Title: [280097] trunk
- Revision
- 280097
- Author
- [email protected]
- Date
- 2021-07-20 12:35:56 -0700 (Tue, 20 Jul 2021)
Log Message
[JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
https://bugs.webkit.org/show_bug.cgi?id=228075
rdar://80762879
Reviewed by Frédéric Wang.
JSTests:
* stress/symbol-hasinstance-error.js: Added.
(shouldThrow):
(let.a):
Source/JavaScriptCore:
invalidParameterInstanceofSourceAppender can be invoked without `instanceof` expression since we can call
`[Symbol.hasInstance]` function directly, but the implementation did not assume that. This patch fixes
it to handle this direct call.
* runtime/ExceptionHelpers.cpp:
(JSC::invalidParameterInstanceofSourceAppender):
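The two entry points the log message contrasts, as an added example that is not part of this commit or of WebKit. It runs under Node.js; the helper names `probe` and `compare` and the constructors `Widget`, `Tagged` and `Broken` are illustrative, and only the error constructor is recorded because the message text differs between engines (the exact JSC message is what the regression test below pins).

```javascript
// Added example (not code from the WebKit commit): the same hasInstance logic
// is reachable through two entry points, the `instanceof` operator and a direct
// call of Function.prototype[Symbol.hasInstance]. Runs under Node.js; engine
// error messages differ, so only the error constructor name is recorded.

const defaultHasInstance = Function.prototype[Symbol.hasInstance];

// Run a probe and record either its boolean result or the name of the error
// constructor it threw, so both entry points can be compared side by side.
function probe(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Check `value` against `ctor` via the operator and via the direct call.
function compare(ctor, value) {
  return {
    operator: probe(() => value instanceof ctor),
    direct: probe(() => defaultHasInstance.call(ctor, value)),
  };
}

// Case 1: ordinary constructor; both paths walk the prototype chain.
function Widget() {}
function caseOrdinary() {
  return compare(Widget, new Widget());
}

// Case 2 (constructed): a callable Symbol.hasInstance override. The operator
// honours it; a direct call of the *default* implementation on the function
// itself performs OrdinaryHasInstance and ignores the override. A bound
// function has no own @@hasInstance, so through it both paths delegate to the
// bound target's override.
function Tagged() {}
Object.defineProperty(Tagged, Symbol.hasInstance, {
  value: (v) => v !== null && typeof v === 'object' && v.tag === 'tagged',
});
function caseCallableOverride() {
  const v = { tag: 'tagged' };
  return { plain: compare(Tagged, v), bound: compare(Tagged.bind(), v) };
}

// Case 3: the shape used by the regression test. A non-callable override
// (Atomics is an ordinary namespace object) makes GetMethod(target, @@hasInstance)
// throw a TypeError whenever the target's override is consulted. Through the
// bound function that happens on the direct call as well, which is the path
// whose source text contains no `instanceof` token.
const Broken = function () {};
Object.defineProperty(Broken, Symbol.hasInstance, { value: Atomics });
function caseNonCallableOverride() {
  const v = {};
  return { plain: compare(Broken, v), bound: compare(Broken.bind(), v) };
}
```

Case 3 is why the regression test binds the function first: on the unbound `Broken`, the direct call of the default implementation never looks at the non-callable override and simply returns `false`, whereas through `Broken.bind()` the default implementation re-enters the target's `@@hasInstance` and throws, with no `instanceof` anywhere in the calling expression.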
Diff
Modified: trunk/JSTests/ChangeLog (280096 => 280097)
--- trunk/JSTests/ChangeLog 2021-07-20 19:34:41 UTC (rev 280096)
+++ trunk/JSTests/ChangeLog 2021-07-20 19:35:56 UTC (rev 280097)
@@ -1,3 +1,15 @@
+2021-07-20 Yusuke Suzuki <[email protected]>
+
+ [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
+ https://bugs.webkit.org/show_bug.cgi?id=228075
+ rdar://80762879
+
+ Reviewed by Frédéric Wang.
+
+ * stress/symbol-hasinstance-error.js: Added.
+ (shouldThrow):
+ (let.a):
+
2021-07-19 Mark Lam <[email protected]>
DFG's parseIntResult() should check for negative zero.
Added: trunk/JSTests/stress/symbol-hasinstance-error.js (0 => 280097)
--- trunk/JSTests/stress/symbol-hasinstance-error.js (rev 0)
+++ trunk/JSTests/stress/symbol-hasinstance-error.js 2021-07-20 19:35:56 UTC (rev 280097)
@@ -0,0 +1,21 @@
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+let a = function() {};
+Object.defineProperty(a, Symbol.hasInstance, { value: Atomics });
+let b = a.bind();
+shouldThrow(() => {
+ Function.prototype[Symbol.hasInstance].call(b)
+}, `TypeError: function [Symbol.hasInstance] is not a function, undefined, or null`);
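Review bot: the new test covers only the case where the calling source text contains no `instanceof` at all; since `invalidParameterInstanceofSourceAppender` locates the operator with `sourceText.reverseFind("instanceof")` and then compares it against `find("instanceof")`, add a second `shouldThrow` whose calling expression does contain that token elsewhere (for example in a string literal or an identifier such as `instanceofCheck` on the same line), so the remaining branches are exercised by a direct `Function.prototype[Symbol.hasInstance].call(b)` too. Also consider asserting `error instanceof TypeError` alongside the pinned message in `shouldThrow`, so a later wording change in the message fails for an obvious reason rather than looking like a regression of this fix.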
Modified: trunk/Source/_javascript_Core/ChangeLog (280096 => 280097)
--- trunk/Source/_javascript_Core/ChangeLog 2021-07-20 19:34:41 UTC (rev 280096)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-07-20 19:35:56 UTC (rev 280097)
@@ -1,3 +1,18 @@
+2021-07-20 Yusuke Suzuki <[email protected]>
+
+ [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance
+ https://bugs.webkit.org/show_bug.cgi?id=228075
+ rdar://80762879
+
+ Reviewed by Frédéric Wang.
+
+ invalidParameterInstanceofSourceAppender can be invoked without `instanceof` _expression_ since we can call
+ `[Symbol.hasInstance]` function directly, but the implementation did not assume that. This patch fixes
+ it to handle this direct call.
+
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::invalidParameterInstanceofSourceAppender):
+
2021-07-19 Yusuke Suzuki <[email protected]>
[JSC] StructureStubInfo's m_identifier should follow to the same protocol of inlineAccessBaseStructure
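Review bot: the entry says the implementation "did not assume" a direct call but not what that caused; since the line being removed is `RELEASE_ASSERT(instanceofIndex != notFound)`, state explicitly that a direct call of `Function.prototype[Symbol.hasInstance]` on a bound function whose target has a non-callable `Symbol.hasInstance` crashed release builds, so the ChangeLog records that this fixes a script-reachable crash and not only an error-message detail.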
Modified: trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp (280096 => 280097)
--- trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2021-07-20 19:34:41 UTC (rev 280096)
+++ trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2021-07-20 19:35:56 UTC (rev 280097)
@@ -219,7 +219,10 @@
ASSERT(occurrence == ErrorInstance::FoundExactSource);
auto instanceofIndex = sourceText.reverseFind("instanceof");
- RELEASE_ASSERT(instanceofIndex != notFound);
+ // This can happen when Symbol.hasInstance function is directly called.
+ if (instanceofIndex == notFound)
+ return originalMessage;
+
if (sourceText.find("instanceof") != instanceofIndex)
return makeString(originalMessage, " (evaluating '", sourceText, "')");
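Review bot: the early return at the new `if (instanceofIndex == notFound)` drops the source text from the message entirely, while the existing fallback two lines below for an ambiguous source (`find` differing from `reverseFind`) still returns `makeString(originalMessage, " (evaluating '", sourceText, "')")`; for consistency consider returning the same form here so a direct `Symbol.hasInstance` call still reports the offending expression. The comment should also say that this replaces a `RELEASE_ASSERT` that untrusted script could trigger with a direct call, i.e. a process crash reachable from content, so readers see the bail-out as a deliberate safety fallback and do not reinstate the assert later.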
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes