Title: [242500] trunk/Source/_javascript_Core
Revision
242500
Author
ysuz...@apple.com
Date
2019-03-05 13:20:33 -0800 (Tue, 05 Mar 2019)

Log Message

[JSC] Should check exception for JSString::toExistingAtomicString
https://bugs.webkit.org/show_bug.cgi?id=195337

Reviewed by Keith Miller, Saam Barati, and Mark Lam.

We missed the exception check for JSString::toExistingAtomicString, even though it can resolve
a rope and throw an OOM exception. This patch adds the necessary exception checks. This patch
fixes test failures in debug builds, reported in https://bugs.webkit.org/show_bug.cgi?id=194375#c93.

* dfg/DFGOperations.cpp:
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (242499 => 242500)


--- trunk/Source/_javascript_Core/ChangeLog	2019-03-05 20:37:21 UTC (rev 242499)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-03-05 21:20:33 UTC (rev 242500)
@@ -1,3 +1,22 @@
+2019-03-05  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Should check exception for JSString::toExistingAtomicString
+        https://bugs.webkit.org/show_bug.cgi?id=195337
+
+        Reviewed by Keith Miller, Saam Barati, and Mark Lam.
+
+        We missed the exception check for JSString::toExistingAtomicString while it can resolve
+        a rope and throw an OOM exception. This patch adds necessary exception checks. This patch
+        fixes test failures in debug build, reported in https://bugs.webkit.org/show_bug.cgi?id=194375#c93.
+
+        * dfg/DFGOperations.cpp:
+        * jit/JITOperations.cpp:
+        (JSC::getByVal):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::getByVal):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2019-03-04  Yusuke Suzuki  <ysuz...@apple.com>
 
         Unreviewed, build fix for debug builds after r242397

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (242499 => 242500)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2019-03-05 20:37:21 UTC (rev 242499)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2019-03-05 21:20:33 UTC (rev 242500)
@@ -689,7 +689,9 @@
         } else if (property.isString()) {
             Structure& structure = *base->structure(vm);
             if (JSCell::canUseFastGetOwnProperty(structure)) {
-                if (RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec)) {
+                RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+                if (existingAtomicString) {
                     if (JSValue result = base->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                         return JSValue::encode(result);
                 }
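Review bot: The new RETURN_IF_EXCEPTION on the line after the toExistingAtomicString() call is correct but unexplained, and the same unexplained two-line pattern is repeated in the two later DFGOperations.cpp hunks (+726, +1449) and in the JITOperations.cpp, LLIntSlowPaths.cpp and CommonSlowPaths.cpp hunks. The ordering matters: toExistingAtomicString() can resolve a rope and throw (OOM, per the log message), and presumably it returns a null RefPtr in that case, so testing `existingAtomicString` before checking the scope would silently fall through to the generic lookup with a pending exception. I would add `// toExistingAtomicString() may resolve a rope and throw; check the scope before treating null as "no existing atom".` above the RETURN_IF_EXCEPTION at each site. This assumes `scope` is a ThrowScope declared earlier in the enclosing function, which starts and ends outside the hunk. Since the identical fast-path block now appears at five call sites, a shared inline helper would keep future exception-check fixes to one place.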
@@ -724,7 +726,9 @@
     } else if (property.isString()) {
         Structure& structure = *base->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            if (existingAtomicString) {
                 if (JSValue result = base->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return JSValue::encode(result);
             }
@@ -1445,7 +1449,9 @@
     if (LIKELY(baseValue.isCell() && subscript.isString())) {
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return JSValue::encode(result);
             }

Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (242499 => 242500)


--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2019-03-05 20:37:21 UTC (rev 242499)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2019-03-05 21:20:33 UTC (rev 242500)
@@ -1806,7 +1806,9 @@
     if (LIKELY(baseValue.isCell() && subscript.isString())) {
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, JSValue());
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get())) {
                     ASSERT(exec->bytecodeOffset());
                     if (byValInfo->stubInfo && byValInfo->cachedId.impl() != existingAtomicString)

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (242499 => 242500)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2019-03-05 20:37:21 UTC (rev 242499)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2019-03-05 21:20:33 UTC (rev 242500)
@@ -942,7 +942,9 @@
     if (LIKELY(baseValue.isCell() && subscript.isString())) {
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, JSValue());
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return result;
             }

Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (242499 => 242500)


--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp	2019-03-05 20:37:21 UTC (rev 242499)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp	2019-03-05 21:20:33 UTC (rev 242500)
@@ -1125,7 +1125,9 @@
     if (LIKELY(baseValue.isCell() && subscript.isString())) {
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            CHECK_EXCEPTION();
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     RETURN_PROFILED(result);
             }