Changeset 209020 in webkit
- Timestamp:
- Nov 28, 2016 2:29:39 PM (7 years ago)
- Location:
- trunk/Source
- Files:
-
- 5 edited
trunk/Source/JavaScriptCore/ChangeLog
r209018 r209020 1 2016-11-28 Mark Lam <mark.lam@apple.com> 2 3 Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp. 4 https://bugs.webkit.org/show_bug.cgi?id=165051 5 6 Reviewed by Saam Barati. 7 8 Also, 9 1. Replaced returning JSValue() with returning { }. 10 2. Replaced uses of exec->propertyNames() with vm.propertyNames. 11 12 * runtime/ObjectConstructor.cpp: 13 (JSC::constructObject): 14 (JSC::objectConstructorGetPrototypeOf): 15 (JSC::objectConstructorGetOwnPropertyDescriptor): 16 (JSC::objectConstructorGetOwnPropertyDescriptors): 17 (JSC::objectConstructorGetOwnPropertyNames): 18 (JSC::objectConstructorGetOwnPropertySymbols): 19 (JSC::objectConstructorKeys): 20 (JSC::ownEnumerablePropertyKeys): 21 (JSC::toPropertyDescriptor): 22 (JSC::defineProperties): 23 (JSC::objectConstructorDefineProperties): 24 (JSC::objectConstructorCreate): 25 (JSC::setIntegrityLevel): 26 (JSC::objectConstructorSeal): 27 (JSC::objectConstructorPreventExtensions): 28 (JSC::objectConstructorIsSealed): 29 (JSC::objectConstructorIsFrozen): 30 (JSC::ownPropertyKeys): 31 * runtime/ObjectPrototype.cpp: 32 (JSC::objectProtoFuncValueOf): 33 (JSC::objectProtoFuncHasOwnProperty): 34 (JSC::objectProtoFuncIsPrototypeOf): 35 (JSC::objectProtoFuncDefineGetter): 36 (JSC::objectProtoFuncDefineSetter): 37 (JSC::objectProtoFuncLookupGetter): 38 (JSC::objectProtoFuncLookupSetter): 39 (JSC::objectProtoFuncToLocaleString): 40 (JSC::objectProtoFuncToString): 41 1 42 2016-11-26 Mark Lam <mark.lam@apple.com> 2 43 -
trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
r206948 r209020 134 134 135 135 // 3. Return ToObject(value). 136 scope.release(); 136 137 return arg.toObject(exec, globalObject); 137 138 } … … 165 166 JSObject* object = exec->argument(0).toObject(exec); 166 167 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 167 return JSValue::encode(object->getPrototype(exec->vm(), exec)); 168 scope.release(); 169 return JSValue::encode(object->getPrototype(vm, exec)); 168 170 } 169 171 … … 195 197 auto scope = DECLARE_THROW_SCOPE(vm); 196 198 PropertyDescriptor descriptor; 197 if (!object->getOwnPropertyDescriptor(exec, propertyName, descriptor)) 199 if (!object->getOwnPropertyDescriptor(exec, propertyName, descriptor)) { 200 scope.release(); 198 201 return jsUndefined(); 199 RETURN_IF_EXCEPTION(scope, JSValue()); 202 } 203 RETURN_IF_EXCEPTION(scope, { }); 200 204 201 205 JSObject* result = constructObjectFromPropertyDescriptor(exec, descriptor); 206 ASSERT(!!scope.exception() == !result); 202 207 if (!result) 203 208 return jsUndefined(); … … 211 216 PropertyNameArray properties(exec, PropertyNameMode::StringsAndSymbols); 212 217 object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(DontEnumPropertiesMode::Include)); 213 RETURN_IF_EXCEPTION(scope, JSValue());218 RETURN_IF_EXCEPTION(scope, { }); 214 219 215 220 JSObject* descriptors = constructEmptyObject(exec); 216 RETURN_IF_EXCEPTION(scope, JSValue());221 RETURN_IF_EXCEPTION(scope, { }); 217 222 218 223 for (auto& propertyName : properties) { 219 224 PropertyDescriptor descriptor; 220 225 bool didGetDescriptor = object->getOwnPropertyDescriptor(exec, propertyName, descriptor); 221 RETURN_IF_EXCEPTION(scope, JSValue());226 RETURN_IF_EXCEPTION(scope, { }); 222 227 223 228 if (!didGetDescriptor) … … 225 230 226 231 JSObject* fromDescriptor = constructObjectFromPropertyDescriptor(exec, descriptor); 232 ASSERT(!!scope.exception() == !fromDescriptor); 227 233 if (!fromDescriptor) 228 234 return jsUndefined(); … … 244 250 auto propertyName = 
exec->argument(1).toPropertyKey(exec); 245 251 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 252 scope.release(); 246 253 return JSValue::encode(objectConstructorGetOwnPropertyDescriptor(exec, object, propertyName)); 247 254 } … … 253 260 JSObject* object = exec->argument(0).toObject(exec); 254 261 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 262 scope.release(); 255 263 return JSValue::encode(objectConstructorGetOwnPropertyDescriptors(exec, object)); 256 264 } … … 263 271 JSObject* object = exec->argument(0).toObject(exec); 264 272 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 273 scope.release(); 265 274 return JSValue::encode(ownPropertyKeys(exec, object, PropertyNameMode::Strings, DontEnumPropertiesMode::Include)); 266 275 } … … 273 282 JSObject* object = exec->argument(0).toObject(exec); 274 283 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 284 scope.release(); 275 285 return JSValue::encode(ownPropertyKeys(exec, object, PropertyNameMode::Symbols, DontEnumPropertiesMode::Include)); 276 286 } … … 283 293 JSObject* object = exec->argument(0).toObject(exec); 284 294 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 295 scope.release(); 285 296 return JSValue::encode(ownPropertyKeys(exec, object, PropertyNameMode::Strings, DontEnumPropertiesMode::Exclude)); 286 297 } … … 292 303 JSObject* object = exec->argument(0).toObject(exec); 293 304 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 305 scope.release(); 294 306 return JSValue::encode(ownPropertyKeys(exec, object, PropertyNameMode::StringsAndSymbols, DontEnumPropertiesMode::Exclude)); 295 307 } … … 308 320 JSObject* description = asObject(in); 309 321 310 if (description->hasProperty(exec, exec->propertyNames().enumerable)) { 311 JSValue value = description->get(exec, exec->propertyNames().enumerable); 322 bool hasProperty = description->hasProperty(exec, vm.propertyNames->enumerable); 323 ASSERT(!scope.exception() || !hasProperty); 324 if (hasProperty) { 325 JSValue value = description->get(exec, 
vm.propertyNames->enumerable); 312 326 RETURN_IF_EXCEPTION(scope, false); 313 327 desc.setEnumerable(value.toBoolean(exec)); … … 315 329 RETURN_IF_EXCEPTION(scope, false); 316 330 317 if (description->hasProperty(exec, exec->propertyNames().configurable)) { 318 JSValue value = description->get(exec, exec->propertyNames().configurable); 331 hasProperty = description->hasProperty(exec, vm.propertyNames->configurable); 332 ASSERT(!scope.exception() || !hasProperty); 333 if (hasProperty) { 334 JSValue value = description->get(exec, vm.propertyNames->configurable); 319 335 RETURN_IF_EXCEPTION(scope, false); 320 336 desc.setConfigurable(value.toBoolean(exec)); … … 323 339 324 340 JSValue value; 325 if (description->hasProperty(exec, exec->propertyNames().value)) { 326 JSValue value = description->get(exec, exec->propertyNames().value); 341 hasProperty = description->hasProperty(exec, vm.propertyNames->value); 342 ASSERT(!scope.exception() || !hasProperty); 343 if (hasProperty) { 344 JSValue value = description->get(exec, vm.propertyNames->value); 327 345 RETURN_IF_EXCEPTION(scope, false); 328 346 desc.setValue(value); … … 330 348 RETURN_IF_EXCEPTION(scope, false); 331 349 332 if (description->hasProperty(exec, exec->propertyNames().writable)) { 333 JSValue value = description->get(exec, exec->propertyNames().writable); 350 hasProperty = description->hasProperty(exec, vm.propertyNames->writable); 351 ASSERT(!scope.exception() || !hasProperty); 352 if (hasProperty) { 353 JSValue value = description->get(exec, vm.propertyNames->writable); 334 354 RETURN_IF_EXCEPTION(scope, false); 335 355 desc.setWritable(value.toBoolean(exec)); … … 337 357 RETURN_IF_EXCEPTION(scope, false); 338 358 339 if (description->hasProperty(exec, exec->propertyNames().get)) { 340 JSValue get = description->get(exec, exec->propertyNames().get); 359 hasProperty = description->hasProperty(exec, vm.propertyNames->get); 360 ASSERT(!scope.exception() || !hasProperty); 361 if (hasProperty) { 362 JSValue 
get = description->get(exec, vm.propertyNames->get); 341 363 RETURN_IF_EXCEPTION(scope, false); 342 364 if (!get.isUndefined()) { … … 351 373 RETURN_IF_EXCEPTION(scope, false); 352 374 353 if (description->hasProperty(exec, exec->propertyNames().set)) { 354 JSValue set = description->get(exec, exec->propertyNames().set); 375 hasProperty = description->hasProperty(exec, vm.propertyNames->set); 376 ASSERT(!scope.exception() || !hasProperty); 377 if (hasProperty) { 378 JSValue set = description->get(exec, vm.propertyNames->set); 355 379 RETURN_IF_EXCEPTION(scope, false); 356 380 if (!set.isUndefined()) { … … 409 433 PropertyNameArray propertyNames(exec, PropertyNameMode::StringsAndSymbols); 410 434 asObject(properties)->methodTable(vm)->getOwnPropertyNames(asObject(properties), exec, propertyNames, EnumerationMode(DontEnumPropertiesMode::Exclude)); 411 RETURN_IF_EXCEPTION(scope, JSValue());435 RETURN_IF_EXCEPTION(scope, { }); 412 436 size_t numProperties = propertyNames.size(); 413 437 Vector<PropertyDescriptor> descriptors; … … 415 439 for (size_t i = 0; i < numProperties; i++) { 416 440 JSValue prop = properties->get(exec, propertyNames[i]); 417 RETURN_IF_EXCEPTION(scope, JSValue());441 RETURN_IF_EXCEPTION(scope, { }); 418 442 PropertyDescriptor descriptor; 419 if (!toPropertyDescriptor(exec, prop, descriptor)) 443 bool success = toPropertyDescriptor(exec, prop, descriptor); 444 ASSERT(!scope.exception() || !success); 445 if (UNLIKELY(!success)) 420 446 return jsNull(); 421 447 descriptors.append(descriptor); … … 432 458 for (size_t i = 0; i < numProperties; i++) { 433 459 Identifier propertyName = propertyNames[i]; 434 if ( exec->propertyNames().isPrivateName(propertyName))460 if (vm.propertyNames->isPrivateName(propertyName)) 435 461 continue; 436 462 object->methodTable(vm)->defineOwnProperty(object, exec, propertyName, descriptors[i], true); 437 RETURN_IF_EXCEPTION(scope, JSValue());463 RETURN_IF_EXCEPTION(scope, { }); 438 464 } 439 465 return object; … … 449 
475 JSObject* targetObj = asObject(exec->argument(0)); 450 476 JSObject* props = exec->argument(1).toObject(exec); 451 if (!props) 452 return JSValue::encode(JSValue()); 477 ASSERT(!!scope.exception() == !props); 478 if (UNLIKELY(!props)) 479 return encodedJSValue(); 480 scope.release(); 453 481 return JSValue::encode(defineProperties(exec, targetObj, props)); 454 482 } … … 469 497 if (!exec->argument(1).isObject()) 470 498 return throwVMTypeError(exec, scope, ASCIILiteral("Property descriptor list must be an Object.")); 499 scope.release(); 471 500 return JSValue::encode(defineProperties(exec, newObject, asObject(exec->argument(1)))); 472 501 } … … 502 531 desc.setConfigurable(false); 503 532 else { 504 if (!object->getOwnPropertyDescriptor(exec, propertyName, desc)) 533 bool hasPropertyDescriptor = object->getOwnPropertyDescriptor(exec, propertyName, desc); 534 RETURN_IF_EXCEPTION(scope, false); 535 if (!hasPropertyDescriptor) 505 536 continue; 506 537 … … 535 566 bool success = setIntegrityLevel<IntegrityLevel::Sealed>(exec, vm, object); 536 567 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 537 if ( !success) {568 if (UNLIKELY(!success)) { 538 569 throwTypeError(exec, scope, ASCIILiteral("Unable to prevent extension in Object.seal")); 539 570 return encodedJSValue(); … … 575 606 EncodedJSValue JSC_HOST_CALL objectConstructorPreventExtensions(ExecState* exec) 576 607 { 608 VM& vm = exec->vm(); 577 609 JSValue argument = exec->argument(0); 578 610 if (!argument.isObject()) 579 611 return JSValue::encode(argument); 580 612 JSObject* object = asObject(argument); 581 object->methodTable( exec->vm())->preventExtensions(object, exec);613 object->methodTable(vm)->preventExtensions(object, exec); 582 614 return JSValue::encode(object); 583 615 } … … 604 636 for (PropertyNameArray::const_iterator iter = properties.begin(); iter != end; ++iter) { 605 637 Identifier propertyName = *iter; 606 if ( exec->propertyNames().isPrivateName(propertyName))638 if 
(vm.propertyNames->isPrivateName(propertyName)) 607 639 continue; 608 640 // a. Let desc be the result of calling the [[GetOwnProperty]] internal method of O with P. … … 643 675 for (PropertyNameArray::const_iterator iter = properties.begin(); iter != end; ++iter) { 644 676 Identifier propertyName = *iter; 645 if ( exec->propertyNames().isPrivateName(propertyName))677 if (vm.propertyNames->isPrivateName(propertyName)) 646 678 continue; 647 679 // a. Let desc be the result of calling the [[GetOwnProperty]] internal method of O with P. … … 699 731 ASSERT(!identifier.isSymbol()); 700 732 keys->push(exec, jsOwnedString(exec, identifier.string())); 733 RETURN_IF_EXCEPTION(scope, nullptr); 701 734 } 702 735 break; … … 708 741 const auto& identifier = properties[i]; 709 742 ASSERT(identifier.isSymbol()); 710 if (! exec->propertyNames().isPrivateName(identifier))743 if (!vm.propertyNames->isPrivateName(identifier)) { 711 744 keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl()))); 745 RETURN_IF_EXCEPTION(scope, nullptr); 746 } 712 747 } 713 748 break; … … 720 755 const auto& identifier = properties[i]; 721 756 if (identifier.isSymbol()) { 722 if (! exec->propertyNames().isPrivateName(identifier))757 if (!vm.propertyNames->isPrivateName(identifier)) 723 758 propertySymbols.append(identifier); 724 } else 759 } else { 725 760 keys->push(exec, jsOwnedString(exec, identifier.string())); 761 RETURN_IF_EXCEPTION(scope, nullptr); 762 } 726 763 } 727 764 728 765 // To ensure the order defined in the spec (9.1.12), we append symbols at the last elements of keys. 729 for (const auto& identifier : propertySymbols) 766 for (const auto& identifier : propertySymbols) { 730 767 keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl()))); 768 RETURN_IF_EXCEPTION(scope, nullptr); 769 } 731 770 732 771 break; -
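Review bot: In objectConstructorGetOwnPropertyDescriptor (new lines 199-203) the false branch calls `scope.release()` and returns jsUndefined() before the `RETURN_IF_EXCEPTION` at new line 203, so a getOwnPropertyDescriptor that throws and returns false yields a normal-looking undefined with the exception still pending, and the release keeps the scope verifier from flagging that path. The rest of this section orders the two checks the other way round — objectConstructorGetOwnPropertyDescriptors (new 225-228) and setIntegrityLevel (new 533-536) test the exception first and the bool second — so this function should match: `bool hasDescriptor = object->getOwnPropertyDescriptor(exec, propertyName, descriptor);` `RETURN_IF_EXCEPTION(scope, { });` `if (!hasDescriptor) return jsUndefined();`. Whether the pending exception is still picked up at the host-call boundary I cannot tell from the hunk; the reordering removes the dependence on that. objectConstructorPreventExtensions (new 606-615) still calls preventExtensions with no throw scope and no exception check after it, which presumably is why the verifier stays quiet there, but it deserves a follow-up if preventExtensions can throw.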
trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp
r208985 r209020 84 84 JSValue thisValue = exec->thisValue().toThis(exec, StrictMode); 85 85 JSObject* valueObj = thisValue.toObject(exec); 86 if ( !valueObj)87 return JSValue::encode(JSValue());86 if (UNLIKELY(!valueObj)) 87 return encodedJSValue(); 88 88 return JSValue::encode(valueObj); 89 89 } … … 98 98 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 99 99 JSObject* thisObject = thisValue.toObject(exec); 100 ASSERT(!!scope.exception() == !thisObject); 100 101 if (UNLIKELY(!thisObject)) 101 return JSValue::encode(JSValue());102 return encodedJSValue(); 102 103 103 104 Structure* structure = thisObject->structure(vm); … … 124 125 JSValue thisValue = exec->thisValue().toThis(exec, StrictMode); 125 126 JSObject* thisObj = thisValue.toObject(exec); 126 if (!thisObj) 127 return JSValue::encode(JSValue()); 127 ASSERT(!!scope.exception() == !thisObj); 128 if (UNLIKELY(!thisObj)) 129 return encodedJSValue(); 128 130 129 131 if (!exec->argument(0).isObject()) … … 165 167 166 168 bool shouldThrow = true; 169 scope.release(); 167 170 thisObject->methodTable(vm)->defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow); 168 171 … … 192 195 193 196 bool shouldThrow = true; 197 scope.release(); 194 198 thisObject->methodTable(vm)->defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow); 195 199 … … 209 213 210 214 PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); 211 if (thisObject->getPropertySlot(exec, propertyName, slot)) { 215 bool hasProperty = thisObject->getPropertySlot(exec, propertyName, slot); 216 ASSERT(!scope.exception() || !hasProperty); 217 if (hasProperty) { 212 218 if (slot.isAccessor()) { 213 219 GetterSetter* getterSetter = slot.getterSetter(); … … 237 243 238 244 PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); 239 if (thisObject->getPropertySlot(exec, propertyName, slot)) { 245 bool hasProperty = thisObject->getPropertySlot(exec, propertyName, slot); 246 
ASSERT(!scope.exception() || !hasProperty); 247 if (hasProperty) { 240 248 if (slot.isAccessor()) { 241 249 GetterSetter* getterSetter = slot.getterSetter(); … … 279 287 280 288 // 2. Let toString be the result of calling the [[Get]] internal method of O passing "toString" as the argument. 281 JSValue toString = object->get(exec, exec->propertyNames().toString); 289 JSValue toString = object->get(exec, vm.propertyNames->toString); 290 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 282 291 283 292 // 3. If IsCallable(toString) is false, throw a TypeError exception. … … 288 297 289 298 // 4. Return the result of calling the [[Call]] internal method of toString passing O as the this value and no arguments. 299 scope.release(); 290 300 return JSValue::encode(call(exec, toString, callType, callData, object, exec->emptyList())); 291 301 } … … 300 310 return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString()); 301 311 JSObject* thisObject = thisValue.toObject(exec); 312 ASSERT(!!scope.exception() == !thisObject); 302 313 if (!thisObject) 303 314 return JSValue::encode(jsUndefined()); … … 307 318 return JSValue::encode(result); 308 319 309 PropertyName toStringTagSymbol = exec->propertyNames().toStringTagSymbol; 320 PropertyName toStringTagSymbol = vm.propertyNames->toStringTagSymbol; 321 scope.release(); 310 322 return JSValue::encode(thisObject->getPropertySlot(exec, toStringTagSymbol, [&] (bool found, PropertySlot& toStringTagSlot) -> JSValue { 311 323 if (found) { 312 324 JSValue stringTag = toStringTagSlot.getValue(exec, toStringTagSymbol); 313 RETURN_IF_EXCEPTION(scope, JSValue());325 RETURN_IF_EXCEPTION(scope, { }); 314 326 if (stringTag.isString()) { 315 327 JSRopeString::RopeBuilder ropeBuilder(vm); … … 324 336 } 325 337 326 String tag = thisObject->methodTable( exec->vm())->toStringName(thisObject, exec);327 RETURN_IF_EXCEPTION(scope, JSValue());338 String tag = 
thisObject->methodTable(vm)->toStringName(thisObject, exec); 339 RETURN_IF_EXCEPTION(scope, { }); 328 340 String newString = WTF::tryMakeString("[object ", WTFMove(tag), "]"); 329 341 if (!newString) -
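Review bot: objectProtoFuncValueOf (new lines 85-88) returns encodedJSValue() when toObject yields null but, unlike the sibling hunks in this section (hasOwnProperty at new line 100, isPrototypeOf at new line 127, toString at new line 312), does not assert that a null result coincides with a pending exception; add `ASSERT(!!scope.exception() == !valueObj);` before the `if`, assuming the function declares a throw scope above the hunk (its opening is outside the hunk, so I cannot see it). objectProtoFuncToString (new 312-314) asserts the same invariant but then returns `JSValue::encode(jsUndefined())` where the other three return `encodedJSValue()`; one convention would make the exception-pending return recognisable on sight. Both functions' bodies continue outside the hunks.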
trunk/Source/WebCore/ChangeLog
r209019 r209020 1 2016-11-28 Mark Lam <mark.lam@apple.com> 2 3 Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp. 4 https://bugs.webkit.org/show_bug.cgi?id=165051 5 6 Reviewed by Saam Barati. 7 8 No new tests because this is covered by the existing test 9 http/tests/security/cross-frame-access-object-prototype.html with the help of a 10 new ASSERT in ObjectPrototype.cpp. 11 12 Fixed jsDOMWindowGetOwnPropertySlotRestrictedAccess() to return false when it 13 throws an exception. 14 15 * bindings/js/JSDOMWindowCustom.cpp: 16 (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess): 17 1 18 2016-11-28 Tim Horton <timothy_horton@apple.com> 2 19 -
trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
r208985 r209020 135 135 throwSecurityError(*exec, scope, errorMessage); 136 136 slot.setUndefined(); 137 return true;137 return false; 138 138 } 139 139 … … 149 149 throwSecurityError(*exec, scope, errorMessage); 150 150 slot.setUndefined(); 151 return true;151 return false; 152 152 } 153 153
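Review bot: The two `return false;` lines (new 137 and 151) carry the security-relevant contract of this function but have no comment saying why false is the only correct answer after a throw; the ChangeLog explains it (the new `ASSERT(!scope.exception() || !hasProperty)` checks in ObjectPrototype.cpp require that a thrown exception is reported as "no property found"), but that reasoning lives two files away from the code. Add above the first return, and refer to it at the second: `// Access was refused and a SecurityError is pending; report "not found" so callers that test the return value before checking for an exception (see the hasProperty asserts in ObjectPrototype.cpp) never treat the restricted property as present.` Whether `slot.setUndefined()` is still needed once the function returns false I cannot tell from the hunk; the function's opening and its callers are outside it.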