Title: [271574] trunk
- Revision: 271574
- Author: [email protected]
- Date: 2021-01-18 00:40:04 -0800 (Mon, 18 Jan 2021)
Log Message
[JSC] callerIsOMGCompiled should be robust
https://bugs.webkit.org/show_bug.cgi?id=220697
Reviewed by Mark Lam.
JSTests:
* stress/callerIsOMGCompiled-should-be-robust.js: Added.
Source/_javascript_Core:
This function did not work if it was called from a microtask / unhandled rejection, since there is no caller frame.
This patch makes this function more robust against such usage.
* jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
Diff
Modified: trunk/JSTests/ChangeLog (271573 => 271574)
--- trunk/JSTests/ChangeLog 2021-01-18 07:56:44 UTC (rev 271573)
+++ trunk/JSTests/ChangeLog 2021-01-18 08:40:04 UTC (rev 271574)
@@ -1,3 +1,12 @@
+2021-01-18 Yusuke Suzuki <[email protected]>
+
+ [JSC] callerIsOMGCompiled should be robust
+ https://bugs.webkit.org/show_bug.cgi?id=220697
+
+ Reviewed by Mark Lam.
+
+ * stress/callerIsOMGCompiled-should-be-robust.js: Added.
+
2021-01-17 Yusuke Suzuki <[email protected]>
[JSC] DFG/FTL Atomics should not accept Float32/Float64 typed arrays
Added: trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js (0 => 271574)
--- trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js (rev 0)
+++ trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js 2021-01-18 08:40:04 UTC (rev 271574)
@@ -0,0 +1,2 @@
+setUnhandledRejectionCallback(callerIsOMGCompiled);
+Promise.reject();
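Review bot: the test covers only the unhandled-rejection path, while the ChangeLog describes the bug as affecting "microtask / unhandled rejection"; a second case that runs callerIsOMGCompiled as a microtask (for example `Promise.resolve().then(callerIsOMGCompiled);`) would exercise the other half. The file also has no comment saying what it guards against (callerFrame() being null and dereferenced unchecked before this patch) and passes simply by not crashing, so a one-line header comment would make the intent clear to whoever next touches it.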
Modified: trunk/Source/_javascript_Core/ChangeLog (271573 => 271574)
--- trunk/Source/_javascript_Core/ChangeLog 2021-01-18 07:56:44 UTC (rev 271573)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-01-18 08:40:04 UTC (rev 271574)
@@ -1,3 +1,16 @@
+2021-01-18 Yusuke Suzuki <[email protected]>
+
+ [JSC] callerIsOMGCompiled should be robust
+ https://bugs.webkit.org/show_bug.cgi?id=220697
+
+ Reviewed by Mark Lam.
+
+ This function did not work if this function is called from microtask / unhandled rejection since there is no caller frame.
+ This patch makes this function more robust against such usage.
+
+ * jsc.cpp:
+ (JSC_DEFINE_HOST_FUNCTION):
+
2021-01-17 Yusuke Suzuki <[email protected]>
[JSC] DFG/FTL Atomics should not accept Float32/Float64 typed arrays
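Review bot: "did not work" undersells the defect; the jsc.cpp change shows that callerFrame() could return null and was dereferenced without a check, so stating that explicitly (a null caller frame was dereferenced when invoked from a microtask or the unhandled-rejection callback) would make this entry more useful when someone reads the history later.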
Modified: trunk/Source/_javascript_Core/jsc.cpp (271573 => 271574)
--- trunk/Source/_javascript_Core/jsc.cpp 2021-01-18 07:56:44 UTC (rev 271573)
+++ trunk/Source/_javascript_Core/jsc.cpp 2021-01-18 08:40:04 UTC (rev 271574)
@@ -1774,7 +1774,7 @@
CallerFunctor wasmToJSFrame;
StackVisitor::visit(callFrame, vm, wasmToJSFrame);
- if (!wasmToJSFrame.callerFrame()->isAnyWasmCallee())
+ if (!wasmToJSFrame.callerFrame() || !wasmToJSFrame.callerFrame()->isAnyWasmCallee())
return throwVMError(globalObject, scope, "caller is not a wasm->js import function");
// We have a wrapper frame that we generate for imports. If we ever can direct call from wasm we would need to change this.
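Review bot: wasmToJSFrame.callerFrame() is now evaluated twice on the changed `if` line; caching it in a local (`auto* caller = wasmToJSFrame.callerFrame();`) and testing `!caller || !caller->isAnyWasmCallee()` reads more clearly and avoids recomputing it. The null case also reuses the message "caller is not a wasm->js import function", which is misleading when there is no caller frame at all (the microtask / unhandled-rejection situation the ChangeLog describes); a distinct message such as "no caller frame" would make failures easier to diagnose.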
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes