fromCharCode is missing some exception checks
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Apr 2018 03:14:21 +0000 (03:14 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 25 Apr 2018 03:14:21 +0000 (03:14 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184952

Reviewed by Saam Barati.

JSTests:

* stress/fromCharCode-exception-check.js: Added.
(get catch):

Source/JavaScriptCore:

I also removed the pointless slow path function and moved it into the
main function.

* runtime/StringConstructor.cpp:
(JSC::stringFromCharCode):
(JSC::stringFromCharCodeSlowCase): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230980 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/fromCharCode-exception-check.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/StringConstructor.cpp

index 0ae0894..6629c69 100644 (file)
@@ -1,3 +1,13 @@
+2018-04-24  Keith Miller  <keith_miller@apple.com>
+
+        fromCharCode is missing some exception checks
+        https://bugs.webkit.org/show_bug.cgi?id=184952
+
+        Reviewed by Saam Barati.
+
+        * stress/fromCharCode-exception-check.js: Added.
+        (get catch):
+
 2018-04-24  Mark Lam  <mark.lam@apple.com>
 
         Gardening: test fix after r230863.
diff --git a/JSTests/stress/fromCharCode-exception-check.js b/JSTests/stress/fromCharCode-exception-check.js
new file mode 100644 (file)
index 0000000..328c06e
--- /dev/null
@@ -0,0 +1,8 @@
+// This shouldn't crash.
+
+try {
+    String.fromCharCode(Symbol(), new Proxy({}, { get() { } }));
+} catch (e) {
+    if (!(e instanceof TypeError) || e.message !== "Cannot convert a symbol to a number")
+        throw new Error("bad error type or message" + e);
+}
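Review bot: The test passes vacuously if `String.fromCharCode` returns normally, because the try block has no `throw` after the call and the catch block is the only place anything is checked; a regression that swallowed the Symbol TypeError (or returned a string with the pending exception cleared) would go unnoticed. I would track whether the call threw: `let threw = false;` before the try, `threw = true;` as the first statement of the catch, and `if (!threw) throw new Error("should have thrown");` after the catch. The message on the line that throws also concatenates `e` with no separator, so `"bad error type or message: " + e` reads better in the harness output. Note that the Proxy's `get` trap is never reached here since the Symbol in argument 0 throws first, so this test exercises only the first-argument check, which is presumably the intent.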
index 6001377..60f3b88 100644 (file)
@@ -1,3 +1,17 @@
+2018-04-24  Keith Miller  <keith_miller@apple.com>
+
+        fromCharCode is missing some exception checks
+        https://bugs.webkit.org/show_bug.cgi?id=184952
+
+        Reviewed by Saam Barati.
+
+        I also removed the pointless slow path function and moved it into the
+        main function.
+
+        * runtime/StringConstructor.cpp:
+        (JSC::stringFromCharCode):
+        (JSC::stringFromCharCodeSlowCase): Deleted.
+
 2018-04-24  Filip Pizlo  <fpizlo@apple.com>
 
         MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
index 56bacef..10abc76 100644 (file)
@@ -70,21 +70,27 @@ void StringConstructor::finishCreation(VM& vm, StringPrototype* stringPrototype)
 
 // ------------------------------ Functions --------------------------------
 
-static NEVER_INLINE JSValue stringFromCharCodeSlowCase(ExecState* exec)
+static EncodedJSValue JSC_HOST_CALL stringFromCharCode(ExecState* exec)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     unsigned length = exec->argumentCount();
+    if (LIKELY(length == 1)) {
+        unsigned code = exec->uncheckedArgument(0).toUInt32(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        scope.release();
+        return JSValue::encode(jsSingleCharacterString(exec, code));
+    }
+
     UChar* buf;
     auto impl = StringImpl::createUninitialized(length, buf);
-    for (unsigned i = 0; i < length; ++i)
+    for (unsigned i = 0; i < length; ++i) {
         buf[i] = static_cast<UChar>(exec->uncheckedArgument(i).toUInt32(exec));
-    return jsString(exec, WTFMove(impl));
-}
-
-static EncodedJSValue JSC_HOST_CALL stringFromCharCode(ExecState* exec)
-{
-    if (LIKELY(exec->argumentCount() == 1))
-        return JSValue::encode(jsSingleCharacterString(exec, exec->uncheckedArgument(0).toUInt32(exec)));
-    return JSValue::encode(stringFromCharCodeSlowCase(exec));
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    }
+    scope.release();
+    return JSValue::encode(jsString(exec, WTFMove(impl)));
 }
 
 JSCell* JSC_HOST_CALL stringFromCharCode(ExecState* exec, int32_t arg)
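Review bot: The early return inside the loop leaves `impl` with a partially written, otherwise uninitialized buffer, which is safe only because the `Ref` has not escaped yet and `jsString` is reached only after the loop completes, but nothing in the hunk says why the per-argument check is required or why the discarded buffer is harmless. I would put a why-comment above the loop: `// toUInt32 can run arbitrary JS (valueOf, Proxy traps) and throw; check after every argument. On throw, impl is dropped unpublished, so its uninitialized tail is never read.` The zero-argument case also now goes through `createUninitialized(0, buf)`, which I assume yields the empty string, so a short note there would save the next reader the lookup. `jsString` and `jsSingleCharacterString` are declared outside the hunk, so I am inferring their ownership semantics from the `WTFMove`.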