Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fd52332f106c9ee6dafc2efbd2a770608a0c6b61
https://github.com/WebKit/WebKit/commit/fd52332f106c9ee6dafc2efbd2a770608a0c6b61
Author: Chris Dumez <[email protected]>
Date: 2026-06-14 (Sun, 14 Jun 2026)
Changed paths:
A LayoutTests/fast/dom/default-toJSON-custom-getter-exception-check-expected.txt
A LayoutTests/fast/dom/default-toJSON-custom-getter-exception-check.html
M Source/WebCore/CMakeLists.txt
M Source/WebCore/WebCore.xcodeproj/project.pbxproj
A Source/WebCore/bindings/js/JSMallocStatisticsCustom.cpp
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
M Source/WebCore/bindings/scripts/test/DOMWindowConstructors.idl
M Source/WebCore/bindings/scripts/test/JS/JSDOMWindow.cpp
M Source/WebCore/bindings/scripts/test/JS/JSDOMWindowConstructorAttributes.cpp
A Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONCustomGetter.cpp
A Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONCustomGetter.h
M Source/WebCore/bindings/scripts/test/SupplementalDependencies.dep
A Source/WebCore/bindings/scripts/test/TestDefaultToJSONCustomGetter.idl
M Source/WebCore/testing/MallocStatistics.idl
Log Message:
-----------
Default toJSON() is missing an exception check after a custom getter
https://bugs.webkit.org/show_bug.cgi?id=316967
Reviewed by Darin Adler.
When an interface has a [Default] object toJSON() and a [Custom]/[CustomGetter]
attribute of a JSON type, GenerateDefaultToJSONOperationDefinition emitted the
custom getter call without a following RETURN_IF_EXCEPTION before putDirect().
$mayThrowException was only set on the non-custom getter path, so for a custom
getter the generated toJSON() would, if the getter threw, call
result->putDirect() with an empty JSValue -- tripping ASSERT(value) in
JSObject::validatePutOwnDataProperty() in debug builds -- and then run the next
attribute getter with a pending exception before finally bailing.
Fix this by setting $mayThrowException = 1 in the custom getter branch, so the
generated code checks for an exception after invoking the custom getter, just
like the non-custom path.
PaymentResponse is the only shipping interface affected: it has [Default]
toJSON() and a [CustomGetter] object details attribute. In practice it cannot
be made to throw from script, so the bug is latent there and there is no
PaymentResponse-specific test: details is not deserialized from a
SerializedScriptValue but built by ApplePayPaymentHandler::didAuthorizePayment()
via toJSDictionary(applePayPayment), and that dictionary conversion never throws
(its only non-string member, the JSON-typed paymentData, is converted with
JSC::JSONParse, which returns an empty value rather than throwing on bad input).
All other interfaces with [Default] toJSON() have no custom getters.
To exercise the fix at runtime, MallocStatistics (a test-only interface reachable
via internals.mallocStatistics()) gains a [Default] toJSON() and a [CustomGetter]
attribute whose getter always throws; calling toJSON() crashed debug builds
before this fix. A binding generator test is also added.
Test: fast/dom/default-toJSON-custom-getter-exception-check.html
* LayoutTests/fast/dom/default-toJSON-custom-getter-exception-check-expected.txt: Added.
* LayoutTests/fast/dom/default-toJSON-custom-getter-exception-check.html: Added.
* Source/WebCore/Sources.txt:
* Source/WebCore/bindings/js/JSMallocStatisticsCustom.cpp: Added.
(WebCore::JSMallocStatistics::throwingValueForToJSON const):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GenerateDefaultToJSONOperationDefinition):
* Source/WebCore/bindings/scripts/test/DOMWindowConstructors.idl:
* Source/WebCore/bindings/scripts/test/JS/JSDOMWindow.cpp:
(WebCore::JSDOMWindowDOMConstructor::prototypeForStructure):
(WebCore::jsDOMWindow_TestDefaultToJSONCustomGetterConstructorGetter):
(WebCore::JSC_DEFINE_CUSTOM_GETTER):
* Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONCustomGetter.cpp: Added.
(WebCore::JSTestDefaultToJSONCustomGetterDOMConstructor::prototypeForStructure):
(WebCore::JSTestDefaultToJSONCustomGetterDOMConstructor::initializeProperties):
(WebCore::JSTestDefaultToJSONCustomGetterPrototype::createStructure):
(WebCore::JSTestDefaultToJSONCustomGetterPrototype::finishCreation):
(WebCore::JSTestDefaultToJSONCustomGetter::JSTestDefaultToJSONCustomGetter):
(WebCore::JSTestDefaultToJSONCustomGetter::create):
(WebCore::JSTestDefaultToJSONCustomGetter::createStructure):
(WebCore::JSTestDefaultToJSONCustomGetter::createPrototype):
(WebCore::JSTestDefaultToJSONCustomGetter::prototype):
(WebCore::JSTestDefaultToJSONCustomGetter::getConstructor):
(WebCore::JSTestDefaultToJSONCustomGetter::destroy):
(WebCore::JSC_DEFINE_CUSTOM_GETTER):
(WebCore::jsTestDefaultToJSONCustomGetter_firstStringAttributeGetter):
(WebCore::setJSTestDefaultToJSONCustomGetter_firstStringAttributeSetter):
(WebCore::JSC_DEFINE_CUSTOM_SETTER):
(WebCore::jsTestDefaultToJSONCustomGetter_customGetterAttributeGetter):
(WebCore::jsTestDefaultToJSONCustomGetter_secondLongAttributeGetter):
(WebCore::setJSTestDefaultToJSONCustomGetter_secondLongAttributeSetter):
(WebCore::jsTestDefaultToJSONCustomGetterPrototypeFunction_toJSONBody):
(WebCore::JSC_DEFINE_HOST_FUNCTION):
(WebCore::JSTestDefaultToJSONCustomGetter::subspaceForImpl):
(WebCore::JSTestDefaultToJSONCustomGetter::analyzeHeap):
(WebCore::JSTestDefaultToJSONCustomGetterOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestDefaultToJSONCustomGetterOwner::finalize):
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
(WebCore::toJS):
(WebCore::JSTestDefaultToJSONCustomGetter::toWrapped):
* Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONCustomGetter.h: Added.
(WebCore::JSTestDefaultToJSONCustomGetter::subspaceFor):
(WebCore::wrapperOwner):
(WebCore::wrapperKey):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/SupplementalDependencies.dep:
* Source/WebCore/bindings/scripts/test/TestDefaultToJSONCustomGetter.idl: Added.
* Source/WebCore/testing/MallocStatistics.idl:
Canonical link: https://commits.webkit.org/315195@main
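The control-flow defect the commit describes, as an added stand-alone model (not WebKit code and not the output of CodeGeneratorJS.pm): a simplified JSValue, ThrowScope, RETURN_IF_EXCEPTION and putDirect stand in for the JSC types of the same name, and the three attribute getters (one plain, one [CustomGetter] that always throws, one plain) are constructed to mirror the test interface. Running the generated-style toJSON() with and without the exception check after the custom getter shows the two symptoms from the log message: putDirect() receiving an empty value, and the next getter running while an exception is already pending.

```cpp
// Added example, not WebKit code: a small model of the code a [Default] toJSON()
// generator emits, showing why an exception check must follow a custom getter.
// All types below are simplified stand-ins for their JSC namesakes; the
// attribute names and getter bodies are constructed for illustration.
#include <cassert>
#include <map>
#include <optional>
#include <string>

namespace model {

// A JSValue is "empty" when a getter bailed out without producing a value.
struct JSValue {
    std::optional<std::string> payload;
    bool isEmpty() const { return !payload.has_value(); }
};

// Stands in for JSC::ThrowScope together with the VM's pending-exception slot.
struct ThrowScope {
    std::optional<std::string> pendingException;
    bool exception() const { return pendingException.has_value(); }
    JSValue throwException(std::string message) {
        pendingException = std::move(message);
        return {}; // a throwing getter hands back the empty JSValue
    }
};

// Same shape as JSC's macro: bail out as soon as an exception is pending.
#define RETURN_IF_EXCEPTION(scope, value) do { if ((scope).exception()) return value; } while (0)

// What the model records about one toJSON() run.
struct RunReport {
    bool putDirectSawEmptyValue = false; // the ASSERT(value) that fires in debug builds
    int gettersRunAfterException = 0;    // getters invoked with an exception already pending
    bool exceptionPropagated = false;    // toJSON() returned with the exception still set
};

// Stand-in for the result JSObject; records instead of asserting so tests can inspect it.
struct ResultObject {
    std::map<std::string, JSValue> properties;
    RunReport& report;
    void putDirect(const std::string& name, JSValue value) {
        if (value.isEmpty())
            report.putDirectSawEmptyValue = true; // JSObject::validatePutOwnDataProperty() would assert here
        properties[name] = std::move(value);
    }
};

// Attribute getters in IDL declaration order (constructed names).
JSValue firstStringAttributeGetter(ThrowScope& scope, RunReport& report) {
    if (scope.exception()) report.gettersRunAfterException++;
    return { "first" };
}
// The [CustomGetter] attribute: its getter always throws, like throwingValueForToJSON.
JSValue customGetterAttributeGetter(ThrowScope& scope, RunReport& report) {
    if (scope.exception()) report.gettersRunAfterException++;
    return scope.throwException("TypeError: custom getter failed");
}
JSValue secondLongAttributeGetter(ThrowScope& scope, RunReport& report) {
    if (scope.exception()) report.gettersRunAfterException++;
    return { "42" };
}

// The body the generator emits. `checkAfterCustomGetter == false` reproduces the
// pre-fix output ($mayThrowException unset on the custom path); `true` is the fixed output.
void toJSONBody(ThrowScope& scope, ResultObject& result, RunReport& report, bool checkAfterCustomGetter) {
    JSValue v1 = firstStringAttributeGetter(scope, report);
    RETURN_IF_EXCEPTION(scope, void());
    result.putDirect("firstStringAttribute", v1);

    JSValue v2 = customGetterAttributeGetter(scope, report);
    if (checkAfterCustomGetter)
        RETURN_IF_EXCEPTION(scope, void()); // the check the fix adds
    result.putDirect("customGetterAttribute", v2); // pre-fix: receives an empty JSValue

    JSValue v3 = secondLongAttributeGetter(scope, report); // pre-fix: runs with a pending exception
    RETURN_IF_EXCEPTION(scope, void());
    result.putDirect("secondLongAttribute", v3);
}

RunReport runToJSON(bool fixed) {
    RunReport report;
    ThrowScope scope;
    ResultObject result{ {}, report };
    toJSONBody(scope, result, report, fixed);
    report.exceptionPropagated = scope.exception();
    return report;
}

} // namespace model

int main() {
    model::RunReport before = model::runToJSON(false);
    model::RunReport after = model::runToJSON(true);
    assert(before.putDirectSawEmptyValue && before.gettersRunAfterException == 1);
    assert(!after.putDirectSawEmptyValue && after.gettersRunAfterException == 0);
    assert(before.exceptionPropagated && after.exceptionPropagated);
    return 0;
}
```

Both variants eventually surface the exception to the caller; the fixed variant differs in that no property is stored with an empty value and no further getter runs after the failure, which is exactly the state the debug assertion in validatePutOwnDataProperty() is there to catch.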