Add a missing exception check.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Dec 2018 05:21:35 +0000 (05:21 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Dec 2018 05:21:35 +0000 (05:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192626
<rdar://problem/46662163>

Reviewed by Keith Miller.

JSTests:

* stress/regress-192626.js: Added.

Source/JavaScriptCore:

* runtime/ScopedArguments.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239198 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-192626.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ScopedArguments.h

index e33fa40..06b6f33 100644 (file)
@@ -1,3 +1,13 @@
+2018-12-13  Mark Lam  <mark.lam@apple.com>
+
+        Add a missing exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=192626
+        <rdar://problem/46662163>
+
+        Reviewed by Keith Miller.
+
+        * stress/regress-192626.js: Added.
+
 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
 
         [BigInt] Add ValueDiv into DFG
diff --git a/JSTests/stress/regress-192626.js b/JSTests/stress/regress-192626.js
new file mode 100644 (file)
index 0000000..ed98aa5
--- /dev/null
@@ -0,0 +1,23 @@
+var a = {};
+
+function foo() {
+    return Array.prototype.splice.apply([], a);
+}
+noInline(foo);
+
+function bar(b) {
+    with({});
+    a = arguments;
+    a.__defineGetter__("length", String.prototype.valueOf);
+    foo();
+}
+
+var exception;
+try {
+    bar();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "TypeError: Type error")
+    throw "FAIL";
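Review bot: The purpose of `with({});` on the first line of bar() is not evident from the test itself; it appears to be there so that `arguments` in bar is materialised as a scoped arguments object (the class patched by this commit), and a one-line comment would save the next reader a trip to the ChangeLog: `// 'with' forces a scoped arguments object; its getter-backed length then throws when splice reads it.` The final check `exception != "TypeError: Type error"` relies on loose coercion of the caught Error to its string form, and `String(exception) !== "TypeError: Type error"` states the same assertion explicitly while still failing when no exception was thrown at all. The expected message is presumably the JSC text for calling String.prototype.valueOf on a non-String receiver; worth confirming that the test fails, rather than passes vacuously, if that wording ever changes.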
index cf999f4..05d2e4a 100644 (file)
@@ -1,3 +1,13 @@
+2018-12-13  Mark Lam  <mark.lam@apple.com>
+
+        Add a missing exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=192626
+        <rdar://problem/46662163>
+
+        Reviewed by Keith Miller.
+
+        * runtime/ScopedArguments.h:
+
 2018-12-13  Saam Barati  <sbarati@apple.com>
 
         The JSC shell should listen for memory pressure events and respond to them
index b2e80ff..a9c0b24 100644 (file)
@@ -74,8 +74,12 @@ public:
     uint32_t length(ExecState* exec) const
     {
         VM& vm = exec->vm();
-        if (UNLIKELY(storageHeader().overrodeThings))
-            return get(exec, vm.propertyNames->length).toUInt32(exec);
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        if (UNLIKELY(storageHeader().overrodeThings)) {
+            auto value = get(exec, vm.propertyNames->length);
+            RETURN_IF_EXCEPTION(scope, 0);
+            RELEASE_AND_RETURN(scope, value.toUInt32(exec));
+        }
         return internalLength();
     }
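Review bot: The exception path added at `RETURN_IF_EXCEPTION(scope, 0);` makes length() return 0 with an exception pending, which is indistinguishable from a genuinely empty arguments object, so every caller must check for an exception after this call instead of trusting the value; a comment on the signature would make that contract explicit: `// May run a user-installed 'length' getter. Returns 0 with an exception pending if it throws; callers must check.` The `return internalLength();` path exits the throw scope without a check, which is correct only if internalLength() cannot throw — it appears to read stored state, but its definition is outside the hunk. Because the getter can run arbitrary script, any caller that caches this length and then indexes backing storage should re-validate after the call rather than assume the object is unchanged.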