eval() is wrong about the LiteralParser never throwing any exceptions.
author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 27 Jun 2018 03:10:18 +0000 (03:10 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 27 Jun 2018 03:10:18 +0000 (03:10 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187074
<rdar://problem/41461099>

Reviewed by Saam Barati.

JSTests:

* stress/regress-187074.js: Added.

Source/JavaScriptCore:

Added the missing exception check, and removed an erroneous assertion.

* interpreter/Interpreter.cpp:
(JSC::eval):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233242 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-187074.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/interpreter/Interpreter.cpp

index 40a4f72..e4adc35 100644 (file)
@@ -1,5 +1,15 @@
 2018-06-26  Mark Lam  <mark.lam@apple.com>
 
+        eval() is wrong about the LiteralParser never throwing any exceptions.
+        https://bugs.webkit.org/show_bug.cgi?id=187074
+        <rdar://problem/41461099>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-187074.js: Added.
+
+2018-06-26  Mark Lam  <mark.lam@apple.com>
+
         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
         https://bugs.webkit.org/show_bug.cgi?id=187060
         <rdar://problem/41452767>
diff --git a/JSTests/stress/regress-187074.js b/JSTests/stress/regress-187074.js
new file mode 100644 (file)
index 0000000..78763e1
--- /dev/null
@@ -0,0 +1,20 @@
+// This test should not crash.
+var done = false;
+
+function runNearStackLimit(f) {
+    function t() {
+        try {
+            return t();
+        } catch (e) {
+            if (!done)
+                return f();
+        }
+    }
+    return t()
+}
+
+runNearStackLimit(() => {
+    done = true;
+    eval("({ __proto__ : [], __proto__: {} })")
+});
+
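Review bot: the header comment in regress-187074.js says only that the test should not crash; the failure it reproduces is specific to eval()'s LiteralParser fast path being entered while the stack is almost exhausted (which is why runNearStackLimit recurses until the stack-overflow exception is caught and only then calls f), so it would help a future reader to spell that out, e.g. `// This test should not crash: eval() must handle an exception thrown by the LiteralParser when run near the stack limit.` Note that whatever eval() throws inside f() is swallowed by the enclosing t()'s catch once `done` is true, so the test passes purely by not crashing, which is the intent. Minor style nits: `return t()` lacks the trailing semicolon the rest of the file uses, and the single-statement `if (!done)` body is unbraced.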
index 9e997cf..e97438d 100644 (file)
@@ -1,3 +1,16 @@
+2018-06-26  Mark Lam  <mark.lam@apple.com>
+
+        eval() is wrong about the LiteralParser never throwing any exceptions.
+        https://bugs.webkit.org/show_bug.cgi?id=187074
+        <rdar://problem/41461099>
+
+        Reviewed by Saam Barati.
+
+        Added the missing exception check, and removed an erroneous assertion.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::eval):
+
 2018-06-26  Saam Barati  <sbarati@apple.com>
 
         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
index 4614c40..1362569 100644 (file)
@@ -154,11 +154,9 @@ JSValue eval(CallFrame* callFrame)
                     return parsedObject;
                 }
             }
+            RETURN_IF_EXCEPTION(scope, JSValue());
         }
         
-        // If the literal parser bailed, it should not have thrown exceptions.
-        scope.assertNoException();
-
         VariableEnvironment variablesUnderTDZ;
         JSScope::collectClosureVariablesUnderTDZ(callerScopeChain, variablesUnderTDZ);
         eval = DirectEvalExecutable::create(callFrame, makeSource(programSource, callerCodeBlock->source()->sourceOrigin()), callerCodeBlock->isStrictMode(), derivedContextType, isArrowFunctionContext, evalContextType, &variablesUnderTDZ);
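Review bot: placing RETURN_IF_EXCEPTION(scope, JSValue()) after the inner `}` but before the outer `}` is correct (it runs only when tryLiteralParse returned no value, and before the slow path builds a DirectEvalExecutable), but the deleted comment "If the literal parser bailed, it should not have thrown exceptions" is not replaced by anything stating the new invariant, so someone could reinstate the assertion later. Suggest a one-line comment above the check, e.g. `// The literal parser can throw (the regression test triggers this near the stack limit); bail before falling back to a full parse.` Since an exception left pending past this point was previously asserted impossible, the callers of eval() and the remainder of this function should be checked once for any other spot that assumed a clean scope here.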