Modified: branches/safari-612-branch/JSTests/ChangeLog (287624 => 287625)
--- branches/safari-612-branch/JSTests/ChangeLog 2022-01-05 18:20:53 UTC (rev 287624)
+++ branches/safari-612-branch/JSTests/ChangeLog 2022-01-05 18:20:56 UTC (rev 287625)
@@ -1,5 +1,40 @@
2022-01-05 Russell Epstein <repst...@apple.com>
+ Cherry-pick r286275. rdar://problem/87125258
+
+ [JSC] slice should be aware of TerminationException
+ https://bugs.webkit.org/show_bug.cgi?id=233593
+ rdar://85823844
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/slice-termination-exception.js: Added.
+ (async infiniteLoop):
+
+ Source/_javascript_Core:
+
+ Since termination exception can happen at any time, assertNoException is wrong.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286275 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-29 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] slice should be aware of TerminationException
+ https://bugs.webkit.org/show_bug.cgi?id=233593
+ rdar://85823844
+
+ Reviewed by Mark Lam.
+
+ * stress/slice-termination-exception.js: Added.
+ (async infiniteLoop):
+
+2022-01-05 Russell Epstein <repst...@apple.com>
+
Cherry-pick r286249. rdar://problem/87124979
[JSC] private name operation should use RETURN_IF_EXCEPTION
Added: branches/safari-612-branch/JSTests/stress/slice-termination-exception.js (0 => 287625)
--- branches/safari-612-branch/JSTests/stress/slice-termination-exception.js (rev 0)
+++ branches/safari-612-branch/JSTests/stress/slice-termination-exception.js 2022-01-05 18:20:56 UTC (rev 287625)
@@ -0,0 +1,9 @@
+//@ runDefault("--watchdog=100", "--watchdog-exception-ok")
+async function infiniteLoop() {
+ await undefined;
+ while (1) ;
+}
+
+infiniteLoop();
+drainMicrotasks();
+[].slice();
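Review bot: Nothing in the new test says what it guards, and the sequence of an endless async loop, `drainMicrotasks()` and an empty `[].slice()` is not self-explanatory. A header comment such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=233593: slice must not assert when a termination exception is pending.` would keep the intent with the file. It is also worth stating next to the `//@ runDefault` line that the test depends on `--watchdog=100` firing, since `while (1) ;` never ends on its own.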
Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (287624 => 287625)
--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2022-01-05 18:20:53 UTC (rev 287624)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2022-01-05 18:20:56 UTC (rev 287625)
@@ -1,5 +1,42 @@
2022-01-05 Russell Epstein <repst...@apple.com>
+ Cherry-pick r286275. rdar://problem/87125258
+
+ [JSC] slice should be aware of TerminationException
+ https://bugs.webkit.org/show_bug.cgi?id=233593
+ rdar://85823844
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/slice-termination-exception.js: Added.
+ (async infiniteLoop):
+
+ Source/_javascript_Core:
+
+ Since termination exception can happen at any time, assertNoException is wrong.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286275 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-29 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] slice should be aware of TerminationException
+ https://bugs.webkit.org/show_bug.cgi?id=233593
+ rdar://85823844
+
+ Reviewed by Mark Lam.
+
+ Since termination exception can happen at any time, assertNoException is wrong.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+
+2022-01-05 Russell Epstein <repst...@apple.com>
+
Cherry-pick r286249. rdar://problem/87124979
[JSC] private name operation should use RETURN_IF_EXCEPTION
Modified: branches/safari-612-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (287624 => 287625)
--- branches/safari-612-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2022-01-05 18:20:53 UTC (rev 287624)
+++ branches/safari-612-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2022-01-05 18:20:56 UTC (rev 287625)
@@ -209,51 +209,49 @@
VM& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
- auto exceptionResult = [] () {
- return std::make_pair(SpeciesConstructResult::Exception, nullptr);
- };
+ constexpr std::pair<SpeciesConstructResult, JSObject*> exceptionResult { SpeciesConstructResult::Exception, nullptr };
// ECMA 9.4.2.3: https://tc39.github.io/ecma262/#sec-arrayspeciescreate
JSValue constructor = jsUndefined();
bool thisIsArray = isArray(globalObject, thisObject);
- RETURN_IF_EXCEPTION(scope, exceptionResult());
+ RETURN_IF_EXCEPTION(scope, exceptionResult);
if (LIKELY(thisIsArray)) {
// Fast path in the normal case where the user has not set an own constructor and the Array.prototype.constructor is normal.
// We need prototype check for subclasses of Array, which are Array objects but have a different prototype by default.
bool isValid = speciesWatchpointIsValid(vm, thisObject);
- scope.assertNoException();
+ RETURN_IF_EXCEPTION(scope, exceptionResult);
if (LIKELY(isValid))
- return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+ return std::pair { SpeciesConstructResult::FastPath, nullptr };
constructor = thisObject->get(globalObject, vm.propertyNames->constructor);
- RETURN_IF_EXCEPTION(scope, exceptionResult());
+ RETURN_IF_EXCEPTION(scope, exceptionResult);
if (constructor.isConstructor(vm)) {
JSObject* constructorObject = jsCast<JSObject*>(constructor);
bool isArrayConstructorFromAnotherRealm = globalObject != constructorObject->globalObject(vm)
&& constructorObject->inherits<ArrayConstructor>(vm);
if (isArrayConstructorFromAnotherRealm)
- return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+ return std::pair { SpeciesConstructResult::FastPath, nullptr };
}
if (constructor.isObject()) {
constructor = constructor.get(globalObject, vm.propertyNames->speciesSymbol);
- RETURN_IF_EXCEPTION(scope, exceptionResult());
+ RETURN_IF_EXCEPTION(scope, exceptionResult);
if (constructor.isNull())
- return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+ return std::pair { SpeciesConstructResult::FastPath, nullptr };
}
} else {
// If isArray is false, return ? ArrayCreate(length).
- return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+ return std::pair { SpeciesConstructResult::FastPath, nullptr };
}
if (constructor.isUndefined())
- return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
+ return std::pair { SpeciesConstructResult::FastPath, nullptr };
MarkedArgumentBuffer args;
args.append(jsNumber(length));
ASSERT(!args.hasOverflowed());
JSObject* newObject = construct(globalObject, constructor, args, "Species construction did not get a valid constructor");
- RETURN_IF_EXCEPTION(scope, exceptionResult());
- return std::make_pair(SpeciesConstructResult::CreatedObject, newObject);
+ RETURN_IF_EXCEPTION(scope, exceptionResult);
+ return std::pair { SpeciesConstructResult::CreatedObject, newObject };
}
JSC_DEFINE_HOST_FUNCTION(arrayProtoFuncSpeciesCreate, (JSGlobalObject* globalObject, CallFrame* callFrame))
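Review bot: The new `RETURN_IF_EXCEPTION(scope, exceptionResult);` after `speciesWatchpointIsValid(vm, thisObject)` has no comment saying why a real check is needed there, so a later cleanup could turn it back into `scope.assertNoException()`. I would add `// A termination exception can be pending at any point, so this must be a real check, not an assertion.` above it, and the same above `RETURN_IF_EXCEPTION(scope, { });` in the `@@ -1563,7 +1561,7 @@` hunk. Separately, `std::pair { SpeciesConstructResult::FastPath, nullptr }` deduces `std::pair<SpeciesConstructResult, std::nullptr_t>`, while `exceptionResult` is spelled `std::pair<SpeciesConstructResult, JSObject*>`. The function's signature is outside the hunk, so the return sites presumably convert through the declared return type, but a shared `constexpr std::pair<SpeciesConstructResult, JSObject*> fastPathResult { SpeciesConstructResult::FastPath, nullptr };` would keep them uniform. Only these two `assertNoException()` sites are visible here; any others in the file that follow a call may need the same change.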
@@ -1563,7 +1561,7 @@
// We need to check the species constructor here since checking it in the JS wrapper is too expensive for the non-optimizing tiers.
bool isValid = speciesWatchpointIsValid(vm, firstArray);
- scope.assertNoException();
+ RETURN_IF_EXCEPTION(scope, { });
if (UNLIKELY(!isValid))
return JSValue::encode(jsNull());