Changeset 209080 in webkit


Timestamp:
Nov 29, 2016 11:08:59 AM (7 years ago)
Author:
mark.lam@apple.com
Message:

Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165053

Reviewed by Saam Barati.

Also replaced returning JSValue() with returning { }.

  • runtime/ProxyConstructor.cpp:

(JSC::constructProxyObject):

  • runtime/ProxyObject.cpp:

(JSC::ProxyObject::structureForTarget):
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::getOwnPropertySlotCommon):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::putByIndexCommon):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r209062 r209080  
     12016-11-29  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp.
     4        https://bugs.webkit.org/show_bug.cgi?id=165053
     5
     6        Reviewed by Saam Barati.
     7
     8        Also replaced returning JSValue() with returning { }.
     9
     10        * runtime/ProxyConstructor.cpp:
     11        (JSC::constructProxyObject):
     12        * runtime/ProxyObject.cpp:
     13        (JSC::ProxyObject::structureForTarget):
     14        (JSC::performProxyGet):
     15        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
     16        (JSC::ProxyObject::performHasProperty):
     17        (JSC::ProxyObject::getOwnPropertySlotCommon):
     18        (JSC::ProxyObject::performPut):
     19        (JSC::ProxyObject::putByIndexCommon):
     20        (JSC::performProxyCall):
     21        (JSC::performProxyConstruct):
     22        (JSC::ProxyObject::performDelete):
     23        (JSC::ProxyObject::performPreventExtensions):
     24        (JSC::ProxyObject::performIsExtensible):
     25        (JSC::ProxyObject::performDefineOwnProperty):
     26        (JSC::ProxyObject::performGetOwnPropertyNames):
     27        (JSC::ProxyObject::performSetPrototype):
     28        (JSC::ProxyObject::performGetPrototype):
     29
    1302016-11-28  Matt Baker  <mattbaker@apple.com>
    231
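--- a/trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp
@@ -100,4 +100,5 @@
     JSValue target = args.at(0);
     JSValue handler = args.at(1);
+    scope.release();
     return JSValue::encode(ProxyObject::create(exec, exec->lexicalGlobalObject(), target, handler));
 }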
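Review bot: The `scope.release()` added at new line 102 is sound only because the `ProxyObject::create(...)` call on the next line is the function's final statement, so whatever exception that call may raise is left for the caller to check, and nothing in the hunk records that invariant. A one-line comment above it, `// Tail call: exceptions from create() are checked by our caller.`, would keep a later edit from inserting work between the release and the return. The enclosing constructProxyObject starts outside the hunk.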
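--- a/trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp
@@ -75,5 +75,6 @@
     JSObject* targetAsObject = jsCast<JSObject*>(target);
     CallData ignoredCallData;
-    bool isCallable = targetAsObject->methodTable()->getCallData(targetAsObject, ignoredCallData) != CallType::None;
+    VM& vm = globalObject->vm();
+    bool isCallable = targetAsObject->methodTable(vm)->getCallData(targetAsObject, ignoredCallData) != CallType::None;
     return isCallable ? globalObject->callableProxyObjectStructure() : globalObject->proxyObjectStructure();
 }
@@ -122,5 +123,5 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue();
+        return { };
     }
 
@@ -131,6 +132,8 @@
     };
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultGet();
+    }
 
     JSValue handlerValue = proxyObject->handler();
@@ -142,8 +145,10 @@
     CallType callType;
     JSValue getHandler = handler->getMethod(exec, callData, callType, vm.propertyNames->get, ASCIILiteral("'get' property of a Proxy's handler object should be callable"));
-    RETURN_IF_EXCEPTION(scope, JSValue());
-
-    if (getHandler.isUndefined())
+    RETURN_IF_EXCEPTION(scope, { });
+
+    if (getHandler.isUndefined()) {
+        scope.release();
         return performDefaultGet();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -152,5 +157,5 @@
     arguments.append(receiver);
     JSValue trapResult = call(exec, getHandler, callType, callData, handler, arguments);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     PropertyDescriptor descriptor;
@@ -165,5 +170,5 @@
     }
 
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     return trapResult;
@@ -195,6 +200,8 @@
     };
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultGetOwnProperty();
+    }
 
     JSValue handlerValue = this->handler();
@@ -209,6 +216,8 @@
     JSValue getOwnPropertyDescriptorMethod = handler->getMethod(exec, callData, callType, makeIdentifier(vm, "getOwnPropertyDescriptor"), ASCIILiteral("'getOwnPropertyDescriptor' property of a Proxy's handler should be callable"));
     RETURN_IF_EXCEPTION(scope, false);
-    if (getOwnPropertyDescriptorMethod.isUndefined())
+    if (getOwnPropertyDescriptorMethod.isUndefined()) {
+        scope.release();
         return performDefaultGetOwnProperty();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -257,4 +266,5 @@
     bool valid = validateAndApplyPropertyDescriptor(exec, nullptr, propertyName, isExtensible,
         trapResultAsDescriptor, isTargetPropertyDescriptorDefined, targetPropertyDescriptor, throwException);
+    RETURN_IF_EXCEPTION(scope, false);
     if (!valid) {
         throwVMTypeError(exec, scope, ASCIILiteral("Result from 'getOwnPropertyDescriptor' fails the IsCompatiblePropertyDescriptor test"));
@@ -296,6 +306,8 @@
     };
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultHasProperty();
+    }
 
     JSValue handlerValue = this->handler();
@@ -310,6 +322,8 @@
     JSValue hasMethod = handler->getMethod(exec, callData, callType, vm.propertyNames->has, ASCIILiteral("'has' property of a Proxy's handler should be callable"));
     RETURN_IF_EXCEPTION(scope, false);
-    if (hasMethod.isUndefined())
+    if (hasMethod.isUndefined()) {
+        scope.release();
         return performDefaultHasProperty();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -355,8 +369,11 @@
     switch (slot.internalMethodType()) {
     case PropertySlot::InternalMethodType::Get:
+        scope.release();
         return performGet(exec, propertyName, slot);
     case PropertySlot::InternalMethodType::GetOwnProperty:
+        scope.release();
         return performInternalMethodGetOwnProperty(exec, propertyName, slot);
     case PropertySlot::InternalMethodType::HasProperty:
+        scope.release();
         return performHasProperty(exec, propertyName, slot);
     default:
@@ -391,6 +408,8 @@
     }
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultPut();
+    }
 
     JSValue handlerValue = this->handler();
@@ -406,6 +425,8 @@
     RETURN_IF_EXCEPTION(scope, false);
     JSObject* target = this->target();
-    if (setMethod.isUndefined())
+    if (setMethod.isUndefined()) {
+        scope.release();
         return performDefaultPut();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -461,4 +482,5 @@
         return target->methodTable(vm)->put(target, exec, ident.impl(), putValue, slot);
     };
+    scope.release();
     return performPut(exec, putValue, thisValue, ident.impl(), performDefaultPut);
 }
@@ -476,5 +498,5 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue::encode(JSValue());
+        return encodedJSValue();
     }
     ProxyObject* proxy = jsCast<ProxyObject*>(exec->callee());
@@ -493,4 +515,5 @@
         CallType callType = target->methodTable(vm)->getCallData(target, callData);
         RELEASE_ASSERT(callType != CallType::None);
+        scope.release();
         return JSValue::encode(call(exec, target, callType, callData, exec->thisValue(), ArgList(exec)));
     }
@@ -502,4 +525,5 @@
     arguments.append(exec->thisValue());
     arguments.append(argArray);
+    scope.release();
     return JSValue::encode(call(exec, applyMethod, callType, callData, handler, arguments));
 }
@@ -524,5 +548,5 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue::encode(JSValue());
+        return encodedJSValue();
     }
     ProxyObject* proxy = jsCast<ProxyObject*>(exec->callee());
@@ -541,4 +565,5 @@
         ConstructType constructType = target->methodTable(vm)->getConstructData(target, constructData);
         RELEASE_ASSERT(constructType != ConstructType::None);
+        scope.release();
         return JSValue::encode(construct(exec, target, constructType, constructData, ArgList(exec), exec->newTarget()));
     }
@@ -580,6 +605,8 @@
     }
 
-    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid())))
+    if (vm.propertyNames->isPrivateName(Identifier::fromUid(&vm, propertyName.uid()))) {
+        scope.release();
         return performDefaultDelete();
+    }
 
     JSValue handlerValue = this->handler();
@@ -595,6 +622,8 @@
     RETURN_IF_EXCEPTION(scope, false);
     JSObject* target = this->target();
-    if (deletePropertyMethod.isUndefined())
+    if (deletePropertyMethod.isUndefined()) {
+        scope.release();
         return performDefaultDelete();
+    }
 
     MarkedArgumentBuffer arguments;
@@ -665,6 +694,8 @@
     RETURN_IF_EXCEPTION(scope, false);
     JSObject* target = this->target();
-    if (preventExtensionsMethod.isUndefined())
+    if (preventExtensionsMethod.isUndefined()) {
+        scope.release();
         return target->methodTable(vm)->preventExtensions(target, exec);
+    }
 
     MarkedArgumentBuffer arguments;
@@ -715,6 +746,8 @@
 
     JSObject* target = this->target();
-    if (isExtensibleMethod.isUndefined())
+    if (isExtensibleMethod.isUndefined()) {
+        scope.release();
         return target->isExtensible(exec);
+    }
 
     MarkedArgumentBuffer arguments;
@@ -759,4 +792,5 @@
     JSObject* target = this->target();
     auto performDefaultDefineOwnProperty = [&] {
+        scope.release();
         return target->methodTable(vm)->defineOwnProperty(target, exec, propertyName, descriptor, shouldThrow);
     };
@@ -822,4 +856,5 @@
     bool throwException = false;
     bool isCompatibleDescriptor = validateAndApplyPropertyDescriptor(exec, nullptr, propertyName, targetIsExtensible, descriptor, isCurrentDefined, current, throwException);
+    RETURN_IF_EXCEPTION(scope, false);   
     if (!isCompatibleDescriptor) {
         throwVMTypeError(exec, scope, ASCIILiteral("Proxy's 'defineProperty' trap did not define a property on its target that is compatible with the trap's input descriptor"));
@@ -861,5 +896,6 @@
     JSObject* target = this->target();
     if (ownKeysMethod.isUndefined()) {
-        target->methodTable(exec->vm())->getOwnPropertyNames(target, exec, trapResult, enumerationMode);
+        scope.release();
+        target->methodTable(vm)->getOwnPropertyNames(target, exec, trapResult, enumerationMode);
         return;
     }
@@ -906,4 +942,5 @@
 
     bool targetIsExensible = target->isExtensible(exec);
+    RETURN_IF_EXCEPTION(scope, void());
 
     PropertyNameArray targetKeys(&vm, propertyNameMode);
@@ -1006,6 +1043,8 @@
 
     JSObject* target = this->target();
-    if (setPrototypeOfMethod.isUndefined())
+    if (setPrototypeOfMethod.isUndefined()) {
+        scope.release();
         return target->setPrototype(vm, exec, prototype, shouldThrowIfCantSet);
+    }
 
     MarkedArgumentBuffer arguments;
@@ -1050,5 +1089,5 @@
     if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
         throwStackOverflowError(exec, scope);
-        return JSValue();
+        return { };
     }
 
@@ -1056,5 +1095,5 @@
     if (handlerValue.isNull()) {
         throwVMTypeError(exec, scope, ASCIILiteral(s_proxyAlreadyRevokedErrorMessage));
-        return JSValue();
+        return { };
     }
 
@@ -1063,30 +1102,32 @@
     CallType callType;
     JSValue getPrototypeOfMethod = handler->getMethod(exec, callData, callType, makeIdentifier(vm, "getPrototypeOf"), ASCIILiteral("'getPrototypeOf' property of a Proxy's handler should be callable"));
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     JSObject* target = this->target();
-    if (getPrototypeOfMethod.isUndefined())
+    if (getPrototypeOfMethod.isUndefined()) {
+        scope.release();
         return target->getPrototype(vm, exec);
+    }
 
     MarkedArgumentBuffer arguments;
     arguments.append(target);
     JSValue trapResult = call(exec, getPrototypeOfMethod, callType, callData, handler, arguments);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     if (!trapResult.isObject() && !trapResult.isNull()) {
         throwVMTypeError(exec, scope, ASCIILiteral("Proxy handler's 'getPrototypeOf' trap should either return an object or null"));
-        return JSValue();
+        return { };
     }
 
     bool targetIsExtensible = target->isExtensible(exec);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
     if (targetIsExtensible)
         return trapResult;
 
     JSValue targetPrototype = target->getPrototype(vm, exec);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
     if (!sameValue(exec, targetPrototype, trapResult)) {
         throwVMTypeError(exec, scope, ASCIILiteral("Proxy's 'getPrototypeOf' trap for a non-extensible target should return the same value as the target's prototype"));
-        return JSValue();
+        return { };
     }
 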
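Review bot: The `scope.release()` inserted before each `return performGet(...)`, `return performInternalMethodGetOwnProperty(...)` and `return performHasProperty(...)` in the getOwnPropertySlotCommon hunk (new lines 371-378) holds only while the released call remains the last statement before the return, and the same unstated invariant is relied on by every release-then-call pair in the other hunks of this file, so a single comment at the first such site, `// Tail call: the callee's exceptions are left for our caller to check.`, would record the convention once. The added `RETURN_IF_EXCEPTION(scope, false);` at new line 858 in the performDefineOwnProperty hunk carries trailing whitespace that should be stripped. The context line `bool targetIsExensible = target->isExtensible(exec);` at new line 943, directly above the new `RETURN_IF_EXCEPTION(scope, void());`, keeps a misspelled identifier that could be corrected while this spot is being touched, although that is not part of this change. Every function touched here starts and ends outside its hunk.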