Changeset 197794 in webkit

Timestamp:

Mar 8, 2016, 12:57:25 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
​https://bugs.webkit.org/show_bug.cgi?id=155169

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

With the exception checks, we may end up throwing new exceptions over an existing
one that has been thrown but not handled yet, thereby obscuring it. It may also
mean that the VM will continue running on potentially unstable state, which may
have undesirable consequences.

I first observed this in some failed assertion while running tests on a patch for
​https://bugs.webkit.org/show_bug.cgi?id=154865.

Performance is neutral with this patch (tested on x86_64).

1. Deleted JSNotAnObject, and removed all uses of it.

2. Added exception checks, when needed, following calls to synthesizePrototype() and JSValue::toObject().

The cases that do not need an exception check are the ones that already ensures
that JSValue::toObject() is only called on a value that is convertible to an
object. In those cases, I added an assertion that no exception was thrown
after the call.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• inspector/ScriptCallStackFactory.cpp:

(Inspector::createScriptCallStackFromException):

• interpreter/Interpreter.cpp:
• jit/JITOperations.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::arrayProtoFuncValues):
(JSC::arrayProtoFuncEntries):
(JSC::arrayProtoFuncKeys):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/ExceptionHelpers.cpp:
• runtime/JSCJSValue.cpp:

(JSC::JSValue::toObjectSlowCase):
(JSC::JSValue::toThisSlowCase):
(JSC::JSValue::synthesizePrototype):
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):

• runtime/JSCJSValueInlines.h:

(JSC::JSValue::getPropertySlot):
(JSC::JSValue::get):

• runtime/JSFunction.cpp:
• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncProtoGetter):

• runtime/JSNotAnObject.cpp: Removed.
• runtime/JSNotAnObject.h: Removed.
• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorDefineProperties):
(JSC::objectConstructorCreate):

• runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncToString):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Source/WebCore:

No new tests because this issue is covered by existing tests when the fix for
​https://bugs.webkit.org/show_bug.cgi?id=154865 lands. That patch is waiting for
this patch to land first so as to not introduce test failures.

• Modules/plugins/QuickTimePluginReplacement.mm:

(WebCore::QuickTimePluginReplacement::installReplacement):

• bindings/js/JSDeviceMotionEventCustom.cpp:

(WebCore::readAccelerationArgument):
(WebCore::readRotationRateArgument):

• bindings/js/JSGeolocationCustom.cpp:

(WebCore::createPositionOptions):

• bindings/js/JSHTMLCanvasElementCustom.cpp:

(WebCore::get3DContextAttributes):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateConstructorDefinition):

• bindings/scripts/test/JS/JSTestEventConstructor.cpp:

(WebCore::JSTestEventConstructorConstructor::construct):

• contentextensions/ContentExtensionParser.cpp:

(WebCore::ContentExtensions::getTypeFlags):

• html/HTMLMediaElement.cpp:

(WebCore::setPageScaleFactorProperty):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):

• html/HTMLPlugInImageElement.cpp:

(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):

Location:

trunk/Source

Files:

• JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• JavaScriptCore/inspector/ScriptCallStackFactory.cpp (modified) (1 diff)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITOperations.cpp (modified) (3 diffs)
• JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (15 diffs)
• JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (5 diffs)
• JavaScriptCore/runtime/ExceptionHelpers.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSCJSValue.cpp (modified) (5 diffs)
• JavaScriptCore/runtime/JSCJSValueInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSNotAnObject.cpp (deleted)
• JavaScriptCore/runtime/JSNotAnObject.h (deleted)
• JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ObjectPrototype.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/VM.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/VM.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/Modules/plugins/QuickTimePluginReplacement.mm (modified) (2 diffs)
• WebCore/bindings/js/JSDeviceMotionEventCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSGeolocationCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp (modified) (1 diff)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp (modified) (1 diff)
• WebCore/contentextensions/ContentExtensionParser.cpp (modified) (1 diff)
• WebCore/html/HTMLMediaElement.cpp (modified) (4 diffs)
• WebCore/html/HTMLPlugInImageElement.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt ¶

