[JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
author: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 23:29:48 +0000 (23:29 +0000)
committer: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 23:29:48 +0000 (23:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196574

Reviewed by Saam Barati.

JSTests:

* stress/string-index-of-exception-check.js: Added.
(blurType):
(1.forEach):

Source/JavaScriptCore:

This patch adds a missing exception check in operationArrayIndexOfValueInt32OrContiguous.

* dfg/DFGOperations.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243835 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/string-index-of-exception-check.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp

index 4d87a46..975e830 100644 (file)
@@ -1,3 +1,14 @@
+2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
+        https://bugs.webkit.org/show_bug.cgi?id=196574
+
+        Reviewed by Saam Barati.
+
+        * stress/string-index-of-exception-check.js: Added.
+        (blurType):
+        (1.forEach):
+
 2019-03-29  Tadeu Zagallo  <tzagallo@apple.com>
 
         Assertion failed in JSC::createError
diff --git a/JSTests/stress/string-index-of-exception-check.js b/JSTests/stress/string-index-of-exception-check.js
new file mode 100644 (file)
index 0000000..04f318f
--- /dev/null
@@ -0,0 +1,18 @@
+//@ runDefault("--forceEagerCompilation=true")
+
+// This test should not crash.
+
+var count = 0;
+function blurType(value)
+{
+    if ((count++) & 0x1)
+        return {};
+    return value;
+}
+noInline(blurType);
+
+[0, 1].forEach(()=>{
+    [{}, 1, 2].forEach(x => {
+        ['xy'].indexOf(blurType('xy_'.substring(0, 2)));
+    });
+});
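Review bot: the test's only stated expectation is the comment "This test should not crash", so it is worth spelling out in that comment what the setup relies on: `--forceEagerCompilation=true` plus `noInline(blurType)` are what get the `indexOf` call compiled by the DFG, and `blurType` alternating between `{}` and the string (via `count++ & 0x1`) is what keeps the search element polymorphic so the generic `operationArrayIndexOfValueInt32OrContiguous` path is taken. A future edit that removes either would leave a test that passes without exercising the fixed code. Also note that, since the failure being fixed is an exception-verification assertion, this test only detects the bug on builds with that verification enabled; on release builds it passes trivially.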
index 80fba1b..513c12a 100644 (file)
@@ -1,3 +1,14 @@
+2019-04-03  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous
+        https://bugs.webkit.org/show_bug.cgi?id=196574
+
+        Reviewed by Saam Barati.
+
+        This patch adds missing exception check in operationArrayIndexOfValueInt32OrContiguous.
+
+        * dfg/DFGOperations.cpp:
+
 2019-04-03  Don Olmstead  <don.olmstead@sony.com>
 
         [CMake][WTF] Mirror XCode header directories
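Review bot: the entry says that a check was added but not why it was needed; a sentence noting that `JSValue::strictEqual` can throw at this site and that the existing `RETURN_IF_EXCEPTION(scope, { })` was unreachable on the early `return index` path would let a reader understand the bug from the ChangeLog alone, without opening `DFGOperations.cpp`.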
index 34aea7c..dd2854b 100644 (file)
@@ -2561,9 +2561,10 @@ int32_t JIT_OPERATION operationArrayIndexOfValueInt32OrContiguous(ExecState* exe
         JSValue value = data[index].get();
         if (!value)
             continue;
-        if (JSValue::strictEqual(exec, searchElement, value))
-            return index;
+        bool isEqual = JSValue::strictEqual(exec, searchElement, value);
         RETURN_IF_EXCEPTION(scope, { });
+        if (isEqual)
+            return index;
     }
     return -1;
 }
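Review bot: the reordering is the right fix: in the old code `RETURN_IF_EXCEPTION(scope, { })` was only reached when `strictEqual` returned false, so an exception raised during the comparison was dropped on the `return index` path (which is what the exception-verification assertion caught). Storing the result in `isEqual` and checking the scope before acting on it closes that window. It would be worth checking whether the other `indexOf` operations in this file use the same call-then-return pattern before their exception check.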