Changeset 201787 in webkit

Timestamp:

Jun 7, 2016, 7:53:32 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

Need an exception check after constructEmptyArray().
​https://bugs.webkit.org/show_bug.cgi?id=158411

Reviewed by Saam Barati.

Source/JavaScriptCore:

Added an exception check after each call to constructEmptyArray().

• inspector/JSInjectedScriptHost.cpp:

(Inspector::JSInjectedScriptHost::getInternalProperties):
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):

• interpreter/ShadowChicken.cpp:

(JSC::ShadowChicken::functionsOnStack):

• profiler/ProfilerBytecodeSequence.cpp:

(JSC::Profiler::BytecodeSequence::addSequenceProperties):

• profiler/ProfilerCompilation.cpp:

(JSC::Profiler::Compilation::toJS):

• profiler/ProfilerDatabase.cpp:

(JSC::Profiler::Database::toJS):

• profiler/ProfilerOSRExitSite.cpp:

(JSC::Profiler::OSRExitSite::toJS):

• profiler/ProfilerOriginStack.cpp:

(JSC::Profiler::OriginStack::toJS):

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

• runtime/ModuleLoaderObject.cpp:

(JSC::moduleLoaderObjectRequestedModules):

• runtime/ObjectConstructor.cpp:

(JSC::ownPropertyKeys):

• runtime/RegExpObject.cpp:

(JSC::collectMatches):

• runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncSplitFast):

• runtime/StringPrototype.cpp:

(JSC::stringProtoFuncSplitFast):

• runtime/TemplateRegistry.cpp:

(JSC::TemplateRegistry::getTemplateObject):

• tests/stress/regress-158411.js: Added.

Source/WebCore:

A stress test for this was added in JavaScriptCore.

• bindings/js/IDBBindingUtilities.cpp:

(WebCore::toJS):

• bindings/js/JSCommandLineAPIHostCustom.cpp:

(WebCore::getJSListenerFunctions):

• bindings/js/JSCryptoKeySerializationJWK.cpp:

(WebCore::buildJSONForRSAComponents):
(WebCore::addBoolToJSON):
(WebCore::addUsagesToJSON):
(WebCore::JSCryptoKeySerializationJWK::serialize):

• bindings/js/JSDOMBinding.h:

(WebCore::toJS):

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::deserialize):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/inspector/JSInjectedScriptHost.cpp (modified) (17 diffs)
• JavaScriptCore/interpreter/ShadowChicken.cpp (modified) (1 diff)
• JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp (modified) (1 diff)
• JavaScriptCore/profiler/ProfilerCompilation.cpp (modified) (1 diff)
• JavaScriptCore/profiler/ProfilerDatabase.cpp (modified) (1 diff)
• JavaScriptCore/profiler/ProfilerOSRExitSite.cpp (modified) (1 diff)
• JavaScriptCore/profiler/ProfilerOriginStack.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (11 diffs)
• JavaScriptCore/runtime/LiteralParser.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ModuleLoaderObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/RegExpObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/RegExpPrototype.cpp (modified) (1 diff)
• JavaScriptCore/runtime/StringPrototype.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/TemplateRegistry.cpp (modified) (2 diffs)
• JavaScriptCore/tests/stress/regress-158411.js (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/IDBBindingUtilities.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp (modified) (4 diffs)
• WebCore/bindings/js/JSDOMBinding.h (modified) (2 diffs)
• WebCore/bindings/js/SerializedScriptValue.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog ¶

@@ +1 @@
+2016-06-07  Mark Lam  <mark.lam@apple.com>
+
+        Need an exception check after constructEmptyArray().
+        https://bugs.webkit.org/show_bug.cgi?id=158411
+
+        Reviewed by Saam Barati.
+
+        Added an exception check after each call to constructEmptyArray().
+
+        * inspector/JSInjectedScriptHost.cpp:
+        (Inspector::JSInjectedScriptHost::getInternalProperties):
+        (Inspector::JSInjectedScriptHost::weakMapEntries):
+        (Inspector::JSInjectedScriptHost::weakSetEntries):
+        (Inspector::JSInjectedScriptHost::iteratorEntries):
+        * interpreter/ShadowChicken.cpp:
+        (JSC::ShadowChicken::functionsOnStack):
+        * profiler/ProfilerBytecodeSequence.cpp:
+        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
+        * profiler/ProfilerCompilation.cpp:
+        (JSC::Profiler::Compilation::toJS):
+        * profiler/ProfilerDatabase.cpp:
+        (JSC::Profiler::Database::toJS):
+        * profiler/ProfilerOSRExitSite.cpp:
+        (JSC::Profiler::OSRExitSite::toJS):
+        * profiler/ProfilerOriginStack.cpp:
+        (JSC::Profiler::OriginStack::toJS):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSplice):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/ModuleLoaderObject.cpp:
+        (JSC::moduleLoaderObjectRequestedModules):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::ownPropertyKeys):
+        * runtime/RegExpObject.cpp:
+        (JSC::collectMatches):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::regExpProtoFuncSplitFast):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncSplitFast):
+        * runtime/TemplateRegistry.cpp:
+        (JSC::TemplateRegistry::getTemplateObject):
+
+        * tests/stress/regress-158411.js: Added.
+
 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp ¶

@@ -258 +258 @@
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
 
@@ -263 +264 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         switch (promise->status(exec->vm())) {
         case JSPromise::Status::Pending:
@@ -283 +286 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "targetFunction", boundFunction->targetFunction()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundThis", boundFunction->boundThis()));
@@ -293 +298 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("target"), proxy->target()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("handler"), proxy->handler()));
@@ -305 +312 @@
             unsigned index = 0;
             JSArray* array = constructEmptyArray(exec, nullptr, 2);
+            if (UNLIKELY(vm.exception()))
+                return jsUndefined();
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", iteratedValue));
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", kind));
@@ -326 +335 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", arrayIterator->iteratedValue(exec)));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
@@ -346 +357 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "map", mapIterator->iteratedValue()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
@@ -366 +379 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "set", setIterator->iteratedValue()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
@@ -374 +389 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 1);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "string", stringIterator->iteratedValue(exec)));
         return array;
@@ -381 +398 @@
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 1);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "object", propertyNameIterator->iteratedValue()));
         return array;
@@ -406 +425 @@
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
     JSWeakMap* weakMap = jsDynamicCast<JSWeakMap*>(value);
@@ -420 +440 @@
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = weakMap->weakMapData()->begin(); it != weakMap->weakMapData()->end(); ++it) {
         JSObject* entry = constructEmptyObject(exec);
@@ -450 +472 @@
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
     JSWeakSet* weakSet = jsDynamicCast<JSWeakSet*>(value);
@@ -464 +487 @@
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = weakSet->weakMapData()->begin(); it != weakSet->weakMapData()->end(); ++it) {
         JSObject* entry = constructEmptyObject(exec);
@@ -502 +527 @@
     else if (JSPropertyNameIterator* propertyNameIterator = jsDynamicCast<JSPropertyNameIterator*>(value)) {
         iterator = propertyNameIterator->clone(exec);
-        if (UNLIKELY(exec->hadException()))
+        if (UNLIKELY(vm.exception()))
             return JSValue();
     } else {
@@ -522 +547 @@
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
 
     for (unsigned i = 0; i < numberToFetch; ++i) {
         JSValue next = iteratorStep(exec, iterator);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             break;
         if (next.isFalse())
@@ -531 +558 @@
 
         JSValue nextValue = iteratorValue(exec, next);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             break;
 

trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp ¶

@@ -436 +436 @@
 JSArray* ShadowChicken::functionsOnStack(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     iterate(
-        exec->vm(), exec,
+        vm, exec,
         [&] (const Frame& frame) -> bool {
             result->push(exec, frame.callee);

trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp ¶

@@ -78 +78 @@
 void BytecodeSequence::addSequenceProperties(ExecState* exec, JSObject* result) const
 {
+    VM& vm = exec->vm();
     JSArray* header = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return;
     for (unsigned i = 0; i < m_header.size(); ++i)
         header->putDirectIndex(exec, i, jsString(exec, String::fromUTF8(m_header[i])));
-    result->putDirect(exec->vm(), exec->propertyNames().header, header);
+    result->putDirect(vm, exec->propertyNames().header, header);
     
     JSArray* sequence = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return;
     for (unsigned i = 0; i < m_sequence.size(); ++i)
         sequence->putDirectIndex(exec, i, m_sequence[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().bytecode, sequence);
+    result->putDirect(vm, exec->propertyNames().bytecode, sequence);
 }
 

trunk/Source/JavaScriptCore/profiler/ProfilerCompilation.cpp ¶

@@ -115 +115 @@
 JSValue Compilation::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSObject* result = constructEmptyObject(exec);
-    
-    result->putDirect(exec->vm(), exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
-    result->putDirect(exec->vm(), exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
+    result->putDirect(vm, exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
+    result->putDirect(vm, exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
     
     JSArray* profiledBytecodes = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_profiledBytecodes.size(); ++i)
         profiledBytecodes->putDirectIndex(exec, i, m_profiledBytecodes[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().profiledBytecodes, profiledBytecodes);
+    result->putDirect(vm, exec->propertyNames().profiledBytecodes, profiledBytecodes);
     
     JSArray* descriptions = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_descriptions.size(); ++i)
         descriptions->putDirectIndex(exec, i, m_descriptions[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().descriptions, descriptions);
+    result->putDirect(vm, exec->propertyNames().descriptions, descriptions);
     
     JSArray* counters = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = m_counters.begin(), end = m_counters.end(); it != end; ++it) {
         JSObject* counterEntry = constructEmptyObject(exec);
-        counterEntry->putDirect(exec->vm(), exec->propertyNames().origin, it->key.toJS(exec));
-        counterEntry->putDirect(exec->vm(), exec->propertyNames().executionCount, jsNumber(it->value->count()));
+        counterEntry->putDirect(vm, exec->propertyNames().origin, it->key.toJS(exec));
+        counterEntry->putDirect(vm, exec->propertyNames().executionCount, jsNumber(it->value->count()));
         counters->push(exec, counterEntry);
     }
-    result->putDirect(exec->vm(), exec->propertyNames().counters, counters);
+    result->putDirect(vm, exec->propertyNames().counters, counters);
     
     JSArray* exitSites = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_osrExitSites.size(); ++i)
         exitSites->putDirectIndex(exec, i, m_osrExitSites[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().osrExitSites, exitSites);
+    result->putDirect(vm, exec->propertyNames().osrExitSites, exitSites);
     
     JSArray* exits = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_osrExits.size(); ++i)
         exits->putDirectIndex(exec, i, m_osrExits[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().osrExits, exits);
+    result->putDirect(vm, exec->propertyNames().osrExits, exits);
     
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
-    result->putDirect(exec->vm(), exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
+    result->putDirect(vm, exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
+    result->putDirect(vm, exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
+    result->putDirect(vm, exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
+    result->putDirect(vm, exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
     if (!m_additionalJettisonReason.isNull())
-        result->putDirect(exec->vm(), exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
+        result->putDirect(vm, exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
     
-    result->putDirect(exec->vm(), exec->propertyNames().uid, m_uid.toJS(exec));
+    result->putDirect(vm, exec->propertyNames().uid, m_uid.toJS(exec));
     
     return result;

trunk/Source/JavaScriptCore/profiler/ProfilerDatabase.cpp ¶

@@ -100 +100 @@
 JSValue Database::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSObject* result = constructEmptyObject(exec);
     
     JSArray* bytecodes = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_bytecodes.size(); ++i)
         bytecodes->putDirectIndex(exec, i, m_bytecodes[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().bytecodes, bytecodes);
+    result->putDirect(vm, exec->propertyNames().bytecodes, bytecodes);
     
     JSArray* compilations = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_compilations.size(); ++i)
         compilations->putDirectIndex(exec, i, m_compilations[i]->toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().compilations, compilations);
+    result->putDirect(vm, exec->propertyNames().compilations, compilations);
     
     JSArray* events = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_events.size(); ++i)
         events->putDirectIndex(exec, i, m_events[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().events, events);
+    result->putDirect(vm, exec->propertyNames().events, events);
     
     return result;

trunk/Source/JavaScriptCore/profiler/ProfilerOSRExitSite.cpp ¶

@@ -37 +37 @@
 JSValue OSRExitSite::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_codeAddresses.size(); ++i)
         result->putDirectIndex(exec, i, jsString(exec, toString(RawPointer(m_codeAddresses[i]))));

trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp ¶

@@ -101 +101 @@
 JSValue OriginStack::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     
     for (unsigned i = 0; i < m_stack.size(); ++i)

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp ¶

@@ -591 +591 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
     unsigned argCount = exec->argumentCount();
@@ -611 +612 @@
             // Can't use JSArray::length here because this might be a RuntimeArray!
             finalArraySize += getLength(exec, currentArray);
-            if (exec->hadException())
+            if (UNLIKELY(vm.exception()))
                 return JSValue::encode(jsUndefined());
         } else
@@ -637 +638 @@
         // We add the newTarget because the compiler gets confused between 0 being a number and a pointer.
         result = constructEmptyArray(exec, nullptr, 0, JSValue());
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
 
     curArg = thisValue.toObject(exec);
-    ASSERT(!exec->hadException());
+    ASSERT(!vm.exception());
     unsigned n = 0;
     for (unsigned i = 0; ; ++i) {
@@ -648 +649 @@
             // Can't use JSArray::length here because this might be a RuntimeArray!
             unsigned length = getLength(exec, currentArray);
-            if (exec->hadException())
+            if (UNLIKELY(vm.exception()))
                 return JSValue::encode(jsUndefined());
             for (unsigned k = 0; k < length; ++k) {
                 JSValue v = getProperty(exec, currentArray, k);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 if (v)
@@ -847 +848 @@
 {
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
+    VM& vm = exec->vm();
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
     if (!thisObj)
         return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
@@ -870 +872 @@
     if (speciesResult.first == SpeciesConstructResult::CreatedObject)
         result = speciesResult.second;
-    else
+    else {
         result = constructEmptyArray(exec, nullptr, end - begin);
+        if (UNLIKELY(vm.exception()))
+            return JSValue::encode(jsUndefined());
+    }
 
     unsigned n = 0;
     for (unsigned k = begin; k < end; k++, n++) {
         JSValue v = getProperty(exec, thisObj, k);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
         if (v)
@@ -895 +900 @@
         return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
@@ -906 +911 @@
         if (speciesResult.first == SpeciesConstructResult::CreatedObject)
             result = speciesResult.second;
-        else
+        else {
             result = constructEmptyArray(exec, nullptr);
+            if (UNLIKELY(vm.exception()))
+                return JSValue::encode(jsUndefined());
+        }
 
         setLength(exec, result, 0);
@@ -940 +948 @@
             for (unsigned k = 0; k < deleteCount; ++k) {
                 JSValue v = getProperty(exec, thisObj, k + begin);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 result->putByIndexInline(exec, k, v, true);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
             }
@@ -953 +961 @@
             for (unsigned k = 0; k < deleteCount; ++k) {
                 JSValue v = getProperty(exec, thisObj, k + begin);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 result->initializeIndex(vm, k, v);
@@ -963 +971 @@
     if (additionalArgs < deleteCount) {
         shift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     } else if (additionalArgs > deleteCount) {
         unshift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
     for (unsigned k = 0; k < additionalArgs; ++k) {
         thisObj->putByIndexInline(exec, k + begin, exec->uncheckedArgument(k + 2), true);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }

trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp ¶

@@ -584 +584 @@
             case StartParseArray: {
                 JSArray* array = constructEmptyArray(m_exec, 0);
+                if (UNLIKELY(m_exec->hadException()))
+                    return JSValue();
                 objectStack.append(array);
             }

trunk/Source/JavaScriptCore/runtime/ModuleLoaderObject.cpp ¶

@@ -298 +298 @@
 
     JSArray* result = constructEmptyArray(exec, nullptr, moduleRecord->requestedModules().size());
+    if (UNLIKELY(exec->hadException()))
+        JSValue::encode(jsUndefined());
     size_t i = 0;
     for (auto& key : moduleRecord->requestedModules())

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp ¶

@@ -704 +704 @@
 JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode propertyNameMode, DontEnumPropertiesMode dontEnumPropertiesMode)
 {
+    VM& vm = exec->vm();
     PropertyNameArray properties(exec, propertyNameMode);
-    object->methodTable(exec->vm())->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
-    if (exec->hadException())
+    object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
+    if (UNLIKELY(vm.exception()))
         return nullptr;
 
     JSArray* keys = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     switch (propertyNameMode) {
@@ -728 +731 @@
             ASSERT(identifier.isSymbol());
             if (!exec->propertyNames().isPrivateName(identifier))
-                keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+                keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
         }
         break;
@@ -747 +750 @@
         // To ensure the order defined in the spec (9.1.12), we append symbols at the last elements of keys.
         for (const auto& identifier : propertySymbols)
-            keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+            keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
 
         break;

trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp ¶

@@ -180 +180 @@
     
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
 
     auto iterate = [&] () {

trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp ¶

@@ -564 +564 @@
     // 12. Let lengthA be 0.
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
     unsigned resultLength = 0;
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp ¶

@@ -1083 +1083 @@
 EncodedJSValue JSC_HOST_CALL stringProtoFuncSplitFast(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSValue thisValue = exec->thisValue();
     ASSERT(checkObjectCoercible(thisValue));
@@ -1089 +1090 @@
     // 7. Let s be the number of characters in S.
     String input = thisValue.toString(exec)->value(exec);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
     ASSERT(!input.isNull());
@@ -1096 +1097 @@
     //    where Array is the standard built-in constructor with that name.
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
 
     // 5. Let lengthA be 0.
@@ -1111 +1114 @@
     JSValue separatorValue = exec->uncheckedArgument(0);
     String separator = separatorValue.toString(exec)->value(exec);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 

trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp ¶

@@ -46 +46 @@
         return cached;
 
+    VM& vm = exec->vm();
     unsigned count = templateKey.cookedStrings().size();
     JSArray* templateObject = constructEmptyArray(exec, nullptr, count);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     JSArray* rawObject = constructEmptyArray(exec, nullptr, count);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     for (unsigned index = 0; index < count; ++index) {
@@ -58 +63 @@
     ASSERT(!exec->hadException());
 
-    templateObject->putDirect(exec->vm(), exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
+    templateObject->putDirect(vm, exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
 
     objectConstructorFreeze(exec, templateObject);

trunk/Source/WebCore/ChangeLog ¶

@@ +1 @@
+2016-06-07  Mark Lam  <mark.lam@apple.com>
+
+        Need an exception check after constructEmptyArray().
+        https://bugs.webkit.org/show_bug.cgi?id=158411
+
+        Reviewed by Saam Barati.
+
+        A stress test for this was added in JavaScriptCore.
+
+        * bindings/js/IDBBindingUtilities.cpp:
+        (WebCore::toJS):
+        * bindings/js/JSCommandLineAPIHostCustom.cpp:
+        (WebCore::getJSListenerFunctions):
+        * bindings/js/JSCryptoKeySerializationJWK.cpp:
+        (WebCore::buildJSONForRSAComponents):
+        (WebCore::addBoolToJSON):
+        (WebCore::addUsagesToJSON):
+        (WebCore::JSCryptoKeySerializationJWK::serialize):
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::toJS):
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::deserialize):
+
 2016-06-07  Antoine Quint  <graouts@apple.com>
 

trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp ¶

@@ -89 +89 @@
     }
 
-    Locker<JSLock> locker(state.vm().apiLock());
+    VM& vm = state.vm();
+    Locker<JSLock> locker(vm.apiLock());
 
     switch (key->type()) {
@@ -95 +96 @@
         auto& inArray = key->array();
         unsigned size = inArray.size();
-        auto& outArray = *constructEmptyArray(&state, 0, &globalObject, size);
+        auto outArray = constructEmptyArray(&state, 0, &globalObject, size);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         for (size_t i = 0; i < size; ++i)
-            outArray.putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
-        return &outArray;
+            outArray->putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
+        return outArray;
     }
     case KeyType::String:

trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp ¶

@@ -68 +68 @@
 static JSArray* getJSListenerFunctions(ExecState& state, Document* document, const EventListenerInfo& listenerInfo)
 {
+    VM& vm = state.vm();
     JSArray* result = constructEmptyArray(&state, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     size_t handlersCount = listenerInfo.eventListenerVector.size();
     for (size_t i = 0, outputIndex = 0; i < handlersCount; ++i) {
@@ -86 +89 @@
 
         JSObject* listenerEntry = constructEmptyObject(&state);
-        listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "listener"), function);
-        listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
+        listenerEntry->putDirect(vm, Identifier::fromString(&state, "listener"), function);
+        listenerEntry->putDirect(vm, Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
         result->putDirectIndex(&state, outputIndex++, JSValue(listenerEntry));
     }

trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp ¶

@@ -535 +535 @@
         return;
 
+    VM& vm = exec->vm();
     JSArray* oth = constructEmptyArray(exec, 0, exec->lexicalGlobalObject(), data.otherPrimeInfos().size());
+    if (UNLIKELY(vm.exception()))
+        return;
     for (size_t i = 0, size = data.otherPrimeInfos().size(); i < size; ++i) {
         JSObject* jsPrimeInfo = constructEmptyObject(exec);
@@ -543 +546 @@
         oth->putDirectIndex(exec, i, jsPrimeInfo);
     }
-    result->putDirect(exec->vm(), Identifier::fromString(exec, "oth"), oth);
+    result->putDirect(vm, Identifier::fromString(exec, "oth"), oth);
 }
 
@@ -656 +659 @@
 static void addUsagesToJSON(ExecState* exec, JSObject* json, CryptoKeyUsage usages)
 {
+    VM& vm = exec->vm();
     JSArray* keyOps = constructEmptyArray(exec, 0, exec->lexicalGlobalObject(), 0);
+    if (UNLIKELY(vm.exception()))
+        return;
 
     unsigned index = 0;
@@ -676 +682 @@
         keyOps->putDirectIndex(exec, index++, jsNontrivialString(exec, ASCIILiteral("deriveBits")));
 
-    json->putDirect(exec->vm(), Identifier::fromString(exec, "key_ops"), keyOps);
+    json->putDirect(vm, Identifier::fromString(exec, "key_ops"), keyOps);
 }
 

trunk/Source/WebCore/bindings/js/JSDOMBinding.h ¶

@@ -541 +541 @@
 {
     JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
+    if (UNLIKELY(exec->hadException()))
+        return JSC::jsUndefined();
     for (size_t i = 0; i < vector.size(); ++i)
         array->putDirectIndex(exec, i, toJS(exec, globalObject, vector[i]));
@@ -549 +551 @@
 {
     JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
+    if (UNLIKELY(exec->hadException()))
+        return JSC::jsUndefined();
     for (size_t i = 0; i < vector.size(); ++i)
         array->putDirectIndex(exec, i, toJS(exec, globalObject, vector[i].get()));

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp ¶

@@ -2464 +2464 @@
             }
             JSArray* outArray = constructEmptyArray(m_exec, 0, m_globalObject, length);
+            if (UNLIKELY(m_exec->hadException()))
+                goto error;
             m_gcBuffer.append(outArray);
             outputObjectStack.append(outArray);