JSObject::getOwnPropertyDescriptor is missing an exception check
authortzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 May 2019 20:52:04 +0000 (20:52 +0000)
committertzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 May 2019 20:52:04 +0000 (20:52 +0000)
commit1ff4b0013242e1b86d9406df960d4170cb349b2e
treef356197772ebee391563cbd5f7c1bc6ef89ae223
parent5de25b83c5e9713ca3e781d75399b5980bd99898
JSObject::getOwnPropertyDescriptor is missing an exception check
https://bugs.webkit.org/show_bug.cgi?id=197693
JSTests:

<rdar://problem/50441784>

Reviewed by Saam Barati.

* stress/proxy-spread.js: Added.
(foo):

Source/JavaScriptCore:

<rdar://problem/50441784>

Reviewed by Saam Barati.

The method table call to getOwnPropertySlot might throw, and JSObject::getOwnPropertyDescriptor
must handle the exception before calling PropertySlot::getValue, which can also throw.

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):

Source/WebCore:

Reviewed by Saam Barati.

JSObject::getOwnPropertyDescriptor assumes that getOwnPropertySlot returns false
if an exception is thrown, but that was not true for JSLocation::getOwnPropertySlotCommon.

This is already covered by http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html

* bindings/js/JSLocationCustom.cpp:
(WebCore::getOwnPropertySlotCommon):
(WebCore::JSLocation::getOwnPropertySlot):
(WebCore::JSLocation::getOwnPropertySlotByIndex):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245249 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/proxy-spread.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSLocationCustom.cpp