Title: [265493] trunk/Source/_javascript_Core
Revision
265493
Author
[email protected]
Date
2020-08-11 01:23:16 -0700 (Tue, 11 Aug 2020)

Log Message

ScriptExecutable::newCodeBlockFor() neglected to set the exception pointer result in one case.
https://bugs.webkit.org/show_bug.cgi?id=215357
<rdar://problem/57675112>

Reviewed by Yusuke Suzuki.

At the bottom of ScriptExecutable::newCodeBlockFor(), it calls:
    RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope));

However, ScriptExecutable::newCodeBlockFor() has 2 return values: a CodeBlock*,
and a passed in Exception*& that needs to be set if there's an exception.
FunctionCodeBlock::create() is capable of returning a null CodeBlock* because
CodeBlock::finishCreation() can throw exceptions.  As a result, we have a scenario
here where ScriptExecutable::newCodeBlockFor() can return a null CodeBlock* without
setting the Exception*& result.

Consequently, Interpreter::executeCall() is relying on this and can end up
crashing while dereferencing a null CodeBlock* because the exception result was
not set.

This patch fixes ScriptExecutable::newCodeBlockFor() to set the exception result.

* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (265492 => 265493)


--- trunk/Source/_javascript_Core/ChangeLog	2020-08-11 08:17:37 UTC (rev 265492)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-08-11 08:23:16 UTC (rev 265493)
@@ -1,3 +1,30 @@
+2020-08-11  Mark Lam  <[email protected]>
+
+        ScriptExecutable::newCodeBlockFor() neglected to set the exception pointer result in one case.
+        https://bugs.webkit.org/show_bug.cgi?id=215357
+        <rdar://problem/57675112>
+
+        Reviewed by Yusuke Suzuki.
+
+        At the bottom of ScriptExecutable::newCodeBlockFor(), it calls:
+            RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope));
+
+        However, ScriptExecutable::newCodeBlockFor() has 2 return values: a CodeBlock*,
+        and a passed in Exception*& that needs to be set if there's an exception.
+        FunctionCodeBlock::create() is capable of returning a null CodeBlock* because
+        CodeBlock::finishCreation() can throw exceptions.  As a result, we have a scenario
+        here where ScriptExecutable::newCodeBlockFor() can return a null CodeBlock* without
+        setting the Exception*& result.
+
+        Consequently, Interpreter::executeCall() is relying on this and can end up
+        crashing while dereferencing a null CodeBlock* because the exception result was
+        not set.
+
+        This patch fixes ScriptExecutable::newCodeBlockFor() to set the exception result.
+
+        * runtime/ScriptExecutable.cpp:
+        (JSC::ScriptExecutable::newCodeBlockFor):
+
 2020-08-10  Lauro Moura  <[email protected]>
 
         [CMake][JSC] Fix testapiScripts copy location

Modified: trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp (265492 => 265493)


--- trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp	2020-08-11 08:17:37 UTC (rev 265492)
+++ trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp	2020-08-11 08:23:16 UTC (rev 265493)
@@ -261,7 +261,7 @@
         RELEASE_ASSERT(kind == CodeForCall);
         RELEASE_ASSERT(!executable->m_evalCodeBlock);
         RELEASE_ASSERT(!function);
-        auto codeBlock = EvalCodeBlock::create(vm,
+        auto* codeBlock = EvalCodeBlock::create(vm,
             executable, executable->m_unlinkedEvalCodeBlock.get(), scope);
         EXCEPTION_ASSERT(throwScope.exception() || codeBlock);
         if (!codeBlock) {
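Review bot: the `auto` to `auto*` change on the `EvalCodeBlock::create(vm,` line is a readability cleanup that makes the pointer type explicit at the declaration; it does not alter behaviour, and the same rewrite is repeated for the program and module-program cases below, which keeps the three paths uniform. Since it is unrelated to the exception-result fix described in the log, it would ideally be called out in the ChangeLog entry so a reader does not look for a functional change here.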
@@ -278,7 +278,7 @@
         RELEASE_ASSERT(kind == CodeForCall);
         RELEASE_ASSERT(!executable->m_programCodeBlock);
         RELEASE_ASSERT(!function);
-        auto codeBlock = ProgramCodeBlock::create(vm,
+        auto* codeBlock = ProgramCodeBlock::create(vm,
             executable, executable->m_unlinkedProgramCodeBlock.get(), scope);
         EXCEPTION_ASSERT(throwScope.exception() || codeBlock);
         if (!codeBlock) {
@@ -295,7 +295,7 @@
         RELEASE_ASSERT(kind == CodeForCall);
         RELEASE_ASSERT(!executable->m_moduleProgramCodeBlock);
         RELEASE_ASSERT(!function);
-        auto codeBlock = ModuleProgramCodeBlock::create(vm,
+        auto* codeBlock = ModuleProgramCodeBlock::create(vm,
             executable, executable->m_unlinkedModuleProgramCodeBlock.get(), scope);
         EXCEPTION_ASSERT(throwScope.exception() || codeBlock);
         if (!codeBlock) {
@@ -337,7 +337,10 @@
         return nullptr;
     }
 
-    RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope));
+    auto* codeBlock = FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope);
+    if (throwScope.exception())
+        exception = throwScope.exception();
+    return codeBlock;
 }
 
 CodeBlock* ScriptExecutable::newReplacementCodeBlockFor(
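Review bot: the new tail after `auto* codeBlock = FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope);` now propagates the exception, but it lacks the `EXCEPTION_ASSERT(throwScope.exception() || codeBlock);` that the eval, program and module-program paths in the earlier hunks carry, so the "null result implies pending exception" invariant this bug was about is not checked in debug builds for the function case. Adding that assert, and mirroring the other three paths' `if (!codeBlock) {` shape so the `exception` out-parameter is only written on the null path, would make all four cases read the same and let the caller distinguish a successful create from a failed one without re-reading `throwScope`.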
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
