Function object should convert params to string before throw a parsing error
authoryusukesuzuki@slowstart.org <yusukesuzuki@slowstart.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 1 Sep 2018 08:03:43 +0000 (08:03 +0000)
committeryusukesuzuki@slowstart.org <yusukesuzuki@slowstart.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 1 Sep 2018 08:03:43 +0000 (08:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=188874

Reviewed by Darin Adler.

JSTests:

* stress/function-body-to-string-before-parameter-syntax-check.js: Added.
(shouldThrow):

Source/JavaScriptCore:

The ToString operation on the `body` argument of the Function constructor should be
performed before checking the syntax of the parameters.

* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235582 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/function-body-to-string-before-parameter-syntax-check.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/FunctionConstructor.cpp

index 613d700..55e27c8 100644 (file)
@@ -1,3 +1,13 @@
+2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        Function object should convert params to string before throw a parsing error
+        https://bugs.webkit.org/show_bug.cgi?id=188874
+
+        Reviewed by Darin Adler.
+
+        * stress/function-body-to-string-before-parameter-syntax-check.js: Added.
+        (shouldThrow):
+
 2018-08-31  Mark Lam  <mark.lam@apple.com>
 
         Fix exception check accounting in constructJSWebAssemblyCompileError().
diff --git a/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js b/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js
new file mode 100644 (file)
index 0000000..7203b3c
--- /dev/null
@@ -0,0 +1,60 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function shouldThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (!errorThrown)
+        throw new Error('not thrown');
+    if (String(error) !== errorMessage)
+        throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldThrow(() => {
+    Function("@", { toString() { throw 42; } })
+}, `42`);
+
+var counter = 0;
+class Parameter {
+    constructor(index)
+    {
+        this.index = index;
+    }
+
+    toString() {
+        shouldBe(this.index, counter);
+        counter++;
+        return `x${this.index}`;
+    }
+};
+
+class Body {
+    constructor(index)
+    {
+        this.index = index;
+    }
+
+    toString() {
+        shouldBe(this.index, counter);
+        counter++;
+        return `42`;
+    }
+};
+
+var parameters = [];
+for (var i = 0; i < 50; ++i) {
+    parameters.push(new Parameter(parameters.length));
+    var args = parameters.slice();
+    args.push(new Body(args.length));
+    counter = 0;
+    Function.apply(this, args);
+    shouldBe(counter, args.length);
+}
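Review bot: The throwing case at `Function("@", { toString() { throw 42; } })` shows that the body is converted before the parameter check, but no case asserts that the invalid parameter list still fails once the body converts cleanly. Because the check now runs after a user-controlled conversion and this constructor compiles caller-supplied text, a regression that skipped it would go unnoticed by this file. I would add a case such as `Function("@", { toString() { return ""; } })` and assert that the caught error is an `instanceof SyntaxError`. `shouldThrow` compares the stringified message, so that case needs either the engine's exact message or a small type-checking variant of the helper.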
index 4d5e2e3..18d19d6 100644 (file)
@@ -1,3 +1,16 @@
+2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        Function object should convert params to string before throw a parsing error
+        https://bugs.webkit.org/show_bug.cgi?id=188874
+
+        Reviewed by Darin Adler.
+
+        ToString operation onto the `body` of the Function constructor should be performed
+        before checking syntax correctness of the parameters.
+
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+
 2018-08-31  Mark Lam  <mark.lam@apple.com>
 
         Fix exception check accounting in constructJSWebAssemblyCompileError().
index 6035dca..fc30fcf 100644 (file)
@@ -139,6 +139,8 @@ JSObject* constructFunctionSkippingEvalEnabledCheck(
             RETURN_IF_EXCEPTION(scope, nullptr);
             parameterBuilder.append(viewWithString.view);
         }
+        auto body = args.at(args.size() - 1).toWTFString(exec);
+        RETURN_IF_EXCEPTION(scope, nullptr);
 
         {
             // The spec mandates that the parameters parse as a valid parameter list
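Review bot: Nothing at the hoisted `auto body = args.at(args.size() - 1).toWTFString(exec);` says why it has to sit between the parameter loop and the syntax-check block, so a later tidy-up could move it back next to `checkBody(body)` and silently restore the old ordering. The conversion can run script through a user-supplied `toString`, which makes its position observable; I would add `// ToString(body) can run script, so do it after every parameter conversion and before the parameter list is parsed.` above it. The index `args.size() - 1` depends on `args` being non-empty, which is presumably guaranteed by a branch outside this hunk. The function and the block opened after the added lines both continue outside the visible lines.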
@@ -155,8 +157,6 @@ JSObject* constructFunctionSkippingEvalEnabledCheck(
 
         builder.append(parameterBuilder);
         builder.appendLiteral(") {\n");
-        auto body = args.at(args.size() - 1).toWTFString(exec);
-        RETURN_IF_EXCEPTION(scope, nullptr);
         checkBody(body);
         RETURN_IF_EXCEPTION(scope, nullptr);
         builder.append(body);