Skip to site navigation (Press enter)

[webkit-changes] [279910] trunk

mark . lam Wed, 14 Jul 2021 10:26:39 -0700

Title: [279910] trunk

Revision: 279910
Author: [email protected]
Date: 2021-07-14 10:25:44 -0700 (Wed, 14 Jul 2021)

Log Message

Placate exception checker validation in operationObjectAssignUntyped.
https://bugs.webkit.org/show_bug.cgi?id=227955
rdar://80503746


Reviewed by Michael Saboff.

JSTests:

* stress/exception-check-in-operationObjectAssignUntyped.js: Added.

Source/_javascript_Core:

* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp

Added Paths

trunk/JSTests/stress/exception-check-in-operationObjectAssignUntyped.js

Diff

Modified: trunk/JSTests/ChangeLog (279909 => 279910)


--- trunk/JSTests/ChangeLog	2021-07-14 15:00:39 UTC (rev 279909)
+++ trunk/JSTests/ChangeLog	2021-07-14 17:25:44 UTC (rev 279910)
@@ -1,3 +1,13 @@
+2021-07-14  Mark Lam  <[email protected]>
+
+        Placate exception checker validation in operationObjectAssignUntyped.
+        https://bugs.webkit.org/show_bug.cgi?id=227955
+        rdar://80503746
+
+        Reviewed by Michael Saboff.
+
+        * stress/exception-check-in-operationObjectAssignUntyped.js: Added.
+
 2021-07-14  Keith Miller  <[email protected]>
 
         Fix more tests around fuzzing executable allocations

Added: trunk/JSTests/stress/exception-check-in-operationObjectAssignUntyped.js (0 => 279910)


--- trunk/JSTests/stress/exception-check-in-operationObjectAssignUntyped.js	                        (rev 0)
+++ trunk/JSTests/stress/exception-check-in-operationObjectAssignUntyped.js	2021-07-14 17:25:44 UTC (rev 279910)
@@ -0,0 +1,5 @@
+//@ requireOptions("--useRandomizingFuzzerAgent=true")
+
+for (let i = 0; i < 10000; ++i) {
+  Object.assign({}, [[]][0]);
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (279909 => 279910)


--- trunk/Source/_javascript_Core/ChangeLog	2021-07-14 15:00:39 UTC (rev 279909)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-14 17:25:44 UTC (rev 279910)
@@ -1,3 +1,14 @@
+2021-07-14  Mark Lam  <[email protected]>
+
+        Placate exception checker validation in operationObjectAssignUntyped.
+        https://bugs.webkit.org/show_bug.cgi?id=227955
+        rdar://80503746
+
+        Reviewed by Michael Saboff.
+
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+
 2021-07-13  Robin Morisset  <[email protected]>
 
         Invalid machine code emitted by SpeculativeJIT::emitObjectOrOtherBranch

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (279909 => 279910)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-07-14 15:00:39 UTC (rev 279909)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-07-14 17:25:44 UTC (rev 279910)
@@ -394,6 +394,7 @@
         }
     }
 
+    scope.release();
     objectAssignGeneric(globalObject, vm, target, source);
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes