Modified: trunk/Source/_javascript_Core/CMakeLists.txt (197793 => 197794)
--- trunk/Source/_javascript_Core/CMakeLists.txt 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/CMakeLists.txt 2016-03-08 20:57:25 UTC (rev 197794)
@@ -709,7 +709,6 @@
runtime/JSModuleNamespaceObject.cpp
runtime/JSModuleRecord.cpp
runtime/JSNativeStdFunction.cpp
- runtime/JSNotAnObject.cpp
runtime/JSONObject.cpp
runtime/JSObject.cpp
runtime/JSPromise.cpp
Modified: trunk/Source/_javascript_Core/ChangeLog (197793 => 197794)
--- trunk/Source/_javascript_Core/ChangeLog 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-03-08 20:57:25 UTC (rev 197794)
@@ -1,3 +1,82 @@
+2016-03-08 Mark Lam <[email protected]>
+
+ synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
+ https://bugs.webkit.org/show_bug.cgi?id=155169
+
+ Reviewed by Geoffrey Garen.
+
+ With the exception checks, we may end up throwing new exceptions over an existing
+ one that has been thrown but not handled yet, thereby obscuring it. It may also
+ mean that the VM will continue running on potentially unstable state, which may
+ have undesirable consequences.
+
+ I first observed this in some failed assertion while running tests on a patch for
+ https://bugs.webkit.org/show_bug.cgi?id=154865.
+
+ Performance is neutral with this patch (tested on x86_64).
+
+ 1. Deleted JSNotAnObject, and removed all uses of it.
+
+ 2. Added exception checks, when needed, following calls to synthesizePrototype()
+ and JSValue::toObject().
+
+ The cases that do not need an exception check are the ones that already ensures
+ that JSValue::toObject() is only called on a value that is convertible to an
+ object. In those cases, I added an assertion that no exception was thrown
+ after the call.
+
+ * CMakeLists.txt:
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStackFromException):
+ * interpreter/Interpreter.cpp:
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncJoin):
+ (JSC::arrayProtoFuncConcat):
+ (JSC::arrayProtoFuncPop):
+ (JSC::arrayProtoFuncPush):
+ (JSC::arrayProtoFuncReverse):
+ (JSC::arrayProtoFuncShift):
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ (JSC::arrayProtoFuncUnShift):
+ (JSC::arrayProtoFuncIndexOf):
+ (JSC::arrayProtoFuncLastIndexOf):
+ (JSC::arrayProtoFuncValues):
+ (JSC::arrayProtoFuncEntries):
+ (JSC::arrayProtoFuncKeys):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/ExceptionHelpers.cpp:
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::toObjectSlowCase):
+ (JSC::JSValue::toThisSlowCase):
+ (JSC::JSValue::synthesizePrototype):
+ (JSC::JSValue::putToPrimitive):
+ (JSC::JSValue::putToPrimitiveByIndex):
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::getPropertySlot):
+ (JSC::JSValue::get):
+ * runtime/JSFunction.cpp:
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ * runtime/JSNotAnObject.cpp: Removed.
+ * runtime/JSNotAnObject.h: Removed.
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorDefineProperties):
+ (JSC::objectConstructorCreate):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncValueOf):
+ (JSC::objectProtoFuncHasOwnProperty):
+ (JSC::objectProtoFuncIsPrototypeOf):
+ (JSC::objectProtoFuncToString):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
2016-03-08 Oliver Hunt <[email protected]>
Start moving to separated writable and executable mappings in the JIT
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (197793 => 197794)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2016-03-08 20:57:25 UTC (rev 197794)
@@ -1687,7 +1687,6 @@
A72028B61797601E0098028C /* JSCTestRunnerUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A72028B41797601E0098028C /* JSCTestRunnerUtils.cpp */; };
A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B51797601E0098028C /* JSCTestRunnerUtils.h */; settings = {ATTRIBUTES = (Private, ); }; };
A72028BA1797603D0098028C /* JSFunctionInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B91797603D0098028C /* JSFunctionInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
- A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A72700780DAC605600E548D7 /* JSNotAnObject.cpp */; };
A72701B90DADE94900E548D7 /* ExceptionHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = A72701B30DADE94900E548D7 /* ExceptionHelpers.h */; };
A7280A2811557E3000D56957 /* JSObjectRefPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = A79EDB0811531CD60019E912 /* JSObjectRefPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
A729009C17976C6000317298 /* MacroAssemblerARMv7.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */; };
@@ -3889,8 +3888,6 @@
A72028B41797601E0098028C /* JSCTestRunnerUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCTestRunnerUtils.cpp; sourceTree = "<group>"; };
A72028B51797601E0098028C /* JSCTestRunnerUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCTestRunnerUtils.h; sourceTree = "<group>"; };
A72028B91797603D0098028C /* JSFunctionInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSFunctionInlines.h; sourceTree = "<group>"; };
- A72700770DAC605600E548D7 /* JSNotAnObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSNotAnObject.h; sourceTree = "<group>"; };
- A72700780DAC605600E548D7 /* JSNotAnObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSNotAnObject.cpp; sourceTree = "<group>"; };
A72701B30DADE94900E548D7 /* ExceptionHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionHelpers.h; sourceTree = "<group>"; };
A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MacroAssemblerARMv7.cpp; sourceTree = "<group>"; };
A7299D9B17D12837005F5FF9 /* JSSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSet.cpp; sourceTree = "<group>"; };
@@ -5735,8 +5732,6 @@
E39DA4A51B7E8B7C0084F33A /* JSModuleRecord.h */,
E33E8D1A1B9013C300346B52 /* JSNativeStdFunction.cpp */,
E33E8D1B1B9013C300346B52 /* JSNativeStdFunction.h */,
- A72700780DAC605600E548D7 /* JSNotAnObject.cpp */,
- A72700770DAC605600E548D7 /* JSNotAnObject.h */,
BC22A3980E16E14800AF21C8 /* JSObject.cpp */,
BC22A3990E16E14800AF21C8 /* JSObject.h */,
0F93275E1C21EF7F00CF6564 /* JSObjectInlines.h */,
@@ -9087,7 +9082,6 @@
E39DA4A61B7E8B7C0084F33A /* JSModuleRecord.cpp in Sources */,
0FB387921BFD31A100E3AB1E /* FTLCompile.cpp in Sources */,
E33E8D1C1B9013C300346B52 /* JSNativeStdFunction.cpp in Sources */,
- A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */,
147F39D4107EC37600427A48 /* JSObject.cpp in Sources */,
1482B7E40A43076000517CFC /* JSObjectRef.cpp in Sources */,
A7F993600FD7325100A0B2D0 /* JSONObject.cpp in Sources */,
Modified: trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -149,6 +149,7 @@
// Fallback to getting at least the line and sourceURL from the exception object if it has values and the exceptionStack doesn't.
if (exception->value().isObject()) {
JSObject* exceptionObject = exception->value().toObject(exec);
+ ASSERT(exceptionObject);
int lineNumber;
int columnNumber;
String exceptionSourceURL;
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -48,7 +48,6 @@
#include "JSCInlines.h"
#include "JSLexicalEnvironment.h"
#include "JSModuleEnvironment.h"
-#include "JSNotAnObject.h"
#include "JSStackInlines.h"
#include "JSString.h"
#include "JSWithScope.h"
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -1765,6 +1765,8 @@
NativeCallFrameTracer tracer(&vm, exec);
JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
+ if (!baseObj)
+ JSValue::encode(JSValue());
bool couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, *identifier);
JSValue result = jsBoolean(couldDelete);
if (!couldDelete && exec->codeBlock()->isStrictMode())
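Review bot: The null guard added after `toObject(exec)` is missing its `return`: `if (!baseObj) JSValue::encode(JSValue());` computes an encoded value and discards it, so a null `baseObj` falls straight into `baseObj->methodTable(vm)->deleteProperty(...)` on the next line. Since toObjectSlowCase in this same patch now returns nullptr after throwing, this path is reachable for any undefined or null base. The line should read `return JSValue::encode(JSValue());`, matching the guards this patch adds in operationToObject and the has-property operation below. The enclosing operation's signature is above the hunk.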
@@ -1805,7 +1807,10 @@
{
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
- return JSValue::encode(JSValue::decode(value).toObject(exec));
+ JSObject* obj = JSValue::decode(value).toObject(exec);
+ if (!obj)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(obj);
}
char* JIT_OPERATION operationSwitchCharWithUnknownKeyType(ExecState* exec, EncodedJSValue encodedKey, size_t tableIndex)
@@ -2042,6 +2047,8 @@
return JSValue::encode(jsBoolean(false));
JSObject* base = baseValue.toObject(exec);
+ if (!base)
+ return JSValue::encode(JSValue());
return JSValue::encode(jsBoolean(base->hasPropertyGeneric(exec, asString(propertyName)->toIdentifier(exec), PropertySlot::InternalMethodType::GetOwnProperty)));
}
Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -681,6 +681,7 @@
LLINT_BEGIN();
CodeBlock* codeBlock = exec->codeBlock();
JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
+ LLINT_CHECK_EXCEPTION();
bool couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
LLINT_CHECK_EXCEPTION();
if (!couldDelete && codeBlock->isStrictMode())
@@ -798,7 +799,8 @@
LLINT_BEGIN();
JSValue baseValue = LLINT_OP_C(2).jsValue();
JSObject* baseObject = baseValue.toObject(exec);
-
+ LLINT_CHECK_EXCEPTION();
+
JSValue subscript = LLINT_OP_C(3).jsValue();
bool couldDelete;
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -562,6 +562,8 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec)
{
JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObject)
+ return JSValue::encode(JSValue());
StringRecursionChecker checker(exec, thisObject);
if (JSValue earlyReturnValue = checker.earlyReturnValue())
@@ -584,6 +586,8 @@
JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
unsigned argCount = exec->argumentCount();
JSValue curArg = thisValue.toObject(exec);
+ if (!curArg)
+ return JSValue::encode(JSValue());
Checked<unsigned, RecordOverflow> finalArraySize = 0;
// We need to do species construction before geting the rest of the elements.
@@ -630,6 +634,7 @@
}
curArg = thisValue.toObject(exec);
+ ASSERT(!exec->hadException());
unsigned n = 0;
for (unsigned i = 0; ; ++i) {
if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
@@ -665,6 +670,8 @@
return JSValue::encode(asArray(thisValue)->pop(exec));
JSObject* thisObj = thisValue.toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -697,6 +704,8 @@
}
JSObject* thisObj = thisValue.toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -722,6 +731,8 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec)
{
JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObject)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObject);
if (exec->hadException())
@@ -795,6 +806,8 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec)
{
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -817,6 +830,8 @@
{
// http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -859,6 +874,8 @@
VM& vm = exec->vm();
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -950,6 +967,8 @@
// 15.4.4.13
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -974,6 +993,8 @@
{
// 15.4.4.14
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (exec->hadException())
return JSValue::encode(jsUndefined());
@@ -997,6 +1018,8 @@
{
// 15.4.4.15
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
unsigned length = getLength(exec, thisObj);
if (!length)
return JSValue::encode(jsNumber(-1));
@@ -1032,18 +1055,24 @@
EncodedJSValue JSC_HOST_CALL arrayProtoFuncValues(ExecState* exec)
{
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateValue, thisObj));
}
EncodedJSValue JSC_HOST_CALL arrayProtoFuncEntries(ExecState* exec)
{
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKeyValue, thisObj));
}
EncodedJSValue JSC_HOST_CALL arrayProtoFuncKeys(ExecState* exec)
{
JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKey, thisObj));
}
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -549,6 +549,7 @@
BEGIN();
JSValue baseValue = OP_C(2).jsValue();
JSObject* baseObject = baseValue.toObject(exec);
+ CHECK_EXCEPTION();
JSValue subscript = OP_C(3).jsValue();
@@ -606,6 +607,7 @@
{
BEGIN();
JSObject* base = OP(2).jsValue().toObject(exec);
+ CHECK_EXCEPTION();
JSValue property = OP(3).jsValue();
pc[4].u.arrayProfile->observeStructure(base->structure(vm));
ASSERT(property.isUInt32());
@@ -616,6 +618,7 @@
{
BEGIN();
JSObject* base = OP(2).jsValue().toObject(exec);
+ CHECK_EXCEPTION();
JSValue property = OP(3).jsValue();
ASSERT(property.isString());
JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(OP(4).jsValue().asCell());
@@ -628,6 +631,7 @@
{
BEGIN();
JSObject* base = OP(2).jsValue().toObject(exec);
+ CHECK_EXCEPTION();
JSValue property = OP(3).jsValue();
bool result;
if (property.isString())
@@ -656,6 +660,7 @@
RETURN(JSPropertyNameEnumerator::create(vm));
JSObject* base = baseValue.toObject(exec);
+ CHECK_EXCEPTION();
RETURN(propertyNameEnumerator(exec, base));
}
Modified: trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -34,7 +34,6 @@
#include "ErrorHandlingScope.h"
#include "Exception.h"
#include "JSGlobalObjectFunctions.h"
-#include "JSNotAnObject.h"
#include "Interpreter.h"
#include "Nodes.h"
#include "JSCInlines.h"
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -32,7 +32,6 @@
#include "JSCJSValueInlines.h"
#include "JSFunction.h"
#include "JSGlobalObject.h"
-#include "JSNotAnObject.h"
#include "NumberObject.h"
#include "StructureInlines.h"
#include <wtf/MathExtras.h>
@@ -90,7 +89,7 @@
ASSERT(isUndefinedOrNull());
VM& vm = exec->vm();
vm.throwException(exec, createNotAnObjectError(exec, *this));
- return JSNotAnObject::create(vm);
+ return nullptr;
}
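Review bot: The `return nullptr;` changes toObject()'s contract from "always yields an object" to "nullptr after a TypeError has been thrown", and nothing in the hunk records that for callers who previously relied on JSNotAnObject absorbing follow-on operations. Add a comment above the return, e.g. `// Only reached after throwing; callers must check for an exception (or a null result) before dereferencing.` The declaration in JSCJSValue.h is not in this diff and presumably should carry the same note. toObjectSlowCase's signature lies above the hunk.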
JSValue JSValue::toThisSlowCase(ExecState* exec, ECMAMode ecmaMode) const
@@ -125,7 +124,7 @@
ASSERT(isUndefinedOrNull());
VM& vm = exec->vm();
vm.throwException(exec, createNotAnObjectError(exec, *this));
- return JSNotAnObject::create(vm);
+ return nullptr;
}
// ECMA 8.7.2
@@ -140,6 +139,8 @@
// Check if there are any setters or getters in the prototype chain
JSObject* obj = synthesizePrototype(exec);
+ if (UNLIKELY(!obj))
+ return;
JSValue prototype;
if (propertyName != exec->propertyNames().underscoreProto) {
for (; !obj->structure()->hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
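Review bot: The early return on a null `obj` silently gives up without recording why, whereas the sibling hunk in putToPrimitiveByIndex asserts `exec->hadException()` on the same condition; the two should agree. Change the guard to `if (UNLIKELY(!obj)) { ASSERT(exec->hadException()); return; }` so a null prototype without a pending exception is caught in debug builds rather than turning into a silent no-op put. putToPrimitive's signature and the rest of its loop are outside the hunk.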
@@ -198,8 +199,13 @@
return;
}
- if (synthesizePrototype(exec)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow))
+ JSObject* prototype = synthesizePrototype(exec);
+ if (UNLIKELY(!prototype)) {
+ ASSERT(exec->hadException());
return;
+ }
+ if (prototype->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow))
+ return;
if (shouldThrow)
throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2016-03-08 20:57:25 UTC (rev 197794)
@@ -767,6 +767,8 @@
if (isString() && asString(*this)->getStringPropertySlot(exec, propertyName, slot))
return true;
object = synthesizePrototype(exec);
+ if (UNLIKELY(!object))
+ return false;
} else
object = asObject(asCell());
@@ -788,6 +790,8 @@
if (isString() && asString(*this)->getStringPropertySlot(exec, propertyName, slot))
return slot.getValue(exec, propertyName);
object = synthesizePrototype(exec);
+ if (UNLIKELY(!object))
+ return JSValue();
} else
object = asObject(asCell());
Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/JSFunction.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -39,7 +39,6 @@
#include "JSCInlines.h"
#include "JSFunctionInlines.h"
#include "JSGlobalObject.h"
-#include "JSNotAnObject.h"
#include "Interpreter.h"
#include "ObjectConstructor.h"
#include "ObjectPrototype.h"
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -821,8 +821,12 @@
JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
- if (!thisObject)
- return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
+ if (!thisObject) {
+ JSObject* prototype = exec->thisValue().synthesizePrototype(exec);
+ if (UNLIKELY(!prototype))
+ return JSValue::encode(JSValue());
+ return JSValue::encode(prototype);
+ }
GlobalFuncProtoGetterFunctor functor(exec, thisObject);
// This can throw but it's just unneeded extra work to check for it. The return
Deleted: trunk/Source/_javascript_Core/runtime/JSNotAnObject.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/JSNotAnObject.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/JSNotAnObject.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Apple Inc. ("Apple") nor the names of
- * its contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-#include "config.h"
-#include "JSNotAnObject.h"
-
-#include "JSCInlines.h"
-
-namespace JSC {
-
-STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSNotAnObject);
-
-const ClassInfo JSNotAnObject::s_info = { "Object", &Base::s_info, 0, CREATE_METHOD_TABLE(JSNotAnObject) };
-
-// JSValue methods
-JSValue JSNotAnObject::defaultValue(const JSObject*, ExecState* exec, PreferredPrimitiveType)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return jsNumber(0);
-}
-
-// JSObject methods
-bool JSNotAnObject::getOwnPropertySlot(JSObject*, ExecState* exec, PropertyName, PropertySlot&)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-bool JSNotAnObject::getOwnPropertySlotByIndex(JSObject*, ExecState* exec, unsigned, PropertySlot&)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-void JSNotAnObject::put(JSCell*, ExecState* exec, PropertyName , JSValue, PutPropertySlot&)
-{
- ASSERT_UNUSED(exec, exec->hadException());
-}
-
-void JSNotAnObject::putByIndex(JSCell*, ExecState* exec, unsigned, JSValue, bool)
-{
- ASSERT_UNUSED(exec, exec->hadException());
-}
-
-bool JSNotAnObject::deleteProperty(JSCell*, ExecState* exec, PropertyName)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-bool JSNotAnObject::deletePropertyByIndex(JSCell*, ExecState* exec, unsigned)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-void JSNotAnObject::getOwnPropertyNames(JSObject*, ExecState* exec, PropertyNameArray&, EnumerationMode)
-{
- ASSERT_UNUSED(exec, exec->hadException());
-}
-
-} // namespace JSC
Deleted: trunk/Source/_javascript_Core/runtime/JSNotAnObject.h (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/JSNotAnObject.h 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/JSNotAnObject.h 2016-03-08 20:57:25 UTC (rev 197794)
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Apple Inc. ("Apple") nor the names of
- * its contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef JSNotAnObject_h
-#define JSNotAnObject_h
-
-#include "JSObject.h"
-
-namespace JSC {
-
-// This unholy class is used to allow us to avoid multiple exception checks
-// in certain SquirrelFish bytecodes -- effectively it just silently consumes
-// any operations performed on the result of a failed toObject call.
-class JSNotAnObject final : public JSNonFinalObject {
-private:
- explicit JSNotAnObject(VM& vm)
- : JSNonFinalObject(vm, vm.notAnObjectStructure.get())
- {
- }
-
-public:
- typedef JSNonFinalObject Base;
- static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
-
- static JSNotAnObject* create(VM& vm)
- {
- JSNotAnObject* object = new (NotNull, allocateCell<JSNotAnObject>(vm.heap)) JSNotAnObject(vm);
- object->finishCreation(vm);
- return object;
- }
-
- static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
- {
- return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
- }
-
- DECLARE_INFO;
-
-private:
- // JSValue methods
- static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
-
- // JSObject methods
- static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
- static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
-
- static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
- static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
-
- static bool deleteProperty(JSCell*, ExecState*, PropertyName);
- static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
-
- static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
-};
-
-} // namespace JSC
-
-#endif // JSNotAnObject_h
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -451,7 +451,11 @@
{
if (!exec->argument(0).isObject())
return throwVMError(exec, createTypeError(exec, ASCIILiteral("Properties can only be defined on Objects.")));
- return JSValue::encode(defineProperties(exec, asObject(exec->argument(0)), exec->argument(1).toObject(exec)));
+ JSObject* targetObj = asObject(exec->argument(0));
+ JSObject* props = exec->argument(1).toObject(exec);
+ if (!props)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(defineProperties(exec, targetObj, props));
}
EncodedJSValue JSC_HOST_CALL objectConstructorCreate(ExecState* exec)
Modified: trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -81,7 +81,10 @@
EncodedJSValue JSC_HOST_CALL objectProtoFuncValueOf(ExecState* exec)
{
JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
- return JSValue::encode(thisValue.toObject(exec));
+ JSObject* valueObj = thisValue.toObject(exec);
+ if (!valueObj)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(valueObj);
}
EncodedJSValue JSC_HOST_CALL objectProtoFuncHasOwnProperty(ExecState* exec)
@@ -90,13 +93,18 @@
auto propertyName = exec->argument(0).toPropertyKey(exec);
if (exec->hadException())
return JSValue::encode(jsUndefined());
- return JSValue::encode(jsBoolean(thisValue.toObject(exec)->hasOwnProperty(exec, propertyName)));
+ JSObject* thisObject = thisValue.toObject(exec);
+ if (!thisObject)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(jsBoolean(thisObject->hasOwnProperty(exec, propertyName)));
}
EncodedJSValue JSC_HOST_CALL objectProtoFuncIsPrototypeOf(ExecState* exec)
{
JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
JSObject* thisObj = thisValue.toObject(exec);
+ if (!thisObj)
+ return JSValue::encode(JSValue());
if (!exec->argument(0).isObject())
return JSValue::encode(jsBoolean(false));
@@ -265,6 +273,8 @@
if (thisValue.isUndefinedOrNull())
return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
JSObject* thisObject = thisValue.toObject(exec);
+ if (!thisObject)
+ return JSValue::encode(JSValue());
JSString* result = thisObject->structure(vm)->objectToStringValue();
if (!result) {
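Review bot: The `if (!thisObject)` guard added here appears unreachable: the line above already returns for undefined and null, and toObjectSlowCase in this patch asserts `isUndefinedOrNull()` before it throws and returns nullptr, so toObject cannot fail for the remaining values. The patch's own convention for such cases (see the changelog and arrayProtoFuncConcat) is an assertion rather than a runtime check, so `ASSERT(thisObject);` would document the invariant better than a dead early return. This is inferred from the visible lines; objectProtoFuncToString begins above the hunk.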
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -65,7 +65,6 @@
#include "JSInternalPromiseDeferred.h"
#include "JSLexicalEnvironment.h"
#include "JSLock.h"
-#include "JSNotAnObject.h"
#include "JSPromiseDeferred.h"
#include "JSPropertyNameEnumerator.h"
#include "JSTemplateRegistryKey.h"
@@ -215,7 +214,6 @@
structureRareDataStructure.set(*this, StructureRareData::createStructure(*this, 0, jsNull()));
terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
- notAnObjectStructure.set(*this, JSNotAnObject::createStructure(*this, 0, jsNull()));
propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));
customGetterSetterStructure.set(*this, CustomGetterSetter::createStructure(*this, 0, jsNull()));
Modified: trunk/Source/_javascript_Core/runtime/VM.h (197793 => 197794)
--- trunk/Source/_javascript_Core/runtime/VM.h 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2016-03-08 20:57:25 UTC (rev 197794)
@@ -284,7 +284,6 @@
Strong<Structure> structureRareDataStructure;
Strong<Structure> terminatedExecutionErrorStructure;
Strong<Structure> stringStructure;
- Strong<Structure> notAnObjectStructure;
Strong<Structure> propertyNameIteratorStructure;
Strong<Structure> propertyNameEnumeratorStructure;
Strong<Structure> getterSetterStructure;
Modified: trunk/Source/WebCore/ChangeLog (197793 => 197794)
--- trunk/Source/WebCore/ChangeLog 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/ChangeLog 2016-03-08 20:57:25 UTC (rev 197794)
@@ -1,3 +1,36 @@
+2016-03-08 Mark Lam <[email protected]>
+
+ synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
+ https://bugs.webkit.org/show_bug.cgi?id=155169
+
+ Reviewed by Geoffrey Garen.
+
+ No new tests because this issue is covered by existing tests when the fix for
+ https://bugs.webkit.org/show_bug.cgi?id=154865 lands. That patch is waiting for
+ this patch to land first so as to not introduce test failures.
+
+ * Modules/plugins/QuickTimePluginReplacement.mm:
+ (WebCore::QuickTimePluginReplacement::installReplacement):
+ * bindings/js/JSDeviceMotionEventCustom.cpp:
+ (WebCore::readAccelerationArgument):
+ (WebCore::readRotationRateArgument):
+ * bindings/js/JSGeolocationCustom.cpp:
+ (WebCore::createPositionOptions):
+ * bindings/js/JSHTMLCanvasElementCustom.cpp:
+ (WebCore::get3DContextAttributes):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateConstructorDefinition):
+ * bindings/scripts/test/JS/JSTestEventConstructor.cpp:
+ (WebCore::JSTestEventConstructorConstructor::construct):
+ * contentextensions/ContentExtensionParser.cpp:
+ (WebCore::ContentExtensions::getTypeFlags):
+ * html/HTMLMediaElement.cpp:
+ (WebCore::setPageScaleFactorProperty):
+ (WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
+ (WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
+ * html/HTMLPlugInImageElement.cpp:
+ (WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):
+
2016-03-08 Oliver Hunt <[email protected]>
Start moving to separated writable and executable mappings in the JIT
Modified: trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm (197793 => 197794)
--- trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm 2016-03-08 20:57:25 UTC (rev 197794)
@@ -190,6 +190,7 @@
if (replacementFunction.isUndefinedOrNull())
return false;
JSC::JSObject* replacementObject = replacementFunction.toObject(exec);
+ ASSERT(!exec->hadException());
JSC::CallData callData;
JSC::CallType callType = replacementObject->methodTable()->getCallData(replacementObject, callData);
if (callType == JSC::CallType::None)
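Review bot: The added `ASSERT(!exec->hadException())` is compiled out in release builds, so if `toObject()` ever did return null here, `replacementObject->methodTable()` on the next line would dereference it unchecked; the only thing making that impossible is the `isUndefinedOrNull()` guard above, and unlike the binding files in this same commit that reasoning is not written down. Adding the comment those files use, `// Given the above test, this will always yield an object.`, above the toObject() call documents why an assertion rather than a null check is sufficient. The same applies to the second hunk of this file (the `m_scriptObject = value.toObject(exec)` line), to JSHTMLCanvasElementCustom.cpp, to ContentExtensionParser.cpp, and to the three `toObject(exec)` sites in HTMLMediaElement.cpp, where the guard that justifies the assertion is not visible in the hunk at all. The enclosing function starts before this hunk.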
@@ -220,8 +221,10 @@
// Get the scripting interface.
value = replacement.get(exec, JSC::Identifier::fromString(exec, "scriptObject"));
- if (!exec->hadException() && !value.isUndefinedOrNull())
+ if (!exec->hadException() && !value.isUndefinedOrNull()) {
m_scriptObject = value.toObject(exec);
+ ASSERT(!exec->hadException());
+ }
if (!m_scriptObject) {
LOG(Plugins, "%p - Failed to find script object created by QuickTime plugin replacement.", this);
Modified: trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp (197793 => 197794)
--- trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -47,6 +47,7 @@
// Given the above test, this will always yield an object.
JSObject* object = value.toObject(&state);
+ ASSERT(!state.hadException());
JSValue xValue = object->get(&state, Identifier::fromString(&state, "x"));
if (state.hadException())
@@ -85,6 +86,7 @@
// Given the above test, this will always yield an object.
JSObject* object = value.toObject(&state);
+ ASSERT(!state.hadException());
JSValue alphaValue = object->get(&state, Identifier::fromString(&state, "alpha"));
if (state.hadException())
Modified: trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp (197793 => 197794)
--- trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -82,6 +82,7 @@
// Given the above test, this will always yield an object.
JSObject* object = value.toObject(exec);
+ ASSERT(!exec->hadException());
// Create the dictionary wrapper from the initializer object.
JSDictionary dictionary(exec, object);
Modified: trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp (197793 => 197794)
--- trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -51,6 +51,7 @@
return;
JSObject* initializerObject = initializerValue.toObject(&state);
+ ASSERT(!state.hadException());
JSDictionary dictionary(&state, initializerObject);
GraphicsContext3D::Attributes graphicsAttrs;
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (197793 => 197794)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-03-08 20:57:25 UTC (rev 197794)
@@ -4820,6 +4820,7 @@
if (!initializerValue.isUndefinedOrNull()) {
// Given the above test, this will always yield an object.
JSObject* initializerObject = initializerValue.toObject(state);
+ ASSERT(!state->hadException());
// Create the dictionary wrapper from the initializer object.
JSDictionary dictionary(state, initializerObject);
Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp (197793 => 197794)
--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -88,6 +88,7 @@
if (!initializerValue.isUndefinedOrNull()) {
// Given the above test, this will always yield an object.
JSObject* initializerObject = initializerValue.toObject(state);
+ ASSERT(!state->hadException());
// Create the dictionary wrapper from the initializer object.
JSDictionary dictionary(state, initializerObject);
Modified: trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp (197793 => 197794)
--- trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -90,6 +90,7 @@
return { };
const JSObject* object = typeValue.toObject(&exec);
+ ASSERT(!exec.hadException());
if (!isJSArray(object))
return ContentExtensionError::JSONInvalidTriggerFlagsArray;
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (197793 => 197794)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -6309,6 +6309,8 @@
{
JSC::PutPropertySlot propertySlot(controllerValue);
JSC::JSObject* controllerObject = controllerValue.toObject(exec);
+ if (!controllerObject)
+ return;
controllerObject->methodTable()->put(controllerObject, exec, JSC::Identifier::fromString(exec, "pageScaleFactor"), JSC::jsNumber(pageScaleFactor), propertySlot);
}
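Review bot: The new early return in setPageScaleFactorProperty leaves the exception that made `toObject()` return null pending on `exec`, and nothing in the hunk reports or clears it; unless the caller (outside this hunk) checks `exec->hadException()`, the error will surface in whatever script runs next on this ExecState rather than at the point of failure. The HTMLPlugInImageElement.cpp hunk in this same commit clears the exception before returning, so the two helpers currently follow different conventions for the same situation. If leaving it pending is intentional, say so at the return, `// toObject() threw; leave the exception for the caller to report.`, and pair it with `ASSERT(exec->hadException());` so the null result is tied to the exception state rather than silently treated as a missing controller.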
@@ -6355,6 +6357,7 @@
argList.append(mediaControlsHostJSWrapper);
JSC::JSObject* function = functionValue.toObject(exec);
+ ASSERT(!exec->hadException());
JSC::CallData callData;
JSC::CallType callType = function->methodTable()->getCallData(function, callData);
if (callType == JSC::CallType::None)
@@ -6368,6 +6371,7 @@
// Connect the Media, MediaControllerHost, and Controller so the GC knows about their relationship
JSC::JSObject* mediaJSWrapperObject = mediaJSWrapper.toObject(exec);
+ ASSERT(!exec->hadException());
JSC::Identifier controlsHost = JSC::Identifier::fromString(&exec->vm(), "controlsHost");
ASSERT(!mediaJSWrapperObject->hasProperty(exec, controlsHost));
@@ -6449,6 +6453,7 @@
return "";
JSC::JSObject* function = functionValue.toObject(exec);
+ ASSERT(!exec->hadException());
JSC::CallData callData;
JSC::CallType callType = function->methodTable()->getCallData(function, callData);
JSC::MarkedArgumentBuffer argList;
Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp (197793 => 197794)
--- trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2016-03-08 20:57:25 UTC (rev 197794)
@@ -404,6 +404,11 @@
// It is expected the JS file provides a createOverlay(shadowRoot, title, subtitle) function.
JSC::JSObject* overlay = globalObject->get(exec, JSC::Identifier::fromString(exec, "createOverlay")).toObject(exec);
+ if (!overlay) {
+ ASSERT(exec->hadException());
+ exec->clearException();
+ return;
+ }
JSC::CallData callData;
JSC::CallType callType = overlay->methodTable()->getCallData(overlay, callData);
if (callType == JSC::CallType::None)
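Review bot: The new `if (!overlay)` block clears the exception without reporting or logging it, so a failure while looking up or converting `createOverlay` in the user-agent shadow root script disappears silently and the overlay is just not installed. The QuickTimePluginReplacement.mm hunk in this commit logs its equivalent failure with `LOG(Plugins, ...)`; if the Plugins log channel is available in this file, a line such as `LOG(Plugins, "%p - createOverlay lookup threw; overlay not installed.", this);` before `exec->clearException()` would keep the two plugin paths consistent and make the failure diagnosable. The ASSERT on the thrown state is the right check, since a null `toObject()` result is only meaningful together with a pending exception. The enclosing function (didAddUserAgentShadowRoot, per the ChangeLog) starts before this hunk.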