We should clear m_needsOverflowCheck when hitting an exception in defineProperties...
authorrmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 10 Apr 2019 18:05:00 +0000 (18:05 +0000)
committerrmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 10 Apr 2019 18:05:00 +0000 (18:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196746

JSTests:

Reviewed by Yusuke Suzuki.

* stress/cyclic-define-properties.js: Added.
(foo):

Source/JavaScriptCore:

Reviewed by Yusuke Suzuki.

It should be safe, as in that case we are not completing the operation and so cannot have any buffer overflow.

* runtime/ObjectConstructor.cpp:
(JSC::defineProperties):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244136 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/cyclic-define-properties.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ObjectConstructor.cpp

index e2fa36d..c6369c1 100644 (file)
@@ -1,3 +1,13 @@
+2019-04-10  Robin Morisset  <rmorisset@apple.com>
+
+        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=196746
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/cyclic-define-properties.js: Added.
+        (foo):
+
 2019-04-09  Saam barati  <sbarati@apple.com>
 
         Clean up Int52 code and some bugs in it
diff --git a/JSTests/stress/cyclic-define-properties.js b/JSTests/stress/cyclic-define-properties.js
new file mode 100644 (file)
index 0000000..5960f70
--- /dev/null
@@ -0,0 +1,17 @@
+const x = Object.getOwnPropertyDescriptors(new Uint8Array(10));
+Object.defineProperty(x, 9, {get: foo});
+
+function foo() {
+  Object.create(()=>{}, x);
+}
+
+var hadRangeError = false;
+try {
+    foo();
+} catch (e) {
+    if (e.name != "RangeError")
+        throw "Wrong exception";
+    hadRangeError = true;
+}
+if (!hadRangeError)
+    throw "Should have raised an exception";
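Review bot: The test carries no comment saying what it regresses, so a reader cannot tell why a RangeError is the expected outcome rather than a bug in the test itself; add a header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=196746: the getter installed on index 9 re-enters defineProperties via Object.create until the engine throws (presumably a stack-overflow RangeError), exercising the exception path that must clear the mark buffer's overflow check.` The check `e.name != "RangeError"` on the catch path would read more conventionally as `e instanceof RangeError` (or at least `!==`), but that is style only.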
index c9e5ebf..57be800 100644 (file)
@@ -1,3 +1,15 @@
+2019-04-10  Robin Morisset  <rmorisset@apple.com>
+
+        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=196746
+
+        Reviewed by Yusuke Suzuki..
+
+        It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::defineProperties):
+
 2019-04-10  Antoine Quint  <graouts@apple.com>
 
         Enable Pointer Events on watchOS
index 3339966..aa6ff22 100644 (file)
@@ -606,16 +606,18 @@ static JSValue defineProperties(ExecState* exec, JSObject* object, JSObject* pro
     size_t numProperties = propertyNames.size();
     Vector<PropertyDescriptor> descriptors;
     MarkedArgumentBuffer markBuffer;
+#define RETURN_IF_EXCEPTION_CLEARING_OVERFLOW(value) do { \
+    if (scope.exception()) { \
+        markBuffer.overflowCheckNotNeeded(); \
+        return value; \
+    } \
+} while (false)
     for (size_t i = 0; i < numProperties; i++) {
         JSValue prop = properties->get(exec, propertyNames[i]);
-        RETURN_IF_EXCEPTION(scope, { });
+        RETURN_IF_EXCEPTION_CLEARING_OVERFLOW({ });
         PropertyDescriptor descriptor;
-        bool success = toPropertyDescriptor(exec, prop, descriptor);
-        EXCEPTION_ASSERT(!scope.exception() || !success);
-        if (UNLIKELY(!success)) {
-            markBuffer.overflowCheckNotNeeded();
-            return jsNull();
-        }
+        toPropertyDescriptor(exec, prop, descriptor);
+        RETURN_IF_EXCEPTION_CLEARING_OVERFLOW({ });
         descriptors.append(descriptor);
         // Ensure we mark all the values that we're accumulating
         if (descriptor.isDataDescriptor() && descriptor.value())
@@ -628,6 +630,7 @@ static JSValue defineProperties(ExecState* exec, JSObject* object, JSObject* pro
         }
     }
     RELEASE_ASSERT(!markBuffer.hasOverflowed());
+#undef RETURN_IF_EXCEPTION_CLEARING_OVERFLOW
     for (size_t i = 0; i < numProperties; i++) {
         auto& propertyName = propertyNames[i];
         ASSERT(!propertyName.isPrivateName());
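Review bot: The replacement of the `success` check by an exception-only check (the two added lines after `PropertyDescriptor descriptor;` in the first hunk) means a false return from `toPropertyDescriptor` without a pending exception would now fall through to `descriptors.append(descriptor)` with a descriptor that failed conversion; the removed `EXCEPTION_ASSERT(!scope.exception() || !success)` only established the opposite direction. Unless `toPropertyDescriptor` is known to throw on every failure (not visible here), keep the result and pin the invariant the new code depends on: `bool success = toPropertyDescriptor(exec, prop, descriptor);` / `RETURN_IF_EXCEPTION_CLEARING_OVERFLOW({ });` / `RELEASE_ASSERT(success);`. The failure value also changes from `jsNull()` to `{ }`, which is only observable to a caller that reads the result while an exception is pending, but it deserves a line in the ChangeLog. The macro implicitly captures `scope` and `markBuffer`; a one-line comment above its definition, e.g. `// Safe to skip the overflow check on exception: the accumulated descriptors are never consumed.`, would record why clearing it is allowed. defineProperties starts before the first hunk and continues past the second.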