Changeset 209101 in webkit

Timestamp:

Nov 29, 2016, 4:06:50 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

Fix exception scope verification failures in runtime/RegExp* files.
​https://bugs.webkit.org/show_bug.cgi?id=165054

Reviewed by Saam Barati.

Also replaced returning JSValue() with returning { }.

• runtime/RegExpConstructor.cpp:

(JSC::toFlags):
(JSC::regExpCreate):
(JSC::constructRegExp):

• runtime/RegExpObject.cpp:

(JSC::RegExpObject::defineOwnProperty):
(JSC::collectMatches):
(JSC::RegExpObject::matchGlobal):

• runtime/RegExpObjectInlines.h:

(JSC::getRegExpObjectLastIndexAsUnsigned):
(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):

• runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncCompile):
(JSC::flagsString):
(JSC::regExpProtoFuncToString):
(JSC::regExpProtoFuncSplitFast):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/RegExpConstructor.cpp (modified) (5 diffs)
• runtime/RegExpObject.cpp (modified) (7 diffs)
• runtime/RegExpObjectInlines.h (modified) (9 diffs)
• runtime/RegExpPrototype.cpp (modified) (9 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-11-29  Mark Lam  <mark.lam@apple.com>
+
+        Fix exception scope verification failures in runtime/RegExp* files.
+        https://bugs.webkit.org/show_bug.cgi?id=165054
+
+        Reviewed by Saam Barati.
+
+        Also replaced returning JSValue() with returning { }.
+
+        * runtime/RegExpConstructor.cpp:
+        (JSC::toFlags):
+        (JSC::regExpCreate):
+        (JSC::constructRegExp):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::defineOwnProperty):
+        (JSC::collectMatches):
+        (JSC::RegExpObject::matchGlobal):
+        * runtime/RegExpObjectInlines.h:
+        (JSC::getRegExpObjectLastIndexAsUnsigned):
+        (JSC::RegExpObject::execInline):
+        (JSC::RegExpObject::matchInline):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::regExpProtoFuncCompile):
+        (JSC::flagsString):
+        (JSC::regExpProtoFuncToString):
+        (JSC::regExpProtoFuncSplitFast):
+
 2016-11-29  Andy Estes  <aestes@apple.com>
 

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

@@ -215 +215 @@
     if (flags.isUndefined())
         return NoFlags;
-    JSString* flagsString = flags.toString(exec);
-    ASSERT(scope.exception() || flagsString);
-    if (!flagsString) {
+    JSString* flagsString = flags.toStringOrNull(exec);
+    ASSERT(!!scope.exception() == !flagsString);
+    if (UNLIKELY(!flagsString))
         return InvalidFlags;
-    }
 
     RegExpFlags result = regExpFlags(flagsString->value(exec));
@@ -237 +236 @@
 
     RegExpFlags flags = toFlags(exec, flagsArg);
-    if (flags == InvalidFlags)
+    ASSERT(!!scope.exception() == (flags == InvalidFlags));
+    if (UNLIKELY(flags == InvalidFlags))
         return nullptr;
 
@@ -258 +258 @@
     bool isPatternRegExp = patternArg.inherits(RegExpObject::info());
     bool constructAsRegexp = isRegExp(vm, exec, patternArg);
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     if (newTarget.isUndefined() && constructAsRegexp && flagsArg.isUndefined()) {
@@ -275 +276 @@
         if (!flagsArg.isUndefined()) {
             RegExpFlags flags = toFlags(exec, flagsArg);
+            ASSERT(!!scope.exception() == (flags == InvalidFlags));
             if (flags == InvalidFlags)
                 return nullptr;
@@ -280 +282 @@
         }
 
-        return RegExpObject::create(exec->vm(), structure, regExp);
+        return RegExpObject::create(vm, structure, regExp);
     }
 
     if (constructAsRegexp) {
         JSValue pattern = patternArg.get(exec, vm.propertyNames->source);
-        if (flagsArg.isUndefined())
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        if (flagsArg.isUndefined()) {
             flagsArg = patternArg.get(exec, vm.propertyNames->flags);
+            RETURN_IF_EXCEPTION(scope, nullptr);
+        }
         patternArg = pattern;
     }
 
+    scope.release();
     return regExpCreate(exec, globalObject, newTarget, patternArg, flagsArg);
 }

trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp

@@ -120 +120 @@
             return true;
         }
-        if (descriptor.value())
+        if (descriptor.value()) {
             regExp->setLastIndex(exec, descriptor.value(), false);
+            RETURN_IF_EXCEPTION(scope, false);
+        }
         if (descriptor.writablePresent() && !descriptor.writable())
             regExp->m_lastIndexIsWritable = false;
@@ -127 +129 @@
     }
 
+    scope.release();
     return Base::defineOwnProperty(object, exec, propertyName, descriptor, shouldThrow);
 }
@@ -180 +183 @@
     
     JSArray* array = constructEmptyArray(exec, nullptr);
-    RETURN_IF_EXCEPTION(scope, JSValue());
-
+    RETURN_IF_EXCEPTION(scope, { });
+
+    bool hasException = false;
     auto iterate = [&] () {
         size_t end = result.end;
         size_t length = end - result.start;
         array->push(exec, JSRopeString::createSubstringOfResolved(vm, string, result.start, length));
+        if (UNLIKELY(scope.exception())) {
+            hasException = true;
+            return;
+        }
         if (!length)
             end = fixEnd(end);
@@ -217 +225 @@
             // OK, we have a sensible number of matches. Now we can create them for reals.
             result = savedResult;
-            do
+            do {
                 iterate();
-            while (result);
+                ASSERT(!!scope.exception() == hasException);
+                if (UNLIKELY(hasException))
+                    return { };
+            } while (result);
             
             return array;
@@ -239 +250 @@
 
     setLastIndex(exec, 0);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     String s = string->value(exec);
@@ -246 +257 @@
     if (regExp->unicode()) {
         unsigned stringLength = s.length();
+        scope.release();
         return collectMatches(
             vm, exec, string, s, regExpConstructor, regExp,
@@ -252 +264 @@
             });
     }
-    
+
+    scope.release();
     return collectMatches(
         vm, exec, string, s, regExpConstructor, regExp,

trunk/Source/JavaScriptCore/runtime/RegExpObjectInlines.h

@@ -37 +37 @@
     ExecState* exec, RegExpObject* regExpObject, const String& input)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue jsLastIndex = regExpObject->getLastIndex();
     unsigned lastIndex;
@@ -42 +44 @@
         lastIndex = jsLastIndex.asUInt32();
         if (lastIndex > input.length()) {
+            scope.release();
             regExpObject->setLastIndex(exec, 0);
             return UINT_MAX;
@@ -47 +50 @@
     } else {
         double doubleLastIndex = jsLastIndex.toInteger(exec);
+        RETURN_IF_EXCEPTION(scope, UINT_MAX);
         if (doubleLastIndex < 0 || doubleLastIndex > input.length()) {
+            scope.release();
             regExpObject->setLastIndex(exec, 0);
             return UINT_MAX;
@@ -64 +69 @@
     RegExpConstructor* regExpConstructor = globalObject->regExpConstructor();
     String input = string->value(exec);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     bool globalOrSticky = regExp->globalOrSticky();
@@ -71 +76 @@
     if (globalOrSticky) {
         lastIndex = getRegExpObjectLastIndexAsUnsigned(exec, this, input);
+        ASSERT(!scope.exception() || lastIndex == UINT_MAX);
         if (lastIndex == UINT_MAX)
             return jsNull();
@@ -80 +86 @@
         createRegExpMatchesArray(vm, globalObject, string, input, regExp, lastIndex, result);
     if (!array) {
+        scope.release();
         if (globalOrSticky)
             setLastIndex(exec, 0);
@@ -87 +94 @@
     if (globalOrSticky)
         setLastIndex(exec, result.end);
+    RETURN_IF_EXCEPTION(scope, { });
     regExpConstructor->recordMatch(vm, regExp, string, result);
     return array;
@@ -101 +109 @@
     RegExpConstructor* regExpConstructor = globalObject->regExpConstructor();
     String input = string->value(exec);
-    RETURN_IF_EXCEPTION(scope, MatchResult());
+    RETURN_IF_EXCEPTION(scope, { });
 
     if (!regExp->global() && !regExp->sticky())
@@ -107 +115 @@
 
     unsigned lastIndex = getRegExpObjectLastIndexAsUnsigned(exec, this, input);
+    ASSERT(!scope.exception() || (lastIndex == UINT_MAX));
     if (lastIndex == UINT_MAX)
         return MatchResult::failed();
     
     MatchResult result = regExpConstructor->performMatch(vm, regExp, string, input, lastIndex);
+    scope.release();
     setLastIndex(exec, result.end);
     return result;

trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp

@@ -184 +184 @@
 
     asRegExpObject(thisValue)->setRegExp(vm, regExp);
+    scope.release();
     asRegExpObject(thisValue)->setLastIndex(exec, 0);
     return JSValue::encode(thisValue);
@@ -198 +199 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    JSValue globalValue = regexp->get(exec, exec->propertyNames().global);
+    JSValue globalValue = regexp->get(exec, vm.propertyNames->global);
     RETURN_IF_EXCEPTION(scope, string);
-    JSValue ignoreCaseValue = regexp->get(exec, exec->propertyNames().ignoreCase);
+    JSValue ignoreCaseValue = regexp->get(exec, vm.propertyNames->ignoreCase);
     RETURN_IF_EXCEPTION(scope, string);
-    JSValue multilineValue = regexp->get(exec, exec->propertyNames().multiline);
+    JSValue multilineValue = regexp->get(exec, vm.propertyNames->multiline);
     RETURN_IF_EXCEPTION(scope, string);
-    JSValue unicodeValue = regexp->get(exec, exec->propertyNames().unicode);
+    JSValue unicodeValue = regexp->get(exec, vm.propertyNames->unicode);
     RETURN_IF_EXCEPTION(scope, string);
-    JSValue stickyValue = regexp->get(exec, exec->propertyNames().sticky);
+    JSValue stickyValue = regexp->get(exec, vm.propertyNames