Modified: trunk/LayoutTests/ChangeLog (275881 => 275882)
--- trunk/LayoutTests/ChangeLog 2021-04-13 13:21:21 UTC (rev 275881)
+++ trunk/LayoutTests/ChangeLog 2021-04-13 14:08:32 UTC (rev 275882)
@@ -1,3 +1,15 @@
+2021-04-13 Frédéric Wang <fw...@igalia.com>
+
+ ASSERTION FAILED: !m_needExceptionCheck in CloneSerializer::serialize with postMessage({g:42})
+ https://bugs.webkit.org/show_bug.cgi?id=223785
+
+ Reviewed by Yusuke Suzuki.
+
+ Add regression test.
+
+ * js/dom/missing-exception-check-in-clone-serializer-serialize-expected.txt: Added.
+ * js/dom/missing-exception-check-in-clone-serializer-serialize.html: Added.
+
2021-04-13 Commit Queue <commit-qu...@webkit.org>
Unreviewed, reverting r275849.
Added: trunk/LayoutTests/js/dom/missing-exception-check-in-clone-serializer-serialize-expected.txt (0 => 275882)
--- trunk/LayoutTests/js/dom/missing-exception-check-in-clone-serializer-serialize-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dom/missing-exception-check-in-clone-serializer-serialize-expected.txt 2021-04-13 14:08:32 UTC (rev 275882)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/dom/missing-exception-check-in-clone-serializer-serialize.html (0 => 275882)
--- trunk/LayoutTests/js/dom/missing-exception-check-in-clone-serializer-serialize.html (rev 0)
+++ trunk/LayoutTests/js/dom/missing-exception-check-in-clone-serializer-serialize.html 2021-04-13 14:08:32 UTC (rev 275882)
@@ -0,0 +1,12 @@
+<!DOCTYPE html><!-- webkit-test-runner [ jscOptions=--validateExceptionChecks=true ] -->
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+ postMessage({g:42});
+</script>
+<script src=""
+</body>
+</html>
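Review bot: The regression test only drives the plain-object path with `postMessage({g:42});`, while the same commit adds exception checks on the array, Map and Set branches of CloneSerializer::serialize, which this file never reaches. Adding `postMessage([1, 2]);`, `postMessage(new Map([[1, 2]]));` and `postMessage(new Set([1]));` to the same script block would run those branches under `--validateExceptionChecks=true` as well. If any of them still trips the `!m_needExceptionCheck` assertion, that would point to a check site the patch missed. Whether the array case needs a non-index property to reach the `getOwnNonIndexPropertyNames` call cannot be told from the hunks shown.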
Modified: trunk/Source/WebCore/ChangeLog (275881 => 275882)
--- trunk/Source/WebCore/ChangeLog 2021-04-13 13:21:21 UTC (rev 275881)
+++ trunk/Source/WebCore/ChangeLog 2021-04-13 14:08:32 UTC (rev 275882)
@@ -1,3 +1,17 @@
+2021-04-13 Frédéric Wang <fw...@igalia.com>
+
+ ASSERTION FAILED: !m_needExceptionCheck in CloneSerializer::serialize with postMessage({g:42})
+ https://bugs.webkit.org/show_bug.cgi?id=223785
+
+ Reviewed by Yusuke Suzuki.
+
+ Test: js/dom/missing-exception-check-in-clone-serializer-serialize.html
+
+ * bindings/js/SerializedScriptValue.cpp:
+ (WebCore::CloneSerializer::serialize): Use a local throw scope within this method and
+ handle potential exceptions.
+ (WebCore::CloneBase::shouldTerminate): Deleted.
+
2021-04-13 Philippe Normand <pnorm...@igalia.com>
[GTK][WPE] Avif decoder build broken
Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (275881 => 275882)
--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2021-04-13 13:21:21 UTC (rev 275881)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2021-04-13 14:08:32 UTC (rev 275882)
@@ -504,13 +504,6 @@
{
}
- bool shouldTerminate()
- {
- VM& vm = m_lexicalGlobalObject->vm();
- auto scope = DECLARE_THROW_SCOPE(vm);
- return scope.exception();
- }
-
void fail()
{
m_failed = true;
@@ -1767,6 +1760,7 @@
Vector<WalkerState, 16> stateStack;
WalkerState lexicalGlobalObject = StateUnknown;
JSValue inValue = in;
+ auto scope = DECLARE_THROW_SCOPE(vm);
while (1) {
switch (lexicalGlobalObject) {
arrayStartState:
@@ -1794,6 +1788,8 @@
propertyStack.append(PropertyNameArray(vm, PropertyNameMode::Strings, PrivateSymbolMode::Exclude));
array->getOwnNonIndexPropertyNames(m_lexicalGlobalObject, propertyStack.last(), DontEnumPropertiesMode::Exclude);
+ if (UNLIKELY(scope.exception()))
+ return SerializationReturnCode::ExistingExceptionError;
if (propertyStack.last().size()) {
write(NonIndexPropertiesTag);
indexStack.append(0);
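Review bot: The two-line check added after `getOwnNonIndexPropertyNames` spells out by hand what JSC's `RETURN_IF_EXCEPTION` macro appears to do already. The same pair recurs in the later hunks: after `getDirectIndex`, after the three `getOwnPropertyNames` calls (object, Map, Set), and at the three former `shouldTerminate()` sites. Writing each one as `RETURN_IF_EXCEPTION(scope, SerializationReturnCode::ExistingExceptionError);` would match the convention used elsewhere in the bindings and make a missing check after a throwing call easier to spot. The body of serialize() starts and ends outside these hunks, so other throwing calls in the loop could not be checked from here.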
@@ -1806,6 +1802,8 @@
break;
}
inValue = array->getDirectIndex(m_lexicalGlobalObject, index);
+ if (UNLIKELY(scope.exception()))
+ return SerializationReturnCode::ExistingExceptionError;
if (!inValue) {
indexStack.last()++;
goto arrayStartVisitMember;
@@ -1844,6 +1842,8 @@
indexStack.append(0);
propertyStack.append(PropertyNameArray(vm, PropertyNameMode::Strings, PrivateSymbolMode::Exclude));
inObject->methodTable(vm)->getOwnPropertyNames(inObject, m_lexicalGlobalObject, propertyStack.last(), DontEnumPropertiesMode::Exclude);
+ if (UNLIKELY(scope.exception()))
+ return SerializationReturnCode::ExistingExceptionError;
}
objectStartVisitMember:
FALLTHROUGH;
@@ -1859,7 +1859,7 @@
break;
}
inValue = getProperty(vm, object, properties[index]);
- if (shouldTerminate())
+ if (UNLIKELY(scope.exception()))
return SerializationReturnCode::ExistingExceptionError;
if (!inValue) {
@@ -1869,7 +1869,7 @@
}
write(properties[index]);
- if (shouldTerminate())
+ if (UNLIKELY(scope.exception()))
return SerializationReturnCode::ExistingExceptionError;
auto terminalCode = SerializationReturnCode::SuccessfullyCompleted;
@@ -1882,7 +1882,7 @@
FALLTHROUGH;
}
case ObjectEndVisitMember: {
- if (shouldTerminate())
+ if (UNLIKELY(scope.exception()))
return SerializationReturnCode::ExistingExceptionError;
indexStack.last()++;
@@ -1912,6 +1912,8 @@
ASSERT(jsDynamicCast<JSMap*>(vm, object));
propertyStack.append(PropertyNameArray(vm, PropertyNameMode::Strings, PrivateSymbolMode::Exclude));
object->methodTable(vm)->getOwnPropertyNames(object, m_lexicalGlobalObject, propertyStack.last(), DontEnumPropertiesMode::Exclude);
+ if (UNLIKELY(scope.exception()))
+ return SerializationReturnCode::ExistingExceptionError;
write(NonMapPropertiesTag);
indexStack.append(0);
goto objectStartVisitMember;
@@ -1956,6 +1958,8 @@
ASSERT(jsDynamicCast<JSSet*>(vm, object));
propertyStack.append(PropertyNameArray(vm, PropertyNameMode::Strings, PrivateSymbolMode::Exclude));
object->methodTable(vm)->getOwnPropertyNames(object, m_lexicalGlobalObject, propertyStack.last(), DontEnumPropertiesMode::Exclude);
+ if (UNLIKELY(scope.exception()))
+ return SerializationReturnCode::ExistingExceptionError;
write(NonSetPropertiesTag);
indexStack.append(0);
goto objectStartVisitMember;