@@ -710 +710 @@
     runtime/JSModuleRecord.cpp
     runtime/JSNativeStdFunction.cpp
-    runtime/JSNotAnObject.cpp
     runtime/JSONObject.cpp
     runtime/JSObject.cpp

trunk/Source/JavaScriptCore/ChangeLog ¶

@@ +1 @@
+2016-03-08  Mark Lam  <mark.lam@apple.com>
+
+        synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
+        https://bugs.webkit.org/show_bug.cgi?id=155169
+
+        Reviewed by Geoffrey Garen.
+
+        With the exception checks, we may end up throwing new exceptions over an existing
+        one that has been thrown but not handled yet, thereby obscuring it.  It may also
+        mean that the VM will continue running on potentially unstable state, which may
+        have undesirable consequences.
+
+        I first observed this in some failed assertion while running tests on a patch for
+        https://bugs.webkit.org/show_bug.cgi?id=154865.
+
+        Performance is neutral with this patch (tested on x86_64).
+
+        1. Deleted JSNotAnObject, and removed all uses of it.
+
+        2. Added exception checks, when needed, following calls to synthesizePrototype()
+           and JSValue::toObject().
+
+           The cases that do not need an exception check are the ones that already ensures
+           that JSValue::toObject() is only called on a value that is convertible to an
+           object.  In those cases, I added an assertion that no exception was thrown
+           after the call.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * inspector/ScriptCallStackFactory.cpp:
+        (Inspector::createScriptCallStackFromException):
+        * interpreter/Interpreter.cpp:
+        * jit/JITOperations.cpp:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncJoin):
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncPop):
+        (JSC::arrayProtoFuncPush):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::arrayProtoFuncShift):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        (JSC::arrayProtoFuncIndexOf):
+        (JSC::arrayProtoFuncLastIndexOf):
+        (JSC::arrayProtoFuncValues):
+        (JSC::arrayProtoFuncEntries):
+        (JSC::arrayProtoFuncKeys):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/ExceptionHelpers.cpp:
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::toObjectSlowCase):
+        (JSC::JSValue::toThisSlowCase):
+        (JSC::JSValue::synthesizePrototype):
+        (JSC::JSValue::putToPrimitive):
+        (JSC::JSValue::putToPrimitiveByIndex):
+        * runtime/JSCJSValueInlines.h:
+        (JSC::JSValue::getPropertySlot):
+        (JSC::JSValue::get):
+        * runtime/JSFunction.cpp:
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncProtoGetter):
+        * runtime/JSNotAnObject.cpp: Removed.
+        * runtime/JSNotAnObject.h: Removed.
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorDefineProperties):
+        (JSC::objectConstructorCreate):
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncValueOf):
+        (JSC::objectProtoFuncHasOwnProperty):
+        (JSC::objectProtoFuncIsPrototypeOf):
+        (JSC::objectProtoFuncToString):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+
 2016-03-08  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj ¶

@@ -1688 +1688 @@
                 A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B51797601E0098028C /* JSCTestRunnerUtils.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A72028BA1797603D0098028C /* JSFunctionInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B91797603D0098028C /* JSFunctionInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A72700780DAC605600E548D7 /* JSNotAnObject.cpp */; };
                 A72701B90DADE94900E548D7 /* ExceptionHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = A72701B30DADE94900E548D7 /* ExceptionHelpers.h */; };
                 A7280A2811557E3000D56957 /* JSObjectRefPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = A79EDB0811531CD60019E912 /* JSObjectRefPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -3890 +3889 @@
                 A72028B51797601E0098028C /* JSCTestRunnerUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCTestRunnerUtils.h; sourceTree = "<group>"; };
                 A72028B91797603D0098028C /* JSFunctionInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSFunctionInlines.h; sourceTree = "<group>"; };
-                A72700770DAC605600E548D7 /* JSNotAnObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSNotAnObject.h; sourceTree = "<group>"; };
-                A72700780DAC605600E548D7 /* JSNotAnObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSNotAnObject.cpp; sourceTree = "<group>"; };
                 A72701B30DADE94900E548D7 /* ExceptionHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionHelpers.h; sourceTree = "<group>"; };
                 A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MacroAssemblerARMv7.cpp; sourceTree = "<group>"; };
@@ -5736 +5733 @@
                                 E33E8D1A1B9013C300346B52 /* JSNativeStdFunction.cpp */,
                                 E33E8D1B1B9013C300346B52 /* JSNativeStdFunction.h */,
-                                A72700780DAC605600E548D7 /* JSNotAnObject.cpp */,
-                                A72700770DAC605600E548D7 /* JSNotAnObject.h */,
                                 BC22A3980E16E14800AF21C8 /* JSObject.cpp */,
                                 BC22A3990E16E14800AF21C8 /* JSObject.h */,
@@ -9088 +9083 @@
                                 0FB387921BFD31A100E3AB1E /* FTLCompile.cpp in Sources */,
                                 E33E8D1C1B9013C300346B52 /* JSNativeStdFunction.cpp in Sources */,
-                                A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */,
                                 147F39D4107EC37600427A48 /* JSObject.cpp in Sources */,
                                 1482B7E40A43076000517CFC /* JSObjectRef.cpp in Sources */,

trunk/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp ¶

@@ -150 +150 @@
     if (exception->value().isObject()) {
         JSObject* exceptionObject = exception->value().toObject(exec);
+        ASSERT(exceptionObject);
         int lineNumber;
         int columnNumber;

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp ¶

@@ -49 +49 @@
 #include "JSLexicalEnvironment.h"
 #include "JSModuleEnvironment.h"
-#include "JSNotAnObject.h"
 #include "JSStackInlines.h"
 #include "JSString.h"

trunk/Source/JavaScriptCore/jit/JITOperations.cpp ¶

@@ -1766 +1766 @@
 
     JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
+    if (!baseObj)
+        JSValue::encode(JSValue());
     bool couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, *identifier);
     JSValue result = jsBoolean(couldDelete);
@@ -1806 +1808 @@
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
-    return JSValue::encode(JSValue::decode(value).toObject(exec));
+    JSObject* obj = JSValue::decode(value).toObject(exec);
+    if (!obj)
+        return JSValue::encode(JSValue());
+    return JSValue::encode(obj);
 }
 
@@ -2043 +2048 @@
 
     JSObject* base = baseValue.toObject(exec);
+    if (!base)
+        return JSValue::encode(JSValue());
     return JSValue::encode(jsBoolean(base->hasPropertyGeneric(exec, asString(propertyName)->toIdentifier(exec), PropertySlot::InternalMethodType::GetOwnProperty)));
 }

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp ¶

@@ -682 +682 @@
     CodeBlock* codeBlock = exec->codeBlock();
     JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
+    LLINT_CHECK_EXCEPTION();
     bool couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
     LLINT_CHECK_EXCEPTION();
@@ -799 +800 @@
     JSValue baseValue = LLINT_OP_C(2).jsValue();
     JSObject* baseObject = baseValue.toObject(exec);
-    
+    LLINT_CHECK_EXCEPTION();
+
     JSValue subscript = LLINT_OP_C(3).jsValue();
     

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp ¶

@@ -563 +563 @@
 {
     JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObject)
+        return JSValue::encode(JSValue());
 
     StringRecursionChecker checker(exec, thisObject);
@@ -585 +587 @@
     unsigned argCount = exec->argumentCount();
     JSValue curArg = thisValue.toObject(exec);
+    if (!curArg)
+        return JSValue::encode(JSValue());
     Checked<unsigned, RecordOverflow> finalArraySize = 0;
 
@@ -631 +635 @@
 
     curArg = thisValue.toObject(exec);
+    ASSERT(!exec->hadException());
     unsigned n = 0;
     for (unsigned i = 0; ; ++i) {
@@ -666 +671 @@
 
     JSObject* thisObj = thisValue.toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -698 +705 @@
     
     JSObject* thisObj = thisValue.toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -723 +732 @@
 {
     JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObject)
+        return JSValue::encode(JSValue());
 
     unsigned length = getLength(exec, thisObject);
@@ -796 +807 @@
 {
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -818 +831 @@
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -860 +875 @@
 
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -951 +968 @@
 
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -975 +994 @@
     // 15.4.4.14
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (exec->hadException())
@@ -998 +1019 @@
     // 15.4.4.15
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
     if (!length)
@@ -1033 +1056 @@
 {
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateValue, thisObj));
 }
@@ -1039 +1064 @@
 {
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKeyValue, thisObj));
 }
@@ -1045 +1072 @@
 {
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
     return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKey, thisObj));
 }

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp ¶

@@ -550 +550 @@
     JSValue baseValue = OP_C(2).jsValue();
     JSObject* baseObject = baseValue.toObject(exec);
+    CHECK_EXCEPTION();
     
     JSValue subscript = OP_C(3).jsValue();
@@ -607 +608 @@
     BEGIN();
     JSObject* base = OP(2).jsValue().toObject(exec);
+    CHECK_EXCEPTION();
     JSValue property = OP(3).jsValue();
     pc[4].u.arrayProfile->observeStructure(base->structure(vm));
@@ -617 +619 @@
     BEGIN();
     JSObject* base = OP(2).jsValue().toObject(exec);
+    CHECK_EXCEPTION();
     JSValue property = OP(3).jsValue();
     ASSERT(property.isString());
@@ -629 +632 @@
     BEGIN();
     JSObject* base = OP(2).jsValue().toObject(exec);
+    CHECK_EXCEPTION();
     JSValue property = OP(3).jsValue();
     bool result;
@@ -657 +661 @@
 
     JSObject* base = baseValue.toObject(exec);
+    CHECK_EXCEPTION();
 
     RETURN(propertyNameEnumerator(exec, base));

trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp ¶

@@ -35 +35 @@
 #include "Exception.h"
 #include "JSGlobalObjectFunctions.h"
-#include "JSNotAnObject.h"
 #include "Interpreter.h"
 #include "Nodes.h"

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp ¶

@@ -33 +33 @@
 #include "JSFunction.h"
 #include "JSGlobalObject.h"
-#include "JSNotAnObject.h"
 #include "NumberObject.h"
 #include "StructureInlines.h"
@@ -91 +90 @@
     VM& vm = exec->vm();
     vm.throwException(exec, createNotAnObjectError(exec, *this));
-    return JSNotAnObject::create(vm);
+    return nullptr;
 }
 
@@ -126 +125 @@
     VM& vm = exec->vm();
     vm.throwException(exec, createNotAnObjectError(exec, *this));
-    return JSNotAnObject::create(vm);
+    return nullptr;
 }
 
@@ -141 +140 @@
     // Check if there are any setters or getters in the prototype chain
     JSObject* obj = synthesizePrototype(exec);
+    if (UNLIKELY(!obj))
+        return;
     JSValue prototype;
     if (propertyName != exec->propertyNames().underscoreProto) {
@@ -199 +200 @@
     }
     
-    if (synthesizePrototype(exec)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow))
+    JSObject* prototype = synthesizePrototype(exec);
+    if (UNLIKELY(!prototype)) {
+        ASSERT(exec->hadException());
+        return;
+    }
+    if (prototype->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow))
         return;
     

trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h ¶

@@ -768 +768 @@
             return true;
         object = synthesizePrototype(exec);
+        if (UNLIKELY(!object))
+            return false;
     } else
         object = asObject(asCell());
@@ -789 +791 @@
             return slot.getValue(exec, propertyName);
         object = synthesizePrototype(exec);
+        if (UNLIKELY(!object))
+            return JSValue();
     } else
         object = asObject(asCell());

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp ¶

@@ -40 +40 @@
 #include "JSFunctionInlines.h"
 #include "JSGlobalObject.h"
-#include "JSNotAnObject.h"
 #include "Interpreter.h"
 #include "ObjectConstructor.h"

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp ¶

@@ -822 +822 @@
     JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
 
-    if (!thisObject)
-        return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
+    if (!thisObject) {
+        JSObject* prototype = exec->thisValue().synthesizePrototype(exec);
+        if (UNLIKELY(!prototype))
+            return JSValue::encode(JSValue());
+        return JSValue::encode(prototype);
+    }
 
     GlobalFuncProtoGetterFunctor functor(exec, thisObject);

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp ¶

@@ -452 +452 @@
     if (!exec->argument(0).isObject())
         return throwVMError(exec, createTypeError(exec, ASCIILiteral("Properties can only be defined on Objects.")));
-    return JSValue::encode(defineProperties(exec, asObject(exec->argument(0)), exec->argument(1).toObject(exec)));
+    JSObject* targetObj = asObject(exec->argument(0));
+    JSObject* props = exec->argument(1).toObject(exec);
+    if (!props)
+        return JSValue::encode(JSValue());
+    return JSValue::encode(defineProperties(exec, targetObj, props));
 }
 

trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp ¶

@@ -82 +82 @@
 {
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
-    return JSValue::encode(thisValue.toObject(exec));
+    JSObject* valueObj = thisValue.toObject(exec);
+    if (!valueObj)
+        return JSValue::encode(JSValue());
+    return JSValue::encode(valueObj);
 }
 
@@ -91 +94 @@
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
-    return JSValue::encode(jsBoolean(thisValue.toObject(exec)->hasOwnProperty(exec, propertyName)));
+    JSObject* thisObject = thisValue.toObject(exec);
+    if (!thisObject)
+        return JSValue::encode(JSValue());
+    return JSValue::encode(jsBoolean(thisObject->hasOwnProperty(exec, propertyName)));
 }
 
@@ -98 +104 @@
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
     JSObject* thisObj = thisValue.toObject(exec);
+    if (!thisObj)
+        return JSValue::encode(JSValue());
 
     if (!exec->argument(0).isObject())
@@ -266 +274 @@
         return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
     JSObject* thisObject = thisValue.toObject(exec);
+    if (!thisObject)
+        return JSValue::encode(JSValue());
 
     JSString* result = thisObject->structure(vm)->objectToStringValue();

trunk/Source/JavaScriptCore/runtime/VM.cpp ¶

@@ -66 +66 @@
 #include "JSLexicalEnvironment.h"
 #include "JSLock.h"
-#include "JSNotAnObject.h"
 #include "JSPromiseDeferred.h"
 #include "JSPropertyNameEnumerator.h"
@@ -216 +215 @@
     terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
     stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
-    notAnObjectStructure.set(*this, JSNotAnObject::createStructure(*this, 0, jsNull()));
     propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
     getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));

trunk/Source/JavaScriptCore/runtime/VM.h ¶

@@ -285 +285 @@
     Strong<Structure> terminatedExecutionErrorStructure;
     Strong<Structure> stringStructure;
-    Strong<Structure> notAnObjectStructure;
     Strong<Structure> propertyNameIteratorStructure;
     Strong<Structure> propertyNameEnumeratorStructure;

trunk/Source/WebCore/ChangeLog ¶

@@ +1 @@
+2016-03-08  Mark Lam  <mark.lam@apple.com>
+
+        synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
+        https://bugs.webkit.org/show_bug.cgi?id=155169
+
+        Reviewed by Geoffrey Garen.
+
+        No new tests because this issue is covered by existing tests when the fix for
+        https://bugs.webkit.org/show_bug.cgi?id=154865 lands.  That patch is waiting for
+        this patch to land first so as to not introduce test failures.
+
+        * Modules/plugins/QuickTimePluginReplacement.mm:
+        (WebCore::QuickTimePluginReplacement::installReplacement):
+        * bindings/js/JSDeviceMotionEventCustom.cpp:
+        (WebCore::readAccelerationArgument):
+        (WebCore::readRotationRateArgument):
+        * bindings/js/JSGeolocationCustom.cpp:
+        (WebCore::createPositionOptions):
+        * bindings/js/JSHTMLCanvasElementCustom.cpp:
+        (WebCore::get3DContextAttributes):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateConstructorDefinition):
+        * bindings/scripts/test/JS/JSTestEventConstructor.cpp:
+        (WebCore::JSTestEventConstructorConstructor::construct):
+        * contentextensions/ContentExtensionParser.cpp:
+        (WebCore::ContentExtensions::getTypeFlags):
+        * html/HTMLMediaElement.cpp:
+        (WebCore::setPageScaleFactorProperty):
+        (WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
+        (WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):
+
 2016-03-08  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm ¶

@@ -191 +191 @@
         return false;
     JSC::JSObject* replacementObject = replacementFunction.toObject(exec);
+    ASSERT(!exec->hadException());
     JSC::CallData callData;
     JSC::CallType callType = replacementObject->methodTable()->getCallData(replacementObject, callData);
@@ -221 +222 @@
     // Get the scripting interface.
     value = replacement.get(exec, JSC::Identifier::fromString(exec, "scriptObject"));
-    if (!exec->hadException() && !value.isUndefinedOrNull())
+    if (!exec->hadException() && !value.isUndefinedOrNull()) {
         m_scriptObject = value.toObject(exec);
+        ASSERT(!exec->hadException());
+    }
 
     if (!m_scriptObject) {

trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp ¶

@@ -48 +48 @@
     // Given the above test, this will always yield an object.
     JSObject* object = value.toObject(&state);
+    ASSERT(!state.hadException());
 
     JSValue xValue = object->get(&state, Identifier::fromString(&state, "x"));
@@ -86 +87 @@
     // Given the above test, this will always yield an object.
     JSObject* object = value.toObject(&state);
+    ASSERT(!state.hadException());
 
     JSValue alphaValue = object->get(&state, Identifier::fromString(&state, "alpha"));

trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp ¶

@@ -83 +83 @@
     // Given the above test, this will always yield an object.
     JSObject* object = value.toObject(exec);
+    ASSERT(!exec->hadException());
 
     // Create the dictionary wrapper from the initializer object.

trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp ¶

@@ -52 +52 @@
     
     JSObject* initializerObject = initializerValue.toObject(&state);
+    ASSERT(!state.hadException());
     JSDictionary dictionary(&state, initializerObject);
     

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm ¶

@@ -4821 +4821 @@
         // Given the above test, this will always yield an object.
         JSObject* initializerObject = initializerValue.toObject(state);
+        ASSERT(!state->hadException());
 
         // Create the dictionary wrapper from the initializer object.

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp ¶

@@ -89 +89 @@
         // Given the above test, this will always yield an object.
         JSObject* initializerObject = initializerValue.toObject(state);
+        ASSERT(!state->hadException());
 
         // Create the dictionary wrapper from the initializer object.

trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp ¶

@@ -91 +91 @@
 
     const JSObject* object = typeValue.toObject(&exec);
+    ASSERT(!exec.hadException());
     if (!isJSArray(object))
         return ContentExtensionError::JSONInvalidTriggerFlagsArray;

trunk/Source/WebCore/html/HTMLMediaElement.cpp ¶

@@ -6310 +6310 @@
     JSC::PutPropertySlot propertySlot(controllerValue);
     JSC::JSObject* controllerObject = controllerValue.toObject(exec);
+    if (!controllerObject)
+        return;
     controllerObject->methodTable()->put(controllerObject, exec, JSC::Identifier::fromString(exec, "pageScaleFactor"), JSC::jsNumber(pageScaleFactor), propertySlot);
 }
@@ -6356 +6358 @@
 
     JSC::JSObject* function = functionValue.toObject(exec);
+    ASSERT(!exec->hadException());
     JSC::CallData callData;
     JSC::CallType callType = function->methodTable()->getCallData(function, callData);
@@ -6369 +6372 @@
     // Connect the Media, MediaControllerHost, and Controller so the GC knows about their relationship
     JSC::JSObject* mediaJSWrapperObject = mediaJSWrapper.toObject(exec);
+    ASSERT(!exec->hadException());
     JSC::Identifier controlsHost = JSC::Identifier::fromString(&exec->vm(), "controlsHost");
     
@@ -6450 +6454 @@
 
     JSC::JSObject* function = functionValue.toObject(exec);
+    ASSERT(!exec->hadException());
     JSC::CallData callData;
     JSC::CallType callType = function->methodTable()->getCallData(function, callData);

trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp ¶

@@ -405 +405 @@
     // It is expected the JS file provides a createOverlay(shadowRoot, title, subtitle) function.
     JSC::JSObject* overlay = globalObject->get(exec, JSC::Identifier::fromString(exec, "createOverlay")).toObject(exec);
+    if (!overlay) {
+        ASSERT(exec->hadException());
+        exec->clearException();
+        return;
+    }
     JSC::CallData callData;
     JSC::CallType callType = overlay->methodTable()->getCallData(overlay, callData);