Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().

https://bugs.webkit.org/show_bug.cgi?id=189132
<rdar://problem/42513068>

Reviewed by Saam Barati.

JSTests:

* stress/regress-189132.js: Added.

Source/JavaScriptCore:

* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toPropertyKey const):
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomicString const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235491 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 698a160..e040c19 100644 (file)
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2018-08-29  Mark Lam  <mark.lam@apple.com>
+
+        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
+        https://bugs.webkit.org/show_bug.cgi?id=189132
+        <rdar://problem/42513068>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-189132.js: Added.
+
 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 
         [WebAssembly] Parse wasm modules in a streaming fashion

diff --git a/JSTests/stress/regress-189132.js b/JSTests/stress/regress-189132.js
new file mode 100644 (file)
index 0000000..dca0287
--- /dev/null
+++ b/JSTests/stress/regress-189132.js
@@ -0,0 +1,12 @@
+try {
+    var a0 = '\ud801';
+    var a1 = [];
+    a2 = a0.padEnd(2147483644,'x');
+    a1[a2];
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";
+

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 67fb7a5..724ed19 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2018-08-29  Mark Lam  <mark.lam@apple.com>
+
+        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
+        https://bugs.webkit.org/show_bug.cgi?id=189132
+        <rdar://problem/42513068>
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSCJSValueInlines.h:
+        (JSC::JSValue::toPropertyKey const):
+        * runtime/JSString.cpp:
+        (JSC::JSRopeString::resolveRopeToAtomicString const):
+
 2018-08-29  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r235432 and r235436.

diff --git a/Source/JavaScriptCore/runtime/JSCJSValueInlines.h b/Source/JavaScriptCore/runtime/JSCJSValueInlines.h
index f7af868..5aa41e4 100644 (file)
--- a/Source/JavaScriptCore/runtime/JSCJSValueInlines.h
+++ b/Source/JavaScriptCore/runtime/JSCJSValueInlines.h
@@ -649,13 +649,17 @@ ALWAYS_INLINE Identifier JSValue::toPropertyKey(ExecState* exec) const
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (isString())
+    if (isString()) {
+        scope.release();
         return asString(*this)->toIdentifier(exec);
+    }
 
     JSValue primitive = toPrimitive(exec, PreferString);
     RETURN_IF_EXCEPTION(scope, vm.propertyNames->emptyIdentifier);
-    if (primitive.isSymbol())
+    if (primitive.isSymbol()) {
+        scope.release();
         return Identifier::fromUid(asSymbol(primitive)->privateName());
+    }
     scope.release();
     return primitive.toString(exec)->toIdentifier(exec);
 }

diff --git a/Source/JavaScriptCore/runtime/JSString.cpp b/Source/JavaScriptCore/runtime/JSString.cpp
index 092d749..d9c4234 100644 (file)
--- a/Source/JavaScriptCore/runtime/JSString.cpp
+++ b/Source/JavaScriptCore/runtime/JSString.cpp
@@ -178,8 +178,12 @@ void JSRopeString::resolveRopeInternal16NoSubstring(UChar* buffer) const
 
 void JSRopeString::resolveRopeToAtomicString(ExecState* exec) const
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     if (length() > maxLengthForOnStackResolve) {
         resolveRope(exec);
+        RETURN_IF_EXCEPTION(scope, void());
         m_value = AtomicString(m_value);
         setIs8Bit(m_value.impl()->is8Bit());
         return;