Modified: trunk/Source/_javascript_Core/ChangeLog (154901 => 154902)
--- trunk/Source/_javascript_Core/ChangeLog 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-08-30 18:30:41 UTC (rev 154902)
@@ -1,3 +1,27 @@
+2013-08-30 Oliver Hunt <[email protected]>
+
+ Make JSValue bool conversion less dangerous
+ https://bugs.webkit.org/show_bug.cgi?id=120505
+
+ Reviewed by Darin Adler.
+
+ Replaces JSValue::operator bool() with a operator UnspecifiedBoolType* as
+ we do elsewhere. Then fix the places where terrible type coercion was
+ happening. All of the changes made had no fundamental behavioural impact
+ as they were coercion results that were ignored (returning undefined
+ after an exception).
+
+ * dfg/DFGOperations.cpp:
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::hadException):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::operator UnspecifiedBoolType*):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncEval):
+ * runtime/PropertyDescriptor.cpp:
+ (JSC::PropertyDescriptor::equalTo)
+
2013-08-30 Chris Curtis <[email protected]>
Cleaning errorDescriptionForValue after r154839
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (154901 => 154902)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2013-08-30 18:30:41 UTC (rev 154902)
@@ -677,7 +677,7 @@
if (!base->isObject()) {
vm->throwException(exec, createInvalidParameterError(exec, "in", base));
- return jsUndefined();
+ return JSValue::encode(jsUndefined());
}
StructureStubInfo& stubInfo = exec->codeBlock()->getStubInfo(returnAddress);
@@ -704,7 +704,7 @@
if (!base->isObject()) {
vm->throwException(exec, createInvalidParameterError(exec, "in", base));
- return jsUndefined();
+ return JSValue::encode(jsUndefined());
}
Identifier ident(vm, key);
Modified: trunk/Source/_javascript_Core/interpreter/CallFrame.h (154901 => 154902)
--- trunk/Source/_javascript_Core/interpreter/CallFrame.h 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/interpreter/CallFrame.h 2013-08-30 18:30:41 UTC (rev 154902)
@@ -75,7 +75,7 @@
}
JSValue exception() const { return vm().exception(); }
- bool hadException() const { return vm().exception(); }
+ bool hadException() const { return !vm().exception().isEmpty(); }
const CommonIdentifiers& propertyNames() const { return *vm().propertyNames; }
const MarkedArgumentBuffer& emptyList() const { return *vm().emptyList; }
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.h (154901 => 154902)
--- trunk/Source/_javascript_Core/runtime/JSCJSValue.h 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.h 2013-08-30 18:30:41 UTC (rev 154902)
@@ -173,7 +173,8 @@
explicit JSValue(long long);
explicit JSValue(unsigned long long);
- operator bool() const;
+ typedef void* (JSValue::*UnspecifiedBoolType);
+ operator UnspecifiedBoolType*() const;
bool operator==(const JSValue& other) const;
bool operator!=(const JSValue& other) const;
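Review bot: The conversion target is a plain pointer (`UnspecifiedBoolType*`), so a JSValue is still implicitly convertible to a pointer type; that closes the coercion into an integer/`EncodedJSValue` that the DFGOperations and globalFuncEval hunks fix, but it still admits pointer-only operations such as comparison against an unrelated pointer or pointer arithmetic. The usual safe-bool form makes the pointer-to-member itself the target, `operator UnspecifiedBoolType() const;`, with the typedef naming the type of a real data member (for instance the `u` member the inline definitions read) and the inlines returning `&JSValue::u` or 0, which also removes the need to manufacture a pointer from an integer. Whichever form is kept, a comment on the declaration would stop the next reader from "simplifying" it back to `operator bool()`: `// Safe-bool idiom: usable in if/!/&&, but not convertible to int or EncodedJSValue, so 'return jsUndefined()' from an EncodedJSValue-returning function fails to compile instead of producing an invalid encoded value.`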
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h (154901 => 154902)
--- trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2013-08-30 18:30:41 UTC (rev 154902)
@@ -210,10 +210,10 @@
u.asBits.payload = reinterpret_cast<int32_t>(const_cast<JSCell*>(ptr));
}
-inline JSValue::operator bool() const
+inline JSValue::operator UnspecifiedBoolType*() const
{
ASSERT(tag() != DeletedValueTag);
- return tag() != EmptyValueTag;
+ return tag() != EmptyValueTag ? reinterpret_cast<UnspecifiedBoolType*>(1) : 0;
}
inline bool JSValue::operator==(const JSValue& other) const
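Review bot: `reinterpret_cast<UnspecifiedBoolType*>(1)` builds a pointer out of an integer literal, which is implementation-defined and is precisely what the safe-bool idiom normally avoids by returning a pointer-to-member of an actual data member; the second hunk (`@@ -358`, the `u.asInt64` encoding) has the same construct. If the pointer-returning declaration in JSCJSValue.h stays, a one-line comment would make the magic value's role clear: `// Any non-null value will do; callers only ever test the result in boolean context.` Separately, this 32-bit variant asserts `tag() != DeletedValueTag` while the 64-bit variant checks nothing before testing `u.asInt64`; if the 64-bit encoding also has a deleted-value sentinel, mirroring the assertion there would keep the two variants' contracts aligned (cannot tell from the hunk).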
@@ -358,9 +358,9 @@
u.asInt64 = reinterpret_cast<uintptr_t>(const_cast<JSCell*>(ptr));
}
-inline JSValue::operator bool() const
+inline JSValue::operator UnspecifiedBoolType*() const
{
- return u.asInt64;
+ return u.asInt64 ? reinterpret_cast<UnspecifiedBoolType*>(1) : 0;
}
inline bool JSValue::operator==(const JSValue& other) const
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (154901 => 154902)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2013-08-30 18:30:41 UTC (rev 154902)
@@ -519,7 +519,7 @@
JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false);
if (!eval)
- return jsUndefined();
+ return JSValue::encode(jsUndefined());
return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject));
}
Modified: trunk/Source/_javascript_Core/runtime/PropertyDescriptor.cpp (154901 => 154902)
--- trunk/Source/_javascript_Core/runtime/PropertyDescriptor.cpp 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/_javascript_Core/runtime/PropertyDescriptor.cpp 2013-08-30 18:30:41 UTC (rev 154902)
@@ -183,9 +183,9 @@
bool PropertyDescriptor::equalTo(ExecState* exec, const PropertyDescriptor& other) const
{
- if (!other.m_value == m_value ||
- !other.m_getter == m_getter ||
- !other.m_setter == m_setter)
+ if (other.m_value.isEmpty() != m_value.isEmpty()
+ || other.m_getter.isEmpty() != m_getter.isEmpty()
+ || other.m_setter.isEmpty() != m_setter.isEmpty())
return false;
return (!m_value || sameValue(exec, other.m_value, m_value))
&& (!m_getter || JSValue::strictEqual(exec, other.m_getter, m_getter))
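Review bot: The new emptiness comparison spells out `isEmpty()`, but the return expression directly below still relies on the implicit conversion (`!m_value`, `!m_getter`, and presumably `!m_setter` beyond the hunk), which is the same coercion the commit makes explicit elsewhere. Making the two halves consistent reads as `return (m_value.isEmpty() || sameValue(exec, other.m_value, m_value))` followed by `&& (m_getter.isEmpty() || JSValue::strictEqual(exec, other.m_getter, m_getter))`. The return expression of equalTo continues past the end of the hunk.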
Modified: trunk/Source/WTF/ChangeLog (154901 => 154902)
--- trunk/Source/WTF/ChangeLog 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/WTF/ChangeLog 2013-08-30 18:30:41 UTC (rev 154902)
@@ -1,3 +1,15 @@
+2013-08-30 Oliver Hunt <[email protected]>
+
+ Make JSValue bool conversion less dangerous
+ https://bugs.webkit.org/show_bug.cgi?id=120505
+
+ Reviewed by Darin Adler.
+
+ Make LIKELY and UNLIKELY macros coerce to bool before
+ passing to expect.
+
+ * wtf/Compiler.h:
+
2013-08-30 Antti Koivisto <[email protected]>
Remove code behind ENABLE(DIALOG_ELEMENT)
Modified: trunk/Source/WTF/wtf/Compiler.h (154901 => 154902)
--- trunk/Source/WTF/wtf/Compiler.h 2013-08-30 18:16:11 UTC (rev 154901)
+++ trunk/Source/WTF/wtf/Compiler.h 2013-08-30 18:30:41 UTC (rev 154902)
@@ -223,7 +223,7 @@
#ifndef UNLIKELY
#if COMPILER(GCC) || (COMPILER(RVCT) && defined(__GNUC__))
-#define UNLIKELY(x) __builtin_expect((x), 0)
+#define UNLIKELY(x) __builtin_expect(!!(x), 0)
#else
#define UNLIKELY(x) (x)
#endif
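Review bot: Only the `__builtin_expect` branch gains the `!!(x)` coercion; the `#else` fallback keeps `(x)`, so the macro's result now differs between toolchains (a 0/1 `long` from `__builtin_expect` on GCC, the raw expression type elsewhere), and an argument whose only boolean conversion is a conversion operator — JSValue after this commit — is coerced on one path but not the other. The `LIKELY` hunk (`@@ -234`) has the same asymmetry. Coercing on both paths keeps the contract uniform: `#define UNLIKELY(x) (!!(x))` and `#define LIKELY(x) (!!(x))` in the respective `#else` branches.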
@@ -234,7 +234,7 @@
#ifndef LIKELY
#if COMPILER(GCC) || (COMPILER(RVCT) && defined(__GNUC__))
-#define LIKELY(x) __builtin_expect((x), 1)
+#define LIKELY(x) __builtin_expect(!!(x), 1)
#else
#define LIKELY(x) (x)
#endif