Fix missing exception in JSValue::toWTFStringSlowCase().
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Dec 2019 01:11:15 +0000 (01:11 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 13 Dec 2019 01:11:15 +0000 (01:11 +0000)
https://bugs.webkit.org/show_bug.cgi?id=205176
<rdar://problem/57871899>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js: Added.

Source/JavaScriptCore:

Also fix all the new exception check failures that fall out of this change.
Also replaced some ASSERTs with EXCEPTION_ASSERT so that we can run the exception
check validation on a release build.

* dfg/DFGOperations.cpp:
* jsc.cpp:
(dumpException):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncPush):
* runtime/ExceptionHelpers.cpp:
(JSC::createError):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toWTFStringSlowCase const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253458 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/ExceptionHelpers.cpp
Source/JavaScriptCore/runtime/JSCJSValue.cpp

index bb02759..6d12192 100644 (file)
@@ -1,5 +1,15 @@
 2019-12-12  Mark Lam  <mark.lam@apple.com>
 
+        Fix missing exception in JSValue::toWTFStringSlowCase().
+        https://bugs.webkit.org/show_bug.cgi?id=205176
+        <rdar://problem/57871899>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js: Added.
+
+2019-12-12  Mark Lam  <mark.lam@apple.com>
+
         Fix missing exception check in JSON Stringifier's gap function.
         https://bugs.webkit.org/show_bug.cgi?id=205171
         <rdar://problem/57871842>
diff --git a/JSTests/stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js b/JSTests/stress/missing-exception-check-in-JSValue-toWTFStringSlowCase.js
new file mode 100644 (file)
index 0000000..cb0b618
--- /dev/null
@@ -0,0 +1,11 @@
+//@ skip if $memoryLimited
+//@ runDefault
+
+try {
+    RegExp({toString: ()=> ''.padEnd(2**31-1, 10 .toLocaleString()) });
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
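Review bot: `exception` is assigned on L70 without ever being declared, so if `RegExp(...)` does not throw, the comparison on the last line raises a ReferenceError rather than the intended `throw "FAILED"`, and the assignment itself would fail under strict mode; declare it first with `let exception;` above the `try`. The check also coerces the thrown value to a string, which accepts any object whose `toString` happens to yield `"Error: Out of memory"`; `exception instanceof Error && String(exception) === "Error: Out of memory"` pins the expected failure more tightly. Whether the harness treats an uncaught ReferenceError and an uncaught `"FAILED"` the same way is not visible here.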
index 3e75eaf..a461ac3 100644 (file)
@@ -1,3 +1,25 @@
+2019-12-12  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception in JSValue::toWTFStringSlowCase().
+        https://bugs.webkit.org/show_bug.cgi?id=205176
+        <rdar://problem/57871899>
+
+        Reviewed by Yusuke Suzuki.
+
+        Also fix all the new exception check failures that fall out of change.
+        Also replaced some ASSERTs with EXCEPTION_ASSERT so that we can run the exception
+        check validation on a release build.
+
+        * dfg/DFGOperations.cpp:
+        * jsc.cpp:
+        (dumpException):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncPush):
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::createError):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::toWTFStringSlowCase const):
+
 2019-12-12  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Lock-down JSGlobalObject and derived classes in IsoSubspace
index ea27c40..0dfe7be 100644 (file)
@@ -2375,7 +2375,7 @@ EncodedJSValue JIT_OPERATION operationHasGenericProperty(JSGlobalObject* globalO
         return JSValue::encode(jsBoolean(false));
 
     JSObject* base = baseValue.toObject(globalObject);
-    ASSERT(!scope.exception() || !base);
+    EXCEPTION_ASSERT(!scope.exception() || !base);
     if (!base)
         return JSValue::encode(JSValue());
     auto propertyName = asString(property)->toIdentifier(globalObject);
index fa48a35..663c34c 100644 (file)
@@ -2514,6 +2514,7 @@ static void dumpException(GlobalObject* globalObject, JSValue exception)
     } while (false)
 
     auto exceptionString = exception.toWTFString(globalObject);
+    CHECK_EXCEPTION();
     Expected<CString, UTF8ConversionError> expectedCString = exceptionString.tryGetUtf8();
     if (expectedCString)
         printf("Exception: %s\n", expectedCString.value().data());
@@ -2538,16 +2539,20 @@ static void dumpException(GlobalObject* globalObject, JSValue exception)
     JSValue stackValue = exception.get(globalObject, stackID);
     CHECK_EXCEPTION();
     
-    if (nameValue.toWTFString(globalObject) == "SyntaxError"
-        && (!fileNameValue.isUndefinedOrNull() || !lineNumberValue.isUndefinedOrNull())) {
-        printf(
-            "at %s:%s\n",
-            fileNameValue.toWTFString(globalObject).utf8().data(),
-            lineNumberValue.toWTFString(globalObject).utf8().data());
+    auto nameString = nameValue.toWTFString(globalObject);
+    CHECK_EXCEPTION();
+
+    if (nameString == "SyntaxError" && (!fileNameValue.isUndefinedOrNull() || !lineNumberValue.isUndefinedOrNull())) {
+        auto fileNameString = fileNameValue.toWTFString(globalObject);
+        CHECK_EXCEPTION();
+        auto lineNumberString = lineNumberValue.toWTFString(globalObject);
+        CHECK_EXCEPTION();
+        printf("at %s:%s\n", fileNameString.utf8().data(), lineNumberString.utf8().data());
     }
     
     if (!stackValue.isUndefinedOrNull()) {
         auto stackString = stackValue.toWTFString(globalObject);
+        CHECK_EXCEPTION();
         if (stackString.length())
             printf("%s\n", stackString.utf8().data());
     }
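Review bot: The rewritten print on L139, and the stack print on L146, pass `fileNameString.utf8().data()` and `stackString.utf8().data()` straight to printf, whereas the sibling hunk above converts the exception string through `tryGetUtf8()` and branches on the `Expected`; these values come from properties of a script-controlled exception object, so a malformed UTF-16 string would presumably be handled differently by the two paths. For consistency, convert them the same way, e.g. `auto fileNameUtf8 = fileNameString.tryGetUtf8();` and print `fileNameUtf8 ? fileNameUtf8.value().data() : "<invalid utf8>"`. dumpException begins before this hunk, and the CHECK_EXCEPTION macro the new lines rely on is defined there, outside the visible range.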
index 0a7ae4e..6057128 100644 (file)
@@ -889,7 +889,9 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncPush(JSGlobalObject* globalObject, Ca
             thisObj->methodTable(vm)->putByIndex(thisObj, globalObject, length + n, callFrame->uncheckedArgument(n), true);
         else {
             PutPropertySlot slot(thisObj);
-            Identifier propertyName = Identifier::fromString(vm, JSValue(static_cast<int64_t>(length) + static_cast<int64_t>(n)).toWTFString(globalObject));
+            auto string = JSValue(static_cast<int64_t>(length) + static_cast<int64_t>(n)).toWTFString(globalObject);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            Identifier propertyName = Identifier::fromString(vm, string);
             thisObj->methodTable(vm)->put(thisObj, globalObject, propertyName, callFrame->uncheckedArgument(n), slot);
         }
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
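Review bot: The local `string` introduced on L154 says nothing about what it holds; `indexString` or `propertyKeyString` would read better beside `propertyName` on L156. A why-comment would also help the next reader, since the value converted here is a number and appears to take the numericStrings path in toWTFStringSlowCase rather than the throwing toString() path: `// toWTFString() now declares a throw scope, so the exception-check validator requires a check here even though converting a number is not expected to throw.` The `scope` used by RETURN_IF_EXCEPTION is declared earlier in arrayProtoFuncPush, outside this hunk.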
index eed4496..d71121a 100644 (file)
@@ -266,7 +266,7 @@ JSObject* createError(JSGlobalObject* globalObject, JSValue value, const String&
     auto scope = DECLARE_CATCH_SCOPE(vm);
 
     String valueDescription = errorDescriptionForValue(globalObject, value);
-    ASSERT(scope.exception() || !!valueDescription);
+    EXCEPTION_ASSERT(scope.exception() || !!valueDescription);
     if (!valueDescription) {
         scope.clearException();
         return createOutOfMemoryError(globalObject);
index ba54664..153bba6 100644 (file)
@@ -404,6 +404,7 @@ JSString* JSValue::toStringSlowCase(JSGlobalObject* globalObject, bool returnEmp
 String JSValue::toWTFStringSlowCase(JSGlobalObject* globalObject) const
 {
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     if (isInt32())
         return vm.numericStrings.add(asInt32());
     if (isDouble())
@@ -416,7 +417,9 @@ String JSValue::toWTFStringSlowCase(JSGlobalObject* globalObject) const
         return vm.propertyNames->nullKeyword.string();
     if (isUndefined())
         return vm.propertyNames->undefinedKeyword.string();
-    return toString(globalObject)->value(globalObject);
+    JSString* string = toString(globalObject);
+    RETURN_IF_EXCEPTION(scope, { });
+    RELEASE_AND_RETURN(scope, string->value(globalObject));
 }
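Review bot: The new early return on L185 hands callers a null `String` (`{ }`) when toString() throws, while every non-throwing path above returns a non-null string, and nothing documents that callers can rely on the null/non-null distinction versus checking the scope; a comment at the top of the function would settle it: `// Returns a null String when toString() or resolving the resulting JSString throws; callers must check for an exception after calling this.` Whether `string->value(globalObject)` on L186 can throw anything other than the out-of-memory error the new test pins is not visible from this hunk. The function's signature and throw-scope declaration are in the previous hunk.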
 
 } // namespace JSC