ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
authortzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Apr 2019 07:54:18 +0000 (07:54 +0000)
committertzagallo@apple.com <tzagallo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Apr 2019 07:54:18 +0000 (07:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196708
<rdar://problem/49556803>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/proxy-getter-stack-overflow.js: Added.
(const.handler.get target):
(const.handler.has):
(try.with):
(catch):

Source/JavaScriptCore:

`operationPutToScope` needs to return early if an exception is thrown while
checking if `hasProperty`.

* jit/JITOperations.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244069 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/proxy-getter-stack-overflow.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp

index c653cd2..3a7923a 100644 (file)
@@ -1,3 +1,17 @@
+2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
+
+        ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
+        https://bugs.webkit.org/show_bug.cgi?id=196708
+        <rdar://problem/49556803>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/proxy-getter-stack-overflow.js: Added.
+        (const.handler.get target):
+        (const.handler.has):
+        (try.with):
+        (catch):
+
 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] DFG should respect node's strict flag
diff --git a/JSTests/stress/proxy-getter-stack-overflow.js b/JSTests/stress/proxy-getter-stack-overflow.js
new file mode 100644 (file)
index 0000000..631f870
--- /dev/null
@@ -0,0 +1,24 @@
+//@ if $jitTests then runDefault("--useLLInt=0") else skip end
+
+const o = {};
+const handler = {
+  get(target, prop, receiver) {
+      o.__proto__ = receiver;
+  },
+  has(target, prop) {
+      o.__proto__ = undefined;
+      return 1;
+  }
+};
+
+const p = new Proxy({}, handler);
+handler.__proto__ = p;
+try {
+    with (p) {
+        a = 0
+    }
+    throw new Error("Should throw RangeError");
+} catch (error) {
+    if (error.message !== "Maximum call stack size exceeded.")
+        throw new Error("Expected stack overflow, but got: " + error);
+}
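Review bot: the catch block at the end of the test only compares `error.message` against the string "Maximum call stack size exceeded.", while the `throw new Error("Should throw RangeError")` line says the expectation is a RangeError. Consider also asserting `error instanceof RangeError` so a non-RangeError that happens to carry the same message text does not pass, and so the failure message is accurate. Minor nit on the same hunk: `has` returns `1` rather than `true`; a boolean reads clearer if the numeric return is not intentional.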
index b66e484..3f18858 100644 (file)
@@ -1,3 +1,16 @@
+2019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
+
+        ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get
+        https://bugs.webkit.org/show_bug.cgi?id=196708
+        <rdar://problem/49556803>
+
+        Reviewed by Yusuke Suzuki.
+
+        `operationPutToScope` needs to return early if an exception is thrown while
+        checking if `hasProperty`.
+
+        * jit/JITOperations.cpp:
+
 2019-04-08  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] DFG should respect node's strict flag
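Review bot: the ChangeLog entry lists `* jit/JITOperations.cpp:` without the function that changed, whereas the JSTests entry lists each affected function. Add `(operationPutToScope):` under the file line to match the convention used in the rest of the entry.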
index b8ec4cd..1f0a2ed 100644 (file)
@@ -2372,7 +2372,7 @@ void JIT_OPERATION operationPutToScope(ExecState* exec, const Instruction* pc)
     }
 
     bool hasProperty = scope->hasProperty(exec, ident);
-    EXCEPTION_ASSERT(!throwScope.exception() || !hasProperty);
+    RETURN_IF_EXCEPTION(throwScope, void());
     if (hasProperty
         && scope->isGlobalLexicalEnvironment()
         && !isInitialization(getPutInfo.initializationMode())) {
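Review bot: the early return correctly replaces the `EXCEPTION_ASSERT(!throwScope.exception() || !hasProperty)` that fired, since a Proxy `has` trap can leave an exception pending while still producing `hasProperty == true`, and the `if (hasProperty && scope->isGlobalLexicalEnvironment() ...)` branch that follows must not run with that stale value. Two things to confirm before landing: that nothing between the `scope->hasProperty(exec, ident)` call and the old assertion depended on the assertion as documentation of the invariant (a one-line comment explaining why the return is needed would help the next reader), and, given the test is gated with `--useLLInt=0`, whether the equivalent `hasProperty` check on the LLInt slow path needs the same `RETURN_IF_EXCEPTION` so the fix is not JIT-only.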