Title: [263292] trunk/Source/JavaScriptCore
- Revision: 263292
- Author: mark....@apple.com
- Date: 2020-06-19 15:40:26 -0700 (Fri, 19 Jun 2020)
Log Message
toString of String doesn't check integrity of structureID in one path.
https://bugs.webkit.org/show_bug.cgi?id=213338
Reviewed by Saam Barati.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncToString):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (263291 => 263292)
--- trunk/Source/_javascript_Core/ChangeLog 2020-06-19 22:22:19 UTC (rev 263291)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-06-19 22:40:26 UTC (rev 263292)
@@ -1,3 +1,13 @@
+2020-06-19 Mark Lam <mark....@apple.com>
+
+ toString of String doesn't check integrity of structureID in one path.
+ https://bugs.webkit.org/show_bug.cgi?id=213338
+
+ Reviewed by Saam Barati.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncToString):
+
2020-06-19 Saam Barati <sbar...@apple.com>
Have a memory monitor thread in jsc shell when running tests using --memory-limited
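Review bot: The new ChangeLog entry lists only the touched function `(JSC::stringProtoFuncToString)` and gives no one-line rationale, so a reader of the log cannot tell why the primitive-string early return needed an `Integrity::auditStructureID` call or whether any regression test accompanies the change. WebKit ChangeLog entries normally carry a short explanation under the function name; one sentence such as "Audit the structureID on the fast path where thisValue is already a JSString, matching the other paths" would make the entry self-explanatory.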
Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (263291 => 263292)
--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2020-06-19 22:22:19 UTC (rev 263291)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp 2020-06-19 22:40:26 UTC (rev 263292)
@@ -958,8 +958,10 @@
JSValue thisValue = callFrame->thisValue();
// Also used for valueOf.
- if (thisValue.isString())
+ if (thisValue.isString()) {
+ Integrity::auditStructureID(vm, thisValue.asCell()->structureID());
return JSValue::encode(thisValue);
+ }
auto* stringObject = jsDynamicCast<StringObject*>(vm, thisValue);
if (!stringObject)
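Review bot: The added `Integrity::auditStructureID(vm, thisValue.asCell()->structureID());` covers only the `thisValue.isString()` branch; the StringObject branch that follows (`auto* stringObject = jsDynamicCast<StringObject*>(vm, thisValue);`) gets no equivalent audit in this hunk, so if that path is intended to rely on the cast's own checks it would be worth a brief comment here, and if it is not, the audit should be applied there too in the same change. The brace addition around the now two-line `if` body is correct and matches the project's style for multi-statement blocks.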
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes