Missing a ThrowScope release in JSObject::toString().
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Mar 2019 17:36:48 +0000 (17:36 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Mar 2019 17:36:48 +0000 (17:36 +0000)
https://bugs.webkit.org/show_bug.cgi?id=195893
<rdar://problem/48970986>

Reviewed by Michael Saboff.

JSTests:

* stress/to-string-exception-check-release.js: Added.

Source/JavaScriptCore:

Placate the validator with a RELEASE_AND_RETURN().

* runtime/JSObject.cpp:
(JSC::JSObject::toString const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243079 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/to-string-exception-check-release.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp

index caef4ff..1707a06 100644 (file)
@@ -1,5 +1,15 @@
 2019-03-18  Mark Lam  <mark.lam@apple.com>
 
+        Missing a ThrowScope release in JSObject::toString().
+        https://bugs.webkit.org/show_bug.cgi?id=195893
+        <rdar://problem/48970986>
+
+        Reviewed by Michael Saboff.
+
+        * stress/to-string-exception-check-release.js: Added.
+
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
         Structure::flattenDictionary() should clear unused property slots.
         https://bugs.webkit.org/show_bug.cgi?id=195871
         <rdar://problem/48959497>
diff --git a/JSTests/stress/to-string-exception-check-release.js b/JSTests/stress/to-string-exception-check-release.js
new file mode 100644 (file)
index 0000000..d35cfbb
--- /dev/null
@@ -0,0 +1,5 @@
+// This test should not fail exception check validation.
+
+let s = new String();
+s.toString = ()=>{}
+JSON.stringify(s);
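Review bot: the new test has no assertion and no try/catch, so it only documents the expected behaviour through the leading comment; it passes or fails solely on whether the exception-check validator in a debug build asserts when `JSON.stringify(s)` reaches `JSObject::toString()` with the overridden `toString` returning `undefined`. A one-line comment stating that this is a validator-only test (the value of `JSON.stringify` is deliberately not checked) would make the intent clear to anyone who later sees it "pass" in a release build. Minor style point: `s.toString = ()=>{}` is the only statement in the file without a terminating semicolon.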
index e869997..459ef3c 100644 (file)
@@ -1,5 +1,18 @@
 2019-03-18  Mark Lam  <mark.lam@apple.com>
 
+        Missing a ThrowScope release in JSObject::toString().
+        https://bugs.webkit.org/show_bug.cgi?id=195893
+        <rdar://problem/48970986>
+
+        Reviewed by Michael Saboff.
+
+        Placate the validator with a RELEASE_AND_RETURN().
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::toString const):
+
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
         Structure::flattenDictionary() should clear unused property slots.
         https://bugs.webkit.org/show_bug.cgi?id=195871
         <rdar://problem/48959497>
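Review bot: the ChangeLog entry says only "Placate the validator with a RELEASE_AND_RETURN()", which describes the mechanism but not the reason; a reader of this entry cannot tell whether the validator was wrong or the code was. One sentence noting that `primitive.toString(exec)` can throw, so the throw scope must be released before the value is returned, would record the actual defect rather than just the macro used to silence it.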
index cd8f535..3e8f6e0 100644 (file)
@@ -2435,7 +2435,7 @@ JSString* JSObject::toString(ExecState* exec) const
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue primitive = toPrimitive(exec, PreferString);
     RETURN_IF_EXCEPTION(scope, jsEmptyString(exec));
-    return primitive.toString(exec);
+    RELEASE_AND_RETURN(scope, primitive.toString(exec));
 }
 
 JSValue JSObject::toThis(JSCell* cell, ExecState*, ECMAMode)
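Review bot: the replacement of `return primitive.toString(exec);` with `RELEASE_AND_RETURN(scope, primitive.toString(exec));` is the correct fix: `primitive.toString(exec)` can itself throw, so the scope declared by `DECLARE_THROW_SCOPE(vm)` has to be released before the function returns, otherwise the exception-check validator reports the scope as never checked after that call. The preceding `RETURN_IF_EXCEPTION(scope, jsEmptyString(exec));` still handles a failure inside `toPrimitive`, and since `RELEASE_AND_RETURN` only releases the scope and returns the expression, the value returned in release builds is unchanged.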