synthesizePrototype() and friends need to be followed by exception checks (or equival...
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Mar 2016 20:57:25 +0000 (20:57 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Mar 2016 20:57:25 +0000 (20:57 +0000)
commitef3ae4423c910acea67cc3a60d68079ace75c665
treee88f3ec20a55ffde974973ba3ea06cc30fc73dd7
parent37a8fa52a4d72c2d44ffaa618e89ca1c7d7072c7
synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
https://bugs.webkit.org/show_bug.cgi?id=155169

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

With the exception checks, we may end up throwing new exceptions over an existing
one that has been thrown but not handled yet, thereby obscuring it.  It may also
mean that the VM will continue running on potentially unstable state, which may
have undesirable consequences.

I first observed this in some failed assertion while running tests on a patch for
https://bugs.webkit.org/show_bug.cgi?id=154865.

Performance is neutral with this patch (tested on x86_64).

1. Deleted JSNotAnObject, and removed all uses of it.

2. Added exception checks, when needed, following calls to synthesizePrototype()
   and JSValue::toObject().

   The cases that do not need an exception check are the ones that already ensures
   that JSValue::toObject() is only called on a value that is convertible to an
   object.  In those cases, I added an assertion that no exception was thrown
   after the call.

* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStackFromException):
* interpreter/Interpreter.cpp:
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::arrayProtoFuncValues):
(JSC::arrayProtoFuncEntries):
(JSC::arrayProtoFuncKeys):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/ExceptionHelpers.cpp:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toObjectSlowCase):
(JSC::JSValue::toThisSlowCase):
(JSC::JSValue::synthesizePrototype):
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::getPropertySlot):
(JSC::JSValue::get):
* runtime/JSFunction.cpp:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
* runtime/JSNotAnObject.cpp: Removed.
* runtime/JSNotAnObject.h: Removed.
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorDefineProperties):
(JSC::objectConstructorCreate):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncToString):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

Source/WebCore:

No new tests because this issue is covered by existing tests when the fix for
https://bugs.webkit.org/show_bug.cgi?id=154865 lands.  That patch is waiting for
this patch to land first so as to not introduce test failures.

* Modules/plugins/QuickTimePluginReplacement.mm:
(WebCore::QuickTimePluginReplacement::installReplacement):
* bindings/js/JSDeviceMotionEventCustom.cpp:
(WebCore::readAccelerationArgument):
(WebCore::readRotationRateArgument):
* bindings/js/JSGeolocationCustom.cpp:
(WebCore::createPositionOptions):
* bindings/js/JSHTMLCanvasElementCustom.cpp:
(WebCore::get3DContextAttributes):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateConstructorDefinition):
* bindings/scripts/test/JS/JSTestEventConstructor.cpp:
(WebCore::JSTestEventConstructorConstructor::construct):
* contentextensions/ContentExtensionParser.cpp:
(WebCore::ContentExtensions::getTypeFlags):
* html/HTMLMediaElement.cpp:
(WebCore::setPageScaleFactorProperty):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197794 268f45cc-cd09-0410-ab3c-d52691b4dbfc
30 files changed:
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp
Source/JavaScriptCore/interpreter/Interpreter.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/ExceptionHelpers.cpp
Source/JavaScriptCore/runtime/JSCJSValue.cpp
Source/JavaScriptCore/runtime/JSCJSValueInlines.h
Source/JavaScriptCore/runtime/JSFunction.cpp
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
Source/JavaScriptCore/runtime/JSNotAnObject.cpp [deleted file]
Source/JavaScriptCore/runtime/JSNotAnObject.h [deleted file]
Source/JavaScriptCore/runtime/ObjectConstructor.cpp
Source/JavaScriptCore/runtime/ObjectPrototype.cpp
Source/JavaScriptCore/runtime/VM.cpp
Source/JavaScriptCore/runtime/VM.h
Source/WebCore/ChangeLog
Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm
Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp
Source/WebCore/bindings/js/JSGeolocationCustom.cpp
Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp
Source/WebCore/contentextensions/ContentExtensionParser.cpp
Source/WebCore/html/HTMLMediaElement.cpp
Source/WebCore/html/HTMLPlugInImageElement.cpp