Changeset 209080 in webkit

Timestamp:

Nov 29, 2016, 11:08:59 AM (8 years ago)

Author:

mark.lam@apple.com

Message:

Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
​https://bugs.webkit.org/show_bug.cgi?id=165053

Reviewed by Saam Barati.

Also replaced returning JSValue() with returning { }.

• runtime/ProxyConstructor.cpp:

(JSC::constructProxyObject):

• runtime/ProxyObject.cpp:

(JSC::ProxyObject::structureForTarget):
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::getOwnPropertySlotCommon):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::putByIndexCommon):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/ProxyConstructor.cpp (modified) (1 diff)
• runtime/ProxyObject.cpp (modified) (32 diffs)

trunk/Source/JavaScriptCore/ChangeLog ¶

@@ +1 @@
+2016-11-29  Mark Lam  <mark.lam@apple.com>
+
+        Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
+        https://bugs.webkit.org/show_bug.cgi?id=165053
+
+        Reviewed by Saam Barati.
+
+        Also replaced returning JSValue() with returning { }.
+
+        * runtime/ProxyConstructor.cpp:
+        (JSC::constructProxyObject):
+        * runtime/ProxyObject.cpp:
+        (JSC::ProxyObject::structureForTarget):
+        (JSC::performProxyGet):
+        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+        (JSC::ProxyObject::performHasProperty):
+        (JSC::ProxyObject::getOwnPropertySlotCommon):
+        (JSC::ProxyObject::performPut):
+        (JSC::ProxyObject::putByIndexCommon):
+        (JSC::performProxyCall):
+        (JSC::performProxyConstruct):
+        (JSC::ProxyObject::performDelete):
+        (JSC::ProxyObject::performPreventExtensions):
+        (JSC::ProxyObject::performIsExtensible):
+        (JSC::ProxyObject::performDefineOwnProperty):
+        (JSC::ProxyObject::performGetOwnPropertyNames):
+        (JSC::ProxyObject::performSetPrototype):
+        (JSC::ProxyObject::performGetPrototype):
+
 2016-11-28  Matt Baker  <mattbaker@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp ¶

@@ -100 +100 @@
     JSValue target = args.at(0);
     JSValue handler = args.at(1);
+    scope.release();
     return JSValue::encode(ProxyObject::create(exec, exec->lexicalGlobalObject(), target, handler));
 }

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp ¶

@@ -75 +75 @@
     JSObject* targetAsObject = jsCast<JSObject*>(target);
     CallData ignoredCallData;
-    bool isCallable = targetAsObject->methodTable()->getCallData(targetAsObject, ignoredCallData) != CallType::None;
+    VM& vm = globalObject->vm();
+    bool isCallable = targetAsObject->methodTable(vm)->getCallData(targetAsObject, ignoredCallData) != CallType::None;
     return isCallable ? globalObject->callableProxyObjectStructure() : globalObject->proxyObjectStructure();
 }
@@ -122 +123 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue();
+        return { };
     }
 
@@ -131 +132 @@
     };
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultGet();
+    }
 
     JSValue handlerValue = proxyObject->handler();
@@ -142 +145 @@
     CallType callType;
     JSValue getHandler = handler->getMethod(exec, callData, callType, vm.propertyNames->get, ASCIILiteral("'get' property of a Proxy's handler object should be callable"));
-    RETURN_IF_EXCEPTION(scope, JSValue());
-
-    if (getHandler.isUndefined())
+    RETURN_IF_EXCEPTION(scope, { });
+
+    if (getHandler.isUndefined()) {
+        scope.release();
         return performDefaultGet();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -152 +157 @@
     arguments.append(receiver);
     JSValue trapResult = call(exec, getHandler, callType, callData, handler, arguments);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     PropertyDescriptor descriptor;
@@ -165 +170 @@
     }
 
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     return trapResult;
@@ -195 +200 @@
     };
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultGetOwnProperty();
+    }
 
     JSValue handlerValue = this->handler();
@@ -209 +216 @@
     JSValue getOwnPropertyDescriptorMethod = handler->getMethod(exec, callData, callType, makeIdentifier(vm, "getOwnPropertyDescriptor"), ASCIILiteral("'getOwnPropertyDescriptor' property of a Proxy's handler should be callable"));
     RETURN_IF_EXCEPTION(scope, false);
-    if (getOwnPropertyDescriptorMethod.isUndefined())
+    if (getOwnPropertyDescriptorMethod.isUndefined()) {
+        scope.release();
         return performDefaultGetOwnProperty();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -257 +266 @@
     bool valid = validateAndApplyPropertyDescriptor(exec, nullptr, propertyName, isExtensible,
         trapResultAsDescriptor, isTargetPropertyDescriptorDefined, targetPropertyDescriptor, throwException);
+    RETURN_IF_EXCEPTION(scope, false);
     if (!valid) {
         throwVMTypeError(exec, scope, ASCIILiteral("Result from 'getOwnPropertyDescriptor' fails the IsCompatiblePropertyDescriptor test"));
@@ -296 +306 @@
     };
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultHasProperty();
+    }
 
     JSValue handlerValue = this->handler();
@@ -310 +322 @@
     JSValue hasMethod = handler->getMethod(exec, callData, callType, vm.propertyNames->has, ASCIILiteral("'has' property of a Proxy's handler should be callable"));
     RETURN_IF_EXCEPTION(scope, false);
-    if (hasMethod.isUndefined())
+    if (hasMethod.isUndefined()) {
+        scope.release();
         return performDefaultHasProperty();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -355 +369 @@
     switch (slot.internalMethodType()) {
     case PropertySlot::InternalMethodType::Get:
+        scope.release();
         return performGet(exec, propertyName, slot);
     case PropertySlot::InternalMethodType::GetOwnProperty:
+        scope.release();
         return performInternalMethodGetOwnProperty(exec, propertyName, slot);
     case PropertySlot::InternalMethodType::HasProperty:
+        scope.release();
         return performHasProperty(exec, propertyName, slot);
     default:
@@ -391 +408 @@
     }
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultPut();
+    }
 
     JSValue handlerValue = this->handler();
@@ -406 +425 @@
     RETURN_IF_EXCEPTION(scope, false);
     JSObject* target = this->target();
-    if (setMethod.isUndefined())
+    if (setMethod.isUndefined()) {
+        scope.release();
         return performDefaultPut();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -461 +482 @@
         return target->methodTable(vm)->put(target, exec, ident.impl(), putValue, slot);
     };
+    scope.release();
     return performPut(exec, putValue, thisValue, ident.impl(), performDefaultPut);
 }
@@ -476 +498 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue::encode(JSValue());
+        return encodedJSValue();
     }
     ProxyObject* proxy = jsCast<ProxyObject*>(exec->callee());
@@ -493 +515 @@
         CallType callType = target->methodTable(vm)->getCallData(target, callData);
         RELEASE_ASSERT(callType != CallType::None);
+        scope.release();
         return JSValue::encode(call(exec, target, callType, callData, exec->thisValue(), ArgList(exec)));
     }
@@ -502 +525 @@
     arguments.append(exec->thisValue());
     arguments.append(argArray);
+    scope.release();
     return JSValue::encode(call(exec, applyMethod, callType, callData, handler, arguments));
 }
@@ -524 +548 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue::encode(JSValue());
+        return encodedJSValue();
     }
     ProxyObject* proxy = jsCast<ProxyObject*>(exec->callee());
@@ -541 +565 @@
         ConstructType constructType = target->methodTable(vm)->getConstructData(target, constructData);
         RELEASE_ASSERT(constructType != ConstructType::None);
+        scope.release();
         return JSValue::encode(construct(exec, target, constructType, constructData, ArgList(exec), exec->newTarget()));
     }
@@ -580 +605 @@
     }
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultDelete();
+    }
 
     JSValue handlerValue = this->handler();
@@ -595 +622 @@
     RETURN_IF_EXCEPTION(scope, false);
     JSObject* target = this->target();
-    if (deletePropertyMethod.isUndefined())
+    if (deletePropertyMethod.isUndefined()) {
+        scope.release();
         return performDefaultDelete();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -665 +694 @@
     RETURN_IF_EXCEPTION(scope, false);
     JSObject* target = this->target();
-    if (preventExtensionsMethod.isUndefined())
+    if (preventExtensionsMethod.isUndefined()) {
+        scope.release();
         return target->methodTable(vm)->preventExtensions(target, exec);
+    }
 
     MarkedArgumentBuffer arguments;
@@ -715 +746 @@
 
     JSObject* target = this->target();
-    if (isExtensibleMethod.isUndefined())
+    if (isExtensibleMethod.isUndefined()) {
+        scope.release();
         return target->isExtensible(exec);
+    }
 
     MarkedArgumentBuffer arguments;
@@ -759 +792 @@
     JSObject* target = this->target();
     auto performDefaultDefineOwnProperty = [&] {
+        scope.release();
         return target->methodTable(vm)->defineOwnProperty(target, exec, propertyName, descriptor, shouldThrow);
     };
@@ -822 +856 @@
     bool throwException = false;
     bool isCompatibleDescriptor = validateAndApplyPropertyDescriptor(exec, nullptr, propertyName, targetIsExtensible, descriptor, isCurrentDefined, current, throwException);
+    RETURN_IF_EXCEPTION(scope, false);    
     if (!isCompatibleDescriptor) {
         throwVMTypeError(exec, scope, ASCIILiteral("Proxy's 'defineProperty' trap did not define a property on its target that is compatible with the trap's input descriptor"));
@@ -861 +896 @@
     JSObject* target = this->target();
     if (ownKeysMethod.isUndefined()) {
-        target->methodTable(exec->vm())->getOwnPropertyNames(target, exec, trapResult, enumerationMode);
+        scope.release();
+        target->methodTable(vm)->getOwnPropertyNames(target, exec, trapResult, enumerationMode);
         return;
     }
@@ -906 +942 @@
 
     bool targetIsExensible = target->isExtensible(exec);
+    RETURN_IF_EXCEPTION(scope, void());
 
     PropertyNameArray targetKeys(&vm, propertyNameMode);
@@ -1006 +1043 @@
 
     JSObject* target = this->target();
-    if (setPrototypeOfMethod.isUndefined())
+    if (setPrototypeOfMethod.isUndefined()) {
+        scope.release();
         return target->setPrototype(vm, exec, prototype, shouldThrowIfCantSet);
+    }
 
     MarkedArgumentBuffer arguments;
@@ -1050 +1089 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue();
+        return { };
     }
 
@@ -1056 +1095 @@
     if (handlerValue.isNull()) {
         throwVMTypeError(exec, scope, ASCIILiteral(s_proxyAlreadyRevokedErrorMessage));
-        return JSValue();
+        return { };
     }
 
@@ -1063 +1102 @@
     CallType callType;
     JSValue getPrototypeOfMethod = handler->getMethod(exec, callData, callType, makeIdentifier(vm, "getPrototypeOf"), ASCIILiteral("'getPrototypeOf' property of a Proxy's handler should be callable"));
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     JSObject* target = this->target();
-    if (getPrototypeOfMethod.isUndefined())
+    if (getPrototypeOfMethod.isUndefined()) {
+        scope.release();
         return target->getPrototype(vm, exec);
+    }
 
     MarkedArgumentBuffer arguments;
     arguments.append(target);
     JSValue trapResult = call(exec, getPrototypeOfMethod, callType, callData, handler, arguments);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     if (!trapResult.isObject() && !trapResult.isNull()) {
         throwVMTypeError(exec, scope, ASCIILiteral("Proxy handler's 'getPrototypeOf' trap should either return an object or null"));
-        return JSValue();
+        return { };
     }
 
     bool targetIsExtensible = target->isExtensible(exec);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
     if (targetIsExtensible)
         return trapResult;
 
     JSValue targetPrototype = target->getPrototype(vm, exec);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
     if (!sameValue(exec, targetPrototype, trapResult)) {
         throwVMTypeError(exec, scope, ASCIILiteral("Proxy's 'getPrototypeOf' trap for a non-extensible target should return the same value as the target's prototype"));
-        return JSValue();
+        return { };
     }