Skip to site navigation (Press enter)

[webkit-changes] [286840] trunk

commit-queue Fri, 10 Dec 2021 02:30:59 -0800

Title: [286840] trunk

Revision: 286840
Author: commit-qu...@webkit.org
Date: 2021-12-10 02:30:48 -0800 (Fri, 10 Dec 2021)

Log Message

Handle TerminationException in WebCore::ReadableStream::create()
https://bugs.webkit.org/show_bug.cgi?id=233061


Patch by Frederic Wang <fw...@igalia.com> on 2021-12-10
Reviewed by Darin Adler.

Source/WebCore:

Test: streams/readable-stream-create-after-worker-terminates-crash.html

* bindings/js/ReadableStream.cpp:
(WebCore::ReadableStream::create): Do not try immediately casting the constructor value to an
object, since it is undefined when a termination exception is thrown.

LayoutTests:

Add non-regression test.

* streams/readable-stream-create-after-worker-terminates-crash-expected.txt: Added.
* streams/readable-stream-create-after-worker-terminates-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/bindings/js/ReadableStream.cpp

Added Paths

trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash-expected.txt
trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (286839 => 286840)


--- trunk/LayoutTests/ChangeLog	2021-12-10 10:18:50 UTC (rev 286839)
+++ trunk/LayoutTests/ChangeLog	2021-12-10 10:30:48 UTC (rev 286840)
@@ -1,3 +1,15 @@
+2021-12-10  Frederic Wang  <fw...@igalia.com>
+
+        Handle TerminationException in WebCore::ReadableStream::create()
+        https://bugs.webkit.org/show_bug.cgi?id=233061
+
+        Reviewed by Darin Adler.
+
+        Add non-regression test.
+
+        * streams/readable-stream-create-after-worker-terminates-crash-expected.txt: Added.
+        * streams/readable-stream-create-after-worker-terminates-crash.html: Added.
+
 2021-12-09  Antoine Quint  <grao...@webkit.org>
 
         [Model] Add load and error events to distinguish resource load from model readiness

Added: trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash-expected.txt (0 => 286840)


--- trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash-expected.txt	2021-12-10 10:30:48 UTC (rev 286840)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test PASS if it does not crash.
+

Added: trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash.html (0 => 286840)


--- trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash.html	                        (rev 0)
+++ trunk/LayoutTests/streams/readable-stream-create-after-worker-terminates-crash.html	2021-12-10 10:30:48 UTC (rev 286840)
@@ -0,0 +1,19 @@
+<script>
+  async function foo() {
+    let worker = new Worker('data:,');
+    GCController.collect();
+    if (window.caches)
+      await caches.has('a');
+    new RTCRtpScriptTransform(worker, {});
+    worker.terminate();
+  }
+
+  _onload_ = () => {
+    if (window.testRunner)
+      testRunner.dumpAsText();
+    console.log('This test PASS if it does not crash.')
+    let s0 = document.createElement('script');
+    s0.src = "" (var i = 10; i; i--)(${foo.toString()})();`;
+    document.head.appendChild(s0);
+  };
+</script>

Modified: trunk/Source/WebCore/ChangeLog (286839 => 286840)


--- trunk/Source/WebCore/ChangeLog	2021-12-10 10:18:50 UTC (rev 286839)
+++ trunk/Source/WebCore/ChangeLog	2021-12-10 10:30:48 UTC (rev 286840)
@@ -1,3 +1,16 @@
+2021-12-10  Frederic Wang  <fw...@igalia.com>
+
+        Handle TerminationException in WebCore::ReadableStream::create()
+        https://bugs.webkit.org/show_bug.cgi?id=233061
+
+        Reviewed by Darin Adler.
+
+        Test: streams/readable-stream-create-after-worker-terminates-crash.html
+
+        * bindings/js/ReadableStream.cpp:
+        (WebCore::ReadableStream::create): Do not try immediately casting the constructor value to an
+        object, since it is undefined when a termination exception is thrown.
+
 2021-12-10  Kimmo Kinnunen  <kkinnu...@apple.com>
 
         IOSurface memory attribution is hard to use in constructors

Modified: trunk/Source/WebCore/bindings/js/ReadableStream.cpp (286839 => 286840)


--- trunk/Source/WebCore/bindings/js/ReadableStream.cpp	2021-12-10 10:18:50 UTC (rev 286839)
+++ trunk/Source/WebCore/bindings/js/ReadableStream.cpp	2021-12-10 10:30:48 UTC (rev 286840)
@@ -45,8 +45,9 @@
     auto& clientData = *static_cast<JSVMClientData*>(vm.clientData);
     auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(&lexicalGlobalObject);
 
-    auto* constructor = JSC::asObject(globalObject.get(&lexicalGlobalObject, clientData.builtinNames().ReadableStreamPrivateName()));
+    auto constructorValue = globalObject.get(&lexicalGlobalObject, clientData.builtinNames().ReadableStreamPrivateName());
     RETURN_IF_EXCEPTION(scope, Exception { ExistingExceptionError });
+    auto constructor = JSC::asObject(constructorValue);
 
     auto constructData = getConstructData(vm, constructor);
     ASSERT(constructData.type != CallData::Type::None);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes