[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because...
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Apr 2019 04:17:44 +0000 (04:17 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Apr 2019 04:17:44 +0000 (04:17 +0000)
commit 67f9286458f9bfc05c16c227c3ac08da0a830f7b
tree ce1d8a8066740e4430d7802936e28f7533c3c7ea
parent b825cee63061bae3f0be97c1757afcdb6daa6ae9
[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
https://bugs.webkit.org/show_bug.cgi?id=196631

Reviewed by Saam Barati.

JSTests:

* stress/make-bound-function-should-not-assume-int32-length.js: Added.
(assert):
(test):
(foo):

Source/JavaScriptCore:

makeBoundFunction assumes that the "length" argument is always Int32. But this should not be done, since this "length" value is calculated in builtin JS code.
DFG may store this value in Double format, so we should not rely on this value being Int32. This patch fixes the makeBoundFunction function to perform
a toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* interpreter/CallFrameInlines.h:
* runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
(JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
(JSC::DoublePredictionFuzzerAgent::getPrediction):
* runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
* runtime/JSGlobalObject.cpp:
(JSC::makeBoundFunction):
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::VM::VM):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
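As an added illustration of the "length" computation the commit message refers to (this is an example written for this page, not the commit's stress test and not WebKit code): a JavaScript reference model of the bound-function "length" per the ES2019 Function.prototype.bind steps, compared against the host engine for targets whose own "length" is fractional, above the Int32 range, Infinity, NaN, a string, or absent, and repeated in a loop so that a tiering JIT sees the same call shape many times. The function names (toInteger, expectedBoundLength, targetWithLength, checkBoundLength, runAll), the NO_OWN_LENGTH sentinel and the case table are assumptions of this example.

```javascript
// Added example, not code from the WebKit commit. Reference model of the
// "length" Function.prototype.bind must produce (ES2019 steps 5-8), checked
// against the host engine for targets whose own "length" is not an Int32.

const NO_OWN_LENGTH = Symbol("no own length"); // sentinel: delete target.length

// Spec ToInteger: NaN -> 0, +/-Infinity kept, everything else truncated toward zero.
function toInteger(x) {
  const n = Number(x);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Bound "length" = max(0, ToInteger(target.length) - boundArgCount), or 0 when
// the target has no own "length" or that value is not a Number.
function expectedBoundLength(target, boundArgCount) {
  if (!Object.prototype.hasOwnProperty.call(target, "length")) return 0;
  const len = target.length;
  if (typeof len !== "number") return 0;
  return Math.max(0, toInteger(len) - boundArgCount);
}

// Build a target whose own "length" is an arbitrary value. Function "length" is
// configurable since ES2015, so it can be redefined or deleted.
function targetWithLength(value) {
  function target(a, b, c) { return [a, b, c]; }
  if (value === NO_OWN_LENGTH) {
    delete target.length;
  } else {
    Object.defineProperty(target, "length", { value, configurable: true });
  }
  return target;
}

// Bind the target `iterations` times (so a tiering JIT sees the same shape
// repeatedly) and compare the engine's result with the reference model.
function checkBoundLength(lengthValue, boundArgCount, iterations = 1) {
  const target = targetWithLength(lengthValue);
  const args = Array.from({ length: boundArgCount }, (_, i) => i);
  const expected = expectedBoundLength(target, boundArgCount);
  let actual;
  for (let i = 0; i < iterations; i++) {
    actual = target.bind(null, ...args).length;
    if (!Object.is(actual, expected)) break;
  }
  return { expected, actual, ok: Object.is(actual, expected) };
}

// Constructed inputs: values a Double can carry but an Int32 cannot, plus the
// non-Number and missing-property branches of the spec.
const cases = [
  { label: "plain function",         length: 3,             boundArgs: 1 },
  { label: "fractional length",      length: 3.66,          boundArgs: 1 },
  { label: "negative length",        length: -3.7,          boundArgs: 0 },
  { label: "length above Int32 max", length: 2 ** 31,       boundArgs: 1 },
  { label: "length is +Infinity",    length: Infinity,      boundArgs: 5 },
  { label: "length is NaN",          length: NaN,           boundArgs: 0 },
  { label: "length is a string",     length: "5",           boundArgs: 0 },
  { label: "no own length",          length: NO_OWN_LENGTH, boundArgs: 0 },
];

function runAll(iterations = 1) {
  return cases.map(c => ({ label: c.label, ...checkBoundLength(c.length, c.boundArgs, iterations) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runAll(10000)) {
    console.log(`${r.ok ? "ok  " : "FAIL"} ${r.label}: expected ${r.expected}, got ${r.actual}`);
  }
}
```

Run it under any engine with `node file.js`; a mismatch on the fractional or above-Int32 rows is the kind of divergence the commit describes, where the value computed in builtin JS is a Double and the native side assumed Int32.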
JSTests/ChangeLog
JSTests/stress/make-bound-function-should-not-assume-int32-length.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/Sources.txt
Source/JavaScriptCore/interpreter/CallFrameInlines.h
Source/JavaScriptCore/runtime/DoublePredictionFuzzerAgent.cpp [new file with mode: 0644]
Source/JavaScriptCore/runtime/DoublePredictionFuzzerAgent.h [new file with mode: 0644]
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/Options.h
Source/JavaScriptCore/runtime/VM.cpp