- Revision
- 272466
- Author
- [email protected]
- Date
- 2021-02-06 19:13:53 -0800 (Sat, 06 Feb 2021)
Log Message
REGRESSION (r264574): Unchecked JS exception in validateAndApplyPropertyDescriptor()
https://bugs.webkit.org/show_bug.cgi?id=221494
Reviewed by Yusuke Suzuki.
JSTests:
* stress/redefine-property-same-value-exception-check.js: Added.
Source/_javascript_Core:
This patch brings back exception check after sameValue(), which was accidentally
removed in r264574. sameValue() may throw OOM when comparing rope strings.
Even though this case was unreachable because of PropertyDescriptor::equalTo()
fast path, we should maintain consistent exception checks.
For the same reason, sameValue() in protoFuncFinalizationRegistryRegister() is
replaced with pointer comparison, which is safe & unobservable because `target`
is a known JSObject.
* runtime/FinalizationRegistryPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSObject.cpp:
(JSC::validateAndApplyPropertyDescriptor):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (272465 => 272466)
--- trunk/JSTests/ChangeLog 2021-02-07 02:02:17 UTC (rev 272465)
+++ trunk/JSTests/ChangeLog 2021-02-07 03:13:53 UTC (rev 272466)
@@ -1,3 +1,12 @@
+2021-02-06 Alexey Shvayka <[email protected]>
+
+ REGRESSION (r264574): Unchecked JS exception in validateAndApplyPropertyDescriptor()
+ https://bugs.webkit.org/show_bug.cgi?id=221494
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/redefine-property-same-value-exception-check.js: Added.
+
2021-02-05 Yusuke Suzuki <[email protected]>
Unreviewd, update test262/config.yaml
Added: trunk/JSTests/stress/redefine-property-same-value-exception-check.js (0 => 272466)
--- trunk/JSTests/stress/redefine-property-same-value-exception-check.js (rev 0)
+++ trunk/JSTests/stress/redefine-property-same-value-exception-check.js 2021-02-07 03:13:53 UTC (rev 272466)
@@ -0,0 +1,21 @@
+function shouldThrow(func, errorMessage) {
+ let errorThrown = false;
+ try {
+ func();
+ } catch (error) {
+ errorThrown = true;
+ if (String(error) !== errorMessage)
+ throw new Error(`Bad error: ${error}`);
+ }
+ if (!errorThrown)
+ throw new Error('Not thrown!');
+}
+
+const obj = {};
+const s = [0.1].toLocaleString().padEnd(2 ** 31 - 1, "ab");
+
+Object.defineProperty(obj, "foo", {value: s, writable: false, enumerable: true, configurable: false});
+
+shouldThrow(() => {
+ Object.defineProperty(obj, "foo", {value: "bar"});
+}, "RangeError: Out of memory");
Modified: trunk/Source/_javascript_Core/ChangeLog (272465 => 272466)
--- trunk/Source/_javascript_Core/ChangeLog 2021-02-07 02:02:17 UTC (rev 272465)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-02-07 03:13:53 UTC (rev 272466)
@@ -1,3 +1,25 @@
+2021-02-06 Alexey Shvayka <[email protected]>
+
+ REGRESSION (r264574): Unchecked JS exception in validateAndApplyPropertyDescriptor()
+ https://bugs.webkit.org/show_bug.cgi?id=221494
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch brings back exception check after sameValue(), which was accidentally
+ removed in r264574. sameValue() may throw OOM when comparing rope strings.
+
+ Even though this case was unreachable because of PropertyDescriptor::equalTo()
+ fast path, we should maintain consistent exception checks.
+
+ For the same reason, sameValue() in protoFuncFinalizationRegistryRegister() is
+ replaced with pointer comparison, which is safe & unobservable because `target`
+ is a known JSObject.
+
+ * runtime/FinalizationRegistryPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/JSObject.cpp:
+ (JSC::validateAndApplyPropertyDescriptor):
+
2021-02-05 Patrick Angle <[email protected]>
Web Inspector: Implement backend support for maintaining a list of Grid layout contexts
Modified: trunk/Source/_javascript_Core/runtime/FinalizationRegistryPrototype.cpp (272465 => 272466)
--- trunk/Source/_javascript_Core/runtime/FinalizationRegistryPrototype.cpp 2021-02-07 02:02:17 UTC (rev 272465)
+++ trunk/Source/_javascript_Core/runtime/FinalizationRegistryPrototype.cpp 2021-02-07 03:13:53 UTC (rev 272466)
@@ -78,7 +78,7 @@
return throwVMTypeError(globalObject, scope, "register requires an object as the target"_s);
JSValue holdings = callFrame->argument(1);
- if (sameValue(globalObject, target, holdings))
+ if (target == holdings)
return throwVMTypeError(globalObject, scope, "register expects the target object and the holdings parameter are not the same. Otherwise, the target can never be collected"_s);
JSValue unregisterToken = callFrame->argument(2);
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (272465 => 272466)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2021-02-07 02:02:17 UTC (rev 272465)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2021-02-07 03:13:53 UTC (rev 272466)
@@ -3651,8 +3651,12 @@
if (!current.configurable() && !current.writable()) {
if (descriptor.writable())
return typeError(globalObject, scope, throwException, UnconfigurablePropertyChangeWritabilityError);
- if (descriptor.value() && !sameValue(globalObject, current.value(), descriptor.value()))
- return typeError(globalObject, scope, throwException, ReadonlyPropertyChangeError);
+ if (descriptor.value()) {
+ bool isSame = sameValue(globalObject, descriptor.value(), current.value());
+ RETURN_IF_EXCEPTION(scope, false);
+ if (!isSame)
+ return typeError(globalObject, scope, throwException, ReadonlyPropertyChangeError);
+ }
return true;
}
