Placate exception check validation in operationArrayIndexOfString().
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 16:36:20 +0000 (16:36 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 16:36:20 +0000 (16:36 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196067
<rdar://problem/49056572>

Reviewed by Michael Saboff.

JSTests:

* stress/string-equal-exception-check.js: Added.

Source/JavaScriptCore:

* dfg/DFGOperations.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243294 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/string-equal-exception-check.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp

index 90cffb1..bc35305 100644 (file)
@@ -1,5 +1,15 @@
 2019-03-21  Mark Lam  <mark.lam@apple.com>
 
+        Placate exception check validation in operationArrayIndexOfString().
+        https://bugs.webkit.org/show_bug.cgi?id=196067
+        <rdar://problem/49056572>
+
+        Reviewed by Michael Saboff.
+
+        * stress/string-equal-exception-check.js: Added.
+
+2019-03-21  Mark Lam  <mark.lam@apple.com>
+
         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
         https://bugs.webkit.org/show_bug.cgi?id=196055
         <rdar://problem/49067448>
diff --git a/JSTests/stress/string-equal-exception-check.js b/JSTests/stress/string-equal-exception-check.js
new file mode 100644 (file)
index 0000000..6f56a69
--- /dev/null
@@ -0,0 +1,9 @@
+//@ runDefault("--forceEagerCompilation=true")
+
+// This test should not crash.
+
+[0, 1].forEach(()=>{
+    [{}, 1, 2].forEach(x => {
+        ['xy'].indexOf('xy_'.substring(0, 2));
+    });
+});
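Review bot: the `// This test should not crash.` comment says what is expected but not which path the test drives; add a line noting that `'xy_'.substring(0, 2)` produces a string that is not pointer-identical to the `'xy'` array element, so `indexOf` cannot take the `string == searchElement` shortcut and has to go through `string->equal`, which is the path whose exception-check accounting this commit fixes. The loop variable `x` in `[{}, 1, 2].forEach(x => ...)` is never used, so a short comment on why the two nested loops (together with `--forceEagerCompilation=true`) are needed to reach the DFG operation would also help the next person who has to minimise or extend this test.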
index 834b4be..c5732d1 100644 (file)
@@ -1,3 +1,13 @@
+2019-03-21  Mark Lam  <mark.lam@apple.com>
+
+        Placate exception check validation in operationArrayIndexOfString().
+        https://bugs.webkit.org/show_bug.cgi?id=196067
+        <rdar://problem/49056572>
+
+        Reviewed by Michael Saboff.
+
+        * dfg/DFGOperations.cpp:
+
 2019-03-21  Xan Lopez  <xan@igalia.com>
 
         [JSC][x86] Drop support for x87 floating point
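Review bot: the `* dfg/DFGOperations.cpp:` entry carries neither the function name nor a description of what changed, which the WebKit ChangeLog format expects; suggest `* dfg/DFGOperations.cpp:` followed by `(JSC::DFG::operationArrayIndexOfString):` and one sentence stating that a `scope.assertNoException()` was added on the `string->equal()` true path so that exception check validation sees that path covered.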
index f542dd6..0f4cb30 100644 (file)
@@ -2538,8 +2538,10 @@ int32_t JIT_OPERATION operationArrayIndexOfString(ExecState* exec, Butterfly* bu
         auto* string = asString(value);
         if (string == searchElement)
             return index;
-        if (string->equal(exec, searchElement))
+        if (string->equal(exec, searchElement)) {
+            scope.assertNoException();
             return index;
+        }
         RETURN_IF_EXCEPTION(scope, { });
     }
     return -1;
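Review bot: the new `scope.assertNoException()` depends on the invariant that `string->equal(exec, searchElement)` cannot both return true and leave an exception pending; that invariant is what makes the immediate `return index` safe, yet nothing in the hunk records it. Add a one-line comment above the assertion, e.g. `// equal() returning true means the comparison completed, so no exception can be pending.` Otherwise the shape is right: the false path still reaches `RETURN_IF_EXCEPTION(scope, { });`, and the true path now carries an explicit check, so every path after the throwing call is accounted for.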