[webkit-changes] [273222] trunk/Source/JavaScriptCore

[ysuzuki]

Title: [273222] trunk/Source/_javascript_Core

Revision

273222

Author

ysuz...@apple.com

Date

2021-02-21 13:08:03 -0800 (Sun, 21 Feb 2021)

Log Message

[JSC] JSInternalPromise::then can fail if execution is terminated
https://bugs.webkit.org/show_bug.cgi?id=222244

Reviewed by Mark Lam.

JSInternalPromise::then assumed that call's result is always JSInternalPromise.
But this is wrong if termination exception is thrown. In that case, this call fails.
This patch makes it robust against this behavior.

* runtime/JSInternalPromise.cpp:
(JSC::JSInternalPromise::then):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSInternalPromise.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (273221 => 273222)

--- trunk/Source/_javascript_Core/ChangeLog	2021-02-21 20:49:56 UTC (rev 273221)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-02-21 21:08:03 UTC (rev 273222)
@@ -1,5 +1,19 @@
 2021-02-21  Yusuke Suzuki  <ysuz...@apple.com>
 
+        [JSC] JSInternalPromise::then can fail if execution is terminated
+        https://bugs.webkit.org/show_bug.cgi?id=222244
+
+        Reviewed by Mark Lam.
+
+        JSInternalPromise::then assumed that call's result is always JSInternalPromise.
+        But this is wrong if termination exception is thrown. In that case, this call fails.
+        This patch makes it robust against this behavior.
+
+        * runtime/JSInternalPromise.cpp:
+        (JSC::JSInternalPromise::then):
+
+2021-02-21  Yusuke Suzuki  <ysuz...@apple.com>
+
         [JSC] Remove vm.topCallFrame storing in Baseline JIT
         https://bugs.webkit.org/show_bug.cgi?id=222162
 

Modified: trunk/Source/_javascript_Core/runtime/JSInternalPromise.cpp (273221 => 273222)

--- trunk/Source/_javascript_Core/runtime/JSInternalPromise.cpp	2021-02-21 20:49:56 UTC (rev 273221)
+++ trunk/Source/_javascript_Core/runtime/JSInternalPromise.cpp	2021-02-21 21:08:03 UTC (rev 273222)
@@ -69,8 +69,9 @@
     arguments.append(onFulfilled ? onFulfilled : jsUndefined());
     arguments.append(onRejected ? onRejected : jsUndefined());
     ASSERT(!arguments.hasOverflowed());
-
-    RELEASE_AND_RETURN(scope, jsCast<JSInternalPromise*>(call(globalObject, function, callData, this, arguments)));
+    JSValue result = call(globalObject, function, callData, this, arguments);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    return jsCast<JSInternalPromise*>(result);
 }
 
 JSInternalPromise* JSInternalPromise::rejectWithCaughtException(JSGlobalObject* globalObject, ThrowScope& scope)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes