Changeset 201787 in webkit


Timestamp:
Jun 7, 2016 7:53:32 PM (8 years ago)
Author:
mark.lam@apple.com
Message:

Need an exception check after constructEmptyArray().
https://bugs.webkit.org/show_bug.cgi?id=158411

Reviewed by Saam Barati.

Source/JavaScriptCore:

Added an exception check after each call to constructEmptyArray().

  • inspector/JSInjectedScriptHost.cpp:

(Inspector::JSInjectedScriptHost::getInternalProperties):
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):

  • interpreter/ShadowChicken.cpp:

(JSC::ShadowChicken::functionsOnStack):

  • profiler/ProfilerBytecodeSequence.cpp:

(JSC::Profiler::BytecodeSequence::addSequenceProperties):

  • profiler/ProfilerCompilation.cpp:

(JSC::Profiler::Compilation::toJS):

  • profiler/ProfilerDatabase.cpp:

(JSC::Profiler::Database::toJS):

  • profiler/ProfilerOSRExitSite.cpp:

(JSC::Profiler::OSRExitSite::toJS):

  • profiler/ProfilerOriginStack.cpp:

(JSC::Profiler::OriginStack::toJS):

  • runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):

  • runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

  • runtime/ModuleLoaderObject.cpp:

(JSC::moduleLoaderObjectRequestedModules):

  • runtime/ObjectConstructor.cpp:

(JSC::ownPropertyKeys):

  • runtime/RegExpObject.cpp:

(JSC::collectMatches):

  • runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncSplitFast):

  • runtime/StringPrototype.cpp:

(JSC::stringProtoFuncSplitFast):

  • runtime/TemplateRegistry.cpp:

(JSC::TemplateRegistry::getTemplateObject):

  • tests/stress/regress-158411.js: Added.

Source/WebCore:

A stress test for this was added in JavaScriptCore.

  • bindings/js/IDBBindingUtilities.cpp:

(WebCore::toJS):

  • bindings/js/JSCommandLineAPIHostCustom.cpp:

(WebCore::getJSListenerFunctions):

  • bindings/js/JSCryptoKeySerializationJWK.cpp:

(WebCore::buildJSONForRSAComponents):
(WebCore::addBoolToJSON):
(WebCore::addUsagesToJSON):
(WebCore::JSCryptoKeySerializationJWK::serialize):

  • bindings/js/JSDOMBinding.h:

(WebCore::toJS):

  • bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::deserialize):

Location:
trunk/Source
Files:
1 added
22 edited

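--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,49 @@
+2016-06-07  Mark Lam  <mark.lam@apple.com>
+
+        Need an exception check after constructEmptyArray().
+        https://bugs.webkit.org/show_bug.cgi?id=158411
+
+        Reviewed by Saam Barati.
+
+        Added an exception check after each call to constructEmptyArray().
+
+        * inspector/JSInjectedScriptHost.cpp:
+        (Inspector::JSInjectedScriptHost::getInternalProperties):
+        (Inspector::JSInjectedScriptHost::weakMapEntries):
+        (Inspector::JSInjectedScriptHost::weakSetEntries):
+        (Inspector::JSInjectedScriptHost::iteratorEntries):
+        * interpreter/ShadowChicken.cpp:
+        (JSC::ShadowChicken::functionsOnStack):
+        * profiler/ProfilerBytecodeSequence.cpp:
+        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
+        * profiler/ProfilerCompilation.cpp:
+        (JSC::Profiler::Compilation::toJS):
+        * profiler/ProfilerDatabase.cpp:
+        (JSC::Profiler::Database::toJS):
+        * profiler/ProfilerOSRExitSite.cpp:
+        (JSC::Profiler::OSRExitSite::toJS):
+        * profiler/ProfilerOriginStack.cpp:
+        (JSC::Profiler::OriginStack::toJS):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSplice):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/ModuleLoaderObject.cpp:
+        (JSC::moduleLoaderObjectRequestedModules):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::ownPropertyKeys):
+        * runtime/RegExpObject.cpp:
+        (JSC::collectMatches):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::regExpProtoFuncSplitFast):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncSplitFast):
+        * runtime/TemplateRegistry.cpp:
+        (JSC::TemplateRegistry::getTemplateObject):
+
+        * tests/stress/regress-158411.js: Added.
+
 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
 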
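--- a/trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
+++ b/trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
@@ -258,4 +258,5 @@
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
 
@@ -263,4 +264,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         switch (promise->status(exec->vm())) {
         case JSPromise::Status::Pending:
@@ -283,4 +286,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "targetFunction", boundFunction->targetFunction()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundThis", boundFunction->boundThis()));
@@ -293,4 +298,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("target"), proxy->target()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("handler"), proxy->handler()));
@@ -305,4 +312,6 @@
             unsigned index = 0;
             JSArray* array = constructEmptyArray(exec, nullptr, 2);
+            if (UNLIKELY(vm.exception()))
+                return jsUndefined();
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", iteratedValue));
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", kind));
@@ -326,4 +335,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", arrayIterator->iteratedValue(exec)));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
@@ -346,4 +357,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "map", mapIterator->iteratedValue()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
@@ -366,4 +379,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "set", setIterator->iteratedValue()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
@@ -374,4 +389,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 1);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "string", stringIterator->iteratedValue(exec)));
         return array;
@@ -381,4 +398,6 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 1);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "object", propertyNameIterator->iteratedValue()));
         return array;
@@ -406,4 +425,5 @@
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
     JSWeakMap* weakMap = jsDynamicCast<JSWeakMap*>(value);
@@ -420,4 +440,6 @@
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = weakMap->weakMapData()->begin(); it != weakMap->weakMapData()->end(); ++it) {
         JSObject* entry = constructEmptyObject(exec);
@@ -450,4 +472,5 @@
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
     JSWeakSet* weakSet = jsDynamicCast<JSWeakSet*>(value);
@@ -464,4 +487,6 @@
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = weakSet->weakMapData()->begin(); it != weakSet->weakMapData()->end(); ++it) {
         JSObject* entry = constructEmptyObject(exec);
@@ -502,5 +527,5 @@
     else if (JSPropertyNameIterator* propertyNameIterator = jsDynamicCast<JSPropertyNameIterator*>(value)) {
         iterator = propertyNameIterator->clone(exec);
-        if (UNLIKELY(exec->hadException()))
+        if (UNLIKELY(vm.exception()))
             return JSValue();
     } else {
@@ -522,8 +547,10 @@
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
 
     for (unsigned i = 0; i < numberToFetch; ++i) {
         JSValue next = iteratorStep(exec, iterator);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             break;
         if (next.isFalse())
@@ -531,5 +558,5 @@
 
         JSValue nextValue = iteratorValue(exec, next);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             break;
 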
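Review bot: The new failure path after `constructEmptyArray` at new lines 549-550 returns `jsUndefined()`, while the existing early-out at new lines 529-530 in what appears to be the same function (iteratorEntries, per the ChangeLog) returns `JSValue()`; a caller that distinguishes an empty JSValue from undefined now gets two different signals for the same pending-exception state. Picking one form — `return JSValue();` to match the existing early-outs in that function, or `jsUndefined()` to match the rest of this changeset — would avoid that ambiguity. The `putDirectIndex`/`constructInternalProperty` calls that follow each new check stay unchecked, which predates this change. Every enclosing function here begins and ends outside its hunk.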
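--- a/trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp
+++ b/trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp
@@ -436,8 +436,11 @@
 JSArray* ShadowChicken::functionsOnStack(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     iterate(
-        exec->vm(), exec,
+        vm, exec,
         [&] (const Frame& frame) -> bool {
             result->push(exec, frame.callee);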
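Review bot: functionsOnStack now returns `nullptr` at new line 441 with an exception pending on the VM, and the hunk adds no comment telling callers to check for that; a line above the definition, `// Returns nullptr, with an exception pending on the VM, if the result array could not be created.`, would make the contract visible. `result->push(exec, frame.callee)` inside the iterate callback is still unchecked, which predates this change. The function's end lies outside the hunk.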
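--- a/trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp
@@ -78,13 +78,18 @@
 void BytecodeSequence::addSequenceProperties(ExecState* exec, JSObject* result) const
 {
+    VM& vm = exec->vm();
     JSArray* header = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return;
     for (unsigned i = 0; i < m_header.size(); ++i)
         header->putDirectIndex(exec, i, jsString(exec, String::fromUTF8(m_header[i])));
-    result->putDirect(exec->vm(), exec->propertyNames().header, header);
+    result->putDirect(vm, exec->propertyNames().header, header);
     
     JSArray* sequence = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return;
     for (unsigned i = 0; i < m_sequence.size(); ++i)
         sequence->putDirectIndex(exec, i, m_sequence[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().bytecode, sequence);
+    result->putDirect(vm, exec->propertyNames().bytecode, sequence);
 }
 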
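Review bot: addSequenceProperties returns `void`, so the two new early returns at new lines 82-83 and 89-90 leave `result` either untouched or with only `header` attached, and the pending exception is the caller's only signal; a comment above the function, `// On failure returns early with an exception pending on the VM; result may then be only partially populated.`, documents what callers must check. The `m_sequence[i].toJS(exec)` calls in the second loop are still unchecked, which predates this change.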
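--- a/trunk/Source/JavaScriptCore/profiler/ProfilerCompilation.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerCompilation.cpp
@@ -115,46 +115,58 @@
 JSValue Compilation::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSObject* result = constructEmptyObject(exec);
-    
-    result->putDirect(exec->vm(), exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
-    result->putDirect(exec->vm(), exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
+    result->putDirect(vm, exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
+    result->putDirect(vm, exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
     
     JSArray* profiledBytecodes = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_profiledBytecodes.size(); ++i)
         profiledBytecodes->putDirectIndex(exec, i, m_profiledBytecodes[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().profiledBytecodes, profiledBytecodes);
+    result->putDirect(vm, exec->propertyNames().profiledBytecodes, profiledBytecodes);
     
     JSArray* descriptions = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_descriptions.size(); ++i)
         descriptions->putDirectIndex(exec, i, m_descriptions[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().descriptions, descriptions);
+    result->putDirect(vm, exec->propertyNames().descriptions, descriptions);
     
     JSArray* counters = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = m_counters.begin(), end = m_counters.end(); it != end; ++it) {
         JSObject* counterEntry = constructEmptyObject(exec);
-        counterEntry->putDirect(exec->vm(), exec->propertyNames().origin, it->key.toJS(exec));
-        counterEntry->putDirect(exec->vm(), exec->propertyNames().executionCount, jsNumber(it->value->count()));
+        counterEntry->putDirect(vm, exec->propertyNames().origin, it->key.toJS(exec));
+        counterEntry->putDirect(vm, exec->propertyNames().executionCount, jsNumber(it->value->count()));
         counters->push(exec, counterEntry);
     }
-    result->putDirect(exec->vm(), exec->propertyNames().counters, counters);
+    result->putDirect(vm, exec->propertyNames().counters, counters);
     
     JSArray* exitSites = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_osrExitSites.size(); ++i)
         exitSites->putDirectIndex(exec, i, m_osrExitSites[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().osrExitSites, exitSites);
+    result->putDirect(vm, exec->propertyNames().osrExitSites, exitSites);
     
     JSArray* exits = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_osrExits.size(); ++i)
         exits->putDirectIndex(exec, i, m_osrExits[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().osrExits, exits);
+    result->putDirect(vm, exec->propertyNames().osrExits, exits);
     
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
-    result->putDirect(exec->vm(), exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
+    result->putDirect(vm, exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
+    result->putDirect(vm, exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
+    result->putDirect(vm, exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
+    result->putDirect(vm, exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
     if (!m_additionalJettisonReason.isNull())
-        result->putDirect(exec->vm(), exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
+        result->putDirect(vm, exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
     
-    result->putDirect(exec->vm(), exec->propertyNames().uid, m_uid.toJS(exec));
+    result->putDirect(vm, exec->propertyNames().uid, m_uid.toJS(exec));
     
     return result;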
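Review bot: The per-element `m_osrExitSites[i].toJS(exec)` at new line 153 (and `it->key.toJS(exec)` at 143, which looks like an OriginStack) is still unchecked, yet OSRExitSite::toJS and OriginStack::toJS in this same changeset now return `jsUndefined()` with an exception pending; the loop would store that undefined, carry on, and `result` would be returned with the exception still set, which is the partial-object outcome the new early returns above try to avoid. A check after each loop, `if (UNLIKELY(vm.exception())) return jsUndefined();` before the corresponding `result->putDirect(vm, ...)`, would fail at the first error. Whether the other element `toJS` overloads used here (lines 128, 135, 160, 170) can throw is not visible in this hunk. The function's closing brace is outside the hunk.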
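--- a/trunk/Source/JavaScriptCore/profiler/ProfilerDatabase.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerDatabase.cpp
@@ -100,20 +100,27 @@
 JSValue Database::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSObject* result = constructEmptyObject(exec);
     
     JSArray* bytecodes = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_bytecodes.size(); ++i)
         bytecodes->putDirectIndex(exec, i, m_bytecodes[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().bytecodes, bytecodes);
+    result->putDirect(vm, exec->propertyNames().bytecodes, bytecodes);
     
     JSArray* compilations = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_compilations.size(); ++i)
         compilations->putDirectIndex(exec, i, m_compilations[i]->toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().compilations, compilations);
+    result->putDirect(vm, exec->propertyNames().compilations, compilations);
     
     JSArray* events = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_events.size(); ++i)
         events->putDirectIndex(exec, i, m_events[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().events, events);
+    result->putDirect(vm, exec->propertyNames().events, events);
     
     return result;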
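Review bot: `constructEmptyObject(exec)` at new line 103 is left unchecked, while the same call in Compilation::toJS in this changeset got `if (UNLIKELY(vm.exception())) return jsUndefined();` directly after it; here a failure is only caught by the check after the first `constructEmptyArray` at lines 106-107, which works because `result` is not touched in between but leaves the two profiler `toJS` functions inconsistent. Adding the same two lines after line 103 keeps them parallel. The `m_compilations[i]->toJS(exec)` calls at line 116 now return `jsUndefined()` with an exception pending (per this changeset's change to Compilation::toJS) and the loop keeps going; a check after that loop would let the failure surface at the first error. The function's closing brace is outside the hunk.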
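--- a/trunk/Source/JavaScriptCore/profiler/ProfilerOSRExitSite.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerOSRExitSite.cpp
@@ -37,5 +37,8 @@
 JSValue OSRExitSite::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_codeAddresses.size(); ++i)
         result->putDirectIndex(exec, i, jsString(exec, toString(RawPointer(m_codeAddresses[i]))));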
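--- a/trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp
@@ -101,5 +101,8 @@
 JSValue OriginStack::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     
     for (unsigned i = 0; i < m_stack.size(); ++i)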
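--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -591,4 +591,5 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
     unsigned argCount = exec->argumentCount();
@@ -611,5 +612,5 @@
             // Can't use JSArray::length here because this might be a RuntimeArray!
             finalArraySize += getLength(exec, currentArray);
-            if (exec->hadException())
+            if (UNLIKELY(vm.exception()))
                 return JSValue::encode(jsUndefined());
         } else
@@ -637,10 +638,10 @@
         // We add the newTarget because the compiler gets confused between 0 being a number and a pointer.
         result = constructEmptyArray(exec, nullptr, 0, JSValue());
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
 
     curArg = thisValue.toObject(exec);
-    ASSERT(!exec->hadException());
+    ASSERT(!vm.exception());
     unsigned n = 0;
     for (unsigned i = 0; ; ++i) {
@@ -648,9 +649,9 @@
             // Can't use JSArray::length here because this might be a RuntimeArray!
             unsigned length = getLength(exec, currentArray);
-            if (exec->hadException())
+            if (UNLIKELY(vm.exception()))
                 return JSValue::encode(jsUndefined());
             for (unsigned k = 0; k < length; ++k) {
                 JSValue v = getProperty(exec, currentArray, k);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 if (v)
@@ -847,9 +848,10 @@
 {
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
+    VM& vm = exec->vm();
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
     if (!thisObj)
         return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
@@ -870,11 +872,14 @@
     if (speciesResult.first == SpeciesConstructResult::CreatedObject)
         result = speciesResult.second;
-    else
+    else {
         result = constructEmptyArray(exec, nullptr, end - begin);
+        if (UNLIKELY(vm.exception()))
+            return JSValue::encode(jsUndefined());
+    }
 
     unsigned n = 0;
     for (unsigned k = begin; k < end; k++, n++) {
         JSValue v = getProperty(exec, thisObj, k);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
         if (v)
@@ -895,5 +900,5 @@
         return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
@@ -906,6 +911,9 @@
         if (speciesResult.first == SpeciesConstructResult::CreatedObject)
             result = speciesResult.second;
-        else
+        else {
             result = constructEmptyArray(exec, nullptr);
+            if (UNLIKELY(vm.exception()))
+                return JSValue::encode(jsUndefined());
+        }
 
         setLength(exec, result, 0);
@@ -940,8 +948,8 @@
             for (unsigned k = 0; k < deleteCount; ++k) {
                 JSValue v = getProperty(exec, thisObj, k + begin);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 result->putByIndexInline(exec, k, v, true);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
             }
@@ -953,5 +961,5 @@
             for (unsigned k = 0; k < deleteCount; ++k) {
                 JSValue v = getProperty(exec, thisObj, k + begin);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 result->initializeIndex(vm, k, v);
@@ -963,14 +971,14 @@
     if (additionalArgs < deleteCount) {
         shift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     } else if (additionalArgs > deleteCount) {
         unshift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
     for (unsigned k = 0; k < additionalArgs; ++k) {
         thisObj->putByIndexInline(exec, k + begin, exec->uncheckedArgument(k + 2), true);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }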
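--- a/trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp
@@ -584,4 +584,6 @@
             case StartParseArray: {
                 JSArray* array = constructEmptyArray(m_exec, 0);
+                if (UNLIKELY(m_exec->hadException()))
+                    return JSValue();
                 objectStack.append(array);
             }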
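Review bot: The new check at new lines 586-587 tests `m_exec->hadException()`, whereas every other hunk in this changeset tests `vm.exception()` on a cached `VM&`; `if (UNLIKELY(m_exec->vm().exception()))` would follow that convention without adding a local to parse. Returning `JSValue()` here is presumably how parse already reports failure on its other paths, which are not visible in this hunk. The enclosing parse function starts and ends outside the hunk.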
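--- a/trunk/Source/JavaScriptCore/runtime/ModuleLoaderObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ModuleLoaderObject.cpp
@@ -298,4 +298,6 @@
 
     JSArray* result = constructEmptyArray(exec, nullptr, moduleRecord->requestedModules().size());
+    if (UNLIKELY(exec->hadException()))
+        JSValue::encode(jsUndefined());
     size_t i = 0;
     for (auto& key : moduleRecord->requestedModules())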
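Review bot: The added check at new lines 300-301 is missing its `return`: `JSValue::encode(jsUndefined());` is evaluated and discarded, so when `constructEmptyArray` fails the function carries on into the loop with an exception pending and `result` possibly unusable — exactly the condition this changeset sets out to stop, and here the guard is a no-op. The line should read `        return JSValue::encode(jsUndefined());`. For consistency with the other hunks in this changeset the check could also be spelled `if (UNLIKELY(vm.exception()))` over a cached `VM& vm = exec->vm();`, though `exec->hadException()` is not itself wrong. The enclosing function (moduleLoaderObjectRequestedModules, per the ChangeLog) starts and ends outside the hunk.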
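--- a/trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
@@ -704,10 +704,13 @@
 JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode propertyNameMode, DontEnumPropertiesMode dontEnumPropertiesMode)
 {
+    VM& vm = exec->vm();
     PropertyNameArray properties(exec, propertyNameMode);
-    object->methodTable(exec->vm())->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
-    if (exec->hadException())
+    object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
+    if (UNLIKELY(vm.exception()))
         return nullptr;
 
     JSArray* keys = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     switch (propertyNameMode) {
@@ -728,5 +731,5 @@
             ASSERT(identifier.isSymbol());
             if (!exec->propertyNames().isPrivateName(identifier))
-                keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+                keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
         }
         break;
@@ -747,5 +750,5 @@
         // To ensure the order defined in the spec (9.1.12), we append symbols at the last elements of keys.
         for (const auto& identifier : propertySymbols)
-            keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+            keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
 
         break;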
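--- a/trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp
@@ -180,4 +180,6 @@
     
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
 
     auto iterate = [&] () {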
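--- a/trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
@@ -564,4 +564,6 @@
     // 12. Let lengthA be 0.
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
     unsigned resultLength = 0;
 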
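--- a/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -1083,4 +1083,5 @@
 EncodedJSValue JSC_HOST_CALL stringProtoFuncSplitFast(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSValue thisValue = exec->thisValue();
     ASSERT(checkObjectCoercible(thisValue));
@@ -1089,5 +1090,5 @@
     // 7. Let s be the number of characters in S.
     String input = thisValue.toString(exec)->value(exec);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
     ASSERT(!input.isNull());
@@ -1096,4 +1097,6 @@
     //    where Array is the standard built-in constructor with that name.
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
 
     // 5. Let lengthA be 0.
@@ -1111,5 +1114,5 @@
     JSValue separatorValue = exec->uncheckedArgument(0);
     String separator = separatorValue.toString(exec)->value(exec);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 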
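--- a/trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
@@ -46,7 +46,12 @@
         return cached;
 
+    VM& vm = exec->vm();
     unsigned count = templateKey.cookedStrings().size();
     JSArray* templateObject = constructEmptyArray(exec, nullptr, count);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     JSArray* rawObject = constructEmptyArray(exec, nullptr, count);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     for (unsigned index = 0; index < count; ++index) {
@@ -58,5 +63,5 @@
     ASSERT(!exec->hadException());
 
-    templateObject->putDirect(exec->vm(), exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
+    templateObject->putDirect(vm, exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
 
     objectConstructorFreeze(exec, templateObject);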
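Review bot: `ASSERT(!exec->hadException());` at new line 63 keeps the old spelling while the hunk above moves the function to a cached `vm` and `vm.exception()`; `ASSERT(!vm.exception());` would match, as the equivalent line in arrayProtoFuncConcat was changed in this changeset. getTemplateObject now returns `nullptr` at new lines 52 and 55 with an exception pending, which a comment above the function should state so that callers know to check. The function's beginning and end lie outside the hunks.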
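--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,25 @@
+2016-06-07  Mark Lam  <mark.lam@apple.com>
+
+        Need an exception check after constructEmptyArray().
+        https://bugs.webkit.org/show_bug.cgi?id=158411
+
+        Reviewed by Saam Barati.
+
+        A stress test for this was added in JavaScriptCore.
+
+        * bindings/js/IDBBindingUtilities.cpp:
+        (WebCore::toJS):
+        * bindings/js/JSCommandLineAPIHostCustom.cpp:
+        (WebCore::getJSListenerFunctions):
+        * bindings/js/JSCryptoKeySerializationJWK.cpp:
+        (WebCore::buildJSONForRSAComponents):
+        (WebCore::addBoolToJSON):
+        (WebCore::addUsagesToJSON):
+        (WebCore::JSCryptoKeySerializationJWK::serialize):
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::toJS):
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::deserialize):
+
 2016-06-07  Antoine Quint  <graouts@apple.com>
 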
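--- a/trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp
+++ b/trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp
@@ -89,5 +89,6 @@
     }
 
-    Locker<JSLock> locker(state.vm().apiLock());
+    VM& vm = state.vm();
+    Locker<JSLock> locker(vm.apiLock());
 
     switch (key->type()) {
@@ -95,8 +96,10 @@
         auto& inArray = key->array();
         unsigned size = inArray.size();
-        auto& outArray = *constructEmptyArray(&state, 0, &globalObject, size);
+        auto outArray = constructEmptyArray(&state, 0, &globalObject, size);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         for (size_t i = 0; i < size; ++i)
-            outArray.putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
-        return &outArray;
+            outArray->putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
+        return outArray;
     }
     case KeyType::String: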
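Review bot: The recursive `toJS(state, globalObject, inArray.at(i).get())` inside the loop can now itself bail with `jsUndefined()` and an exception pending (a nested array key hits the same new check), but the loop neither tests for that nor stops, so the outer array keeps being filled and is returned with the exception still set. Checking once per iteration keeps the early exit consistent: `JSValue element = toJS(state, globalObject, inArray.at(i).get()); if (UNLIKELY(vm.exception())) return jsUndefined(); outArray->putDirectIndex(&state, i, element);`. Minor style point: `auto outArray` hides that this is a `JSArray*` that is null exactly when the check fires; spelling out `JSArray*` would make the purpose of the check obvious to the next reader. The switch and the enclosing toJS continue past the hunk.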
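--- a/trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp
@@ -68,5 +68,8 @@
 static JSArray* getJSListenerFunctions(ExecState& state, Document* document, const EventListenerInfo& listenerInfo)
 {
+    VM& vm = state.vm();
     JSArray* result = constructEmptyArray(&state, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     size_t handlersCount = listenerInfo.eventListenerVector.size();
     for (size_t i = 0, outputIndex = 0; i < handlersCount; ++i) {
@@ -86,6 +89,6 @@
 
         JSObject* listenerEntry = constructEmptyObject(&state);
-        listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "listener"), function);
-        listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
+        listenerEntry->putDirect(vm, Identifier::fromString(&state, "listener"), function);
+        listenerEntry->putDirect(vm, Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
         result->putDirectIndex(&state, outputIndex++, JSValue(listenerEntry));
     }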
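Review bot: getJSListenerFunctions now returns nullptr with an exception pending, and its callers are outside this hunk; a caller that wraps the result in a `JSValue` or calls `putDirect` on it without a null check would turn the guarded failure into a crash, so each call site should be confirmed against the new contract. Inside the loop, `constructEmptyObject(&state)` and the `putDirectIndex` call remain unchecked; if those can fail the same way (I cannot tell from the hunk), the same `if (UNLIKELY(vm.exception())) return nullptr;` belongs after them. A one-line comment above the function, `// Returns nullptr if an exception was thrown; the caller must check vm.exception().`, would document what the early return now means.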
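--- a/trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp
@@ -535,5 +535,8 @@
         return;
 
+    VM& vm = exec->vm();
     JSArray* oth = constructEmptyArray(exec, 0, exec->lexicalGlobalObject(), data.otherPrimeInfos().size());
+    if (UNLIKELY(vm.exception()))
+        return;
     for (size_t i = 0, size = data.otherPrimeInfos().size(); i < size; ++i) {
         JSObject* jsPrimeInfo = constructEmptyObject(exec);
@@ -543,5 +546,5 @@
         oth->putDirectIndex(exec, i, jsPrimeInfo);
     }
-    result->putDirect(exec->vm(), Identifier::fromString(exec, "oth"), oth);
+    result->putDirect(vm, Identifier::fromString(exec, "oth"), oth);
 }
 
@@ -656,5 +659,8 @@
 static void addUsagesToJSON(ExecState* exec, JSObject* json, CryptoKeyUsage usages)
 {
+    VM& vm = exec->vm();
     JSArray* keyOps = constructEmptyArray(exec, 0, exec->lexicalGlobalObject(), 0);
+    if (UNLIKELY(vm.exception()))
+        return;
 
     unsigned index = 0;
@@ -676,5 +682,5 @@
         keyOps->putDirectIndex(exec, index++, jsNontrivialString(exec, ASCIILiteral("deriveBits")));
 
-    json->putDirect(exec->vm(), Identifier::fromString(exec, "key_ops"), keyOps);
+    json->putDirect(vm, Identifier::fromString(exec, "key_ops"), keyOps);
 }
 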
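Review bot: Both helpers now return early from a void function, which silently leaves the `oth` or `key_ops` property out of the JSON object; the caller (`JSCryptoKeySerializationJWK::serialize`, listed in the ChangeLog but not in view) must check `vm.exception()` after each helper, otherwise a JWK missing its `key_ops` usage restrictions could be handed back with only a pending exception to signal the truncation. Each early return deserves a comment, e.g. `// Property is left out; the caller must check vm.exception() and abandon the serialization.` The per-element `constructEmptyObject(exec)` and `putDirectIndex` calls inside the otherPrimeInfos loop remain unchecked, so if allocation can fail there the same question applies; the rest of buildJSONForRSAComponents and the body of addUsagesToJSON lie outside the hunks shown.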
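--- a/trunk/Source/WebCore/bindings/js/JSDOMBinding.h
+++ b/trunk/Source/WebCore/bindings/js/JSDOMBinding.h
@@ -541,4 +541,6 @@
 {
     JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
+    if (UNLIKELY(exec->hadException()))
+        return JSC::jsUndefined();
     for (size_t i = 0; i < vector.size(); ++i)
         array->putDirectIndex(exec, i, toJS(exec, globalObject, vector[i]));
@@ -549,4 +551,6 @@
 {
     JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
+    if (UNLIKELY(exec->hadException()))
+        return JSC::jsUndefined();
     for (size_t i = 0; i < vector.size(); ++i)
         array->putDirectIndex(exec, i, toJS(exec, globalObject, vector[i].get()));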
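Review bot: The element-wise `toJS(exec, globalObject, vector[i])` inside each loop is itself unchecked, so if it sets an exception (the nested-vector case goes back through these same overloads, which now bail with `jsUndefined()`), the array is still filled to the end and returned over a pending exception. Checking per iteration would make the early exit consistent: `JSC::JSValue element = toJS(exec, globalObject, vector[i]); if (UNLIKELY(exec->hadException())) return JSC::jsUndefined(); array->putDirectIndex(exec, i, element);` (and the `.get()` form in the second overload). Style: these two checks use `exec->hadException()` while every other file in the commit caches `VM& vm` and tests `vm.exception()`; harmless, but worth aligning. Both template signatures begin above the hunk and the `return array;` lines fall after it.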
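--- a/trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -2464,4 +2464,6 @@
             }
             JSArray* outArray = constructEmptyArray(m_exec, 0, m_globalObject, length);
+            if (UNLIKELY(m_exec->hadException()))
+                goto error;
             m_gcBuffer.append(outArray);
             outputObjectStack.append(outArray);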
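Review bot: `length` here appears to come from the serialized byte stream (its read is above the hunk), so this check is what stops an out-of-range, attacker-supplied length from turning into a null `outArray` pushed onto `outputObjectStack` and `m_gcBuffer`; that reasoning is worth a comment, e.g. `// length is read from the untrusted stream; an invalid array length throws and constructEmptyArray returns null.` The `error` label is outside the hunk, so I cannot see whether it clears or propagates the exception that is now left pending; worth confirming it does not assert on a set exception. This is also the only new check in the WebCore files that tests `m_exec->hadException()` on a member rather than a local `vm`, which is fine for a class member but differs from the rest of the commit.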