callFrame->uncheckedArgument(i).toString(globalObject)->viewWithUnderlyingString(globalObject);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ auto* jsString = callFrame->uncheckedArgument(i).toString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ auto viewWithString = jsString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
auto string = cStringFromViewWithString(globalObject, scope, viewWithString);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ RETURN_IF_EXCEPTION(scope, { });
fwrite(string.data(), sizeof(char), string.length(), out);
if (ferror(out))
goto fail;
@@ -1253,10 +1255,12 @@
{
VM& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
- auto viewWithString = callFrame->argument(0).toString(globalObject)->viewWithUnderlyingString(globalObject);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ auto* jsString = callFrame->argument(0).toString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ auto viewWithString = jsString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
auto string = cStringFromViewWithString(globalObject, scope, viewWithString);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ RETURN_IF_EXCEPTION(scope, { });
fputs("--> ", stderr);
fwrite(string.data(), sizeof(char), string.length(), stderr);
fputc('\n', stderr);
Modified: trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp (263904 => 263905)
--- trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp 2020-07-03 20:06:51 UTC (rev 263905)
@@ -117,12 +117,16 @@
StringBuilder builder(StringBuilder::OverflowHandler::RecordOverflow);
builder.append(prefix, functionName.string(), '(');
- auto viewWithString = args.at(0).toString(globalObject)->viewWithUnderlyingString(globalObject);
+ auto* jsString = args.at(0).toString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
+ auto viewWithString = jsString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, nullptr);
builder.append(viewWithString.view);
for (size_t i = 1; !builder.hasOverflowed() && i < args.size() - 1; i++) {
- auto viewWithString = args.at(i).toString(globalObject)->viewWithUnderlyingString(globalObject);
+ auto* jsString = args.at(i).toString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
+ auto viewWithString = jsString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, nullptr);
builder.append(", ", viewWithString.view);
}
if (UNLIKELY(builder.hasOverflowed())) {
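Review bot: The loop body now shadows two outer locals instead of one: `jsString` declared in the loop at line 135 hides the `jsString` from line 128, just as the loop's `viewWithString` (line 137) already hid the one from line 130. The behaviour is correct because each inner name is used only within its own iteration, but shadowing makes the exception-check sequence harder to audit and trips -Wshadow builds; distinct names such as `auto* parameterString = args.at(i).toString(globalObject);`, `auto parameterView = parameterString->viewWithUnderlyingString(globalObject);` and `builder.append(", ", parameterView.view);` would read more clearly. constructFunctionSkippingEvalEnabledCheck begins before this hunk, so the guard on `args.size()` that the `args.size() - 1` bound at line 133 relies on is not visible here.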
@@ -132,8 +136,10 @@
functionConstructorParametersEndPosition = builder.length() + 1;
- auto body = args.at(args.size() - 1).toString(globalObject)->viewWithUnderlyingString(globalObject);
+ auto* bodyString = args.at(args.size() - 1).toString(globalObject);
RETURN_IF_EXCEPTION(scope, nullptr);
+ auto body = bodyString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, nullptr);
builder.append(") {\n", body.view, "\n}");
if (UNLIKELY(builder.hasOverflowed())) {
throwOutOfMemoryError(globalObject, scope);
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (263904 => 263905)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2020-07-03 20:06:51 UTC (rev 263905)
@@ -527,7 +527,13 @@
EncodedJSValue JSC_HOST_CALL globalFuncParseFloat(JSGlobalObject* globalObject, CallFrame* callFrame)
{
- auto viewWithString = callFrame->argument(0).toString(globalObject)->viewWithUnderlyingString(globalObject);
+ VM& vm = globalObject->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
+ auto* jsString = callFrame->argument(0).toString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ auto viewWithString = jsString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
return JSValue::encode(jsNumber(parseFloat(viewWithString.view)));
}
Modified: trunk/Source/_javascript_Core/runtime/JSONObject.cpp (263904 => 263905)
--- trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2020-07-03 20:06:51 UTC (rev 263905)
@@ -787,8 +787,10 @@
{
VM& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
- auto viewWithString = callFrame->argument(0).toString(globalObject)->viewWithUnderlyingString(globalObject);
+ auto* string = callFrame->argument(0).toString(globalObject);
RETURN_IF_EXCEPTION(scope, { });
+ auto viewWithString = string->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
StringView view = viewWithString.view;
JSValue unfiltered;
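Review bot: The new local at line 176 is named `string`, while every other site touched by this commit (jsc.cpp, FunctionConstructor.cpp, JSGlobalObjectFunctions.cpp) names the intermediate `jsString` and StringPrototype.cpp uses `thisString`; a bare `string` next to a `StringView view` on line 180 is easy to misread as the view's owner rather than the JSString cell. Renaming to `auto* jsString = callFrame->argument(0).toString(globalObject);` and `auto viewWithString = jsString->viewWithUnderlyingString(globalObject);` keeps the pattern uniform across the patch. JSONProtoFuncParse's signature is above this hunk, so the surrounding locals are only partly visible.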
Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (263904 => 263905)
--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2020-07-03 19:59:54 UTC (rev 263904)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2020-07-03 20:06:51 UTC (rev 263905)
@@ -979,10 +979,11 @@
JSValue thisValue = callFrame->thisValue();
if (!checkObjectCoercible(thisValue))
return throwVMTypeError(globalObject, scope);
- auto viewWithString = thisValue.toString(globalObject)->viewWithUnderlyingString(globalObject);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ auto* thisString = thisValue.toString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ auto viewWithString = thisString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
StringView view = viewWithString.view;
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
JSValue a0 = callFrame->argument(0);
if (a0.isUInt32()) {
uint32_t i = a0.asUInt32();
@@ -991,7 +992,7 @@
return JSValue::encode(jsEmptyString(vm));
}
double dpos = a0.toInteger(globalObject);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ RETURN_IF_EXCEPTION(scope, { });
if (dpos >= 0 && dpos < view.length())
return JSValue::encode(jsSingleCharacterString(vm, view[static_cast<unsigned>(dpos)]));
return JSValue::encode(jsEmptyString(vm));
@@ -1005,8 +1006,10 @@
JSValue thisValue = callFrame->thisValue();
if (!checkObjectCoercible(thisValue))
return throwVMTypeError(globalObject, scope);
- auto viewWithString = thisValue.toString(globalObject)->viewWithUnderlyingString(globalObject);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ auto* thisString = thisValue.toString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
+ auto viewWithString = thisString->viewWithUnderlyingString(globalObject);
+ RETURN_IF_EXCEPTION(scope, { });
StringView view = viewWithString.view;
JSValue a0 = callFrame->argument(0);
if (a0.isUInt32()) {
@@ -1016,7 +1019,7 @@
return JSValue::encode(jsNaN());
}
double dpos = a0.toInteger(globalObject);
- RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ RETURN_IF_EXCEPTION(scope, { });
if (dpos >= 0 && dpos < view.length())
return JSValue::encode(jsNumber(view[static_cast<int>(dpos)]));
return JSValue::encode(jsNaN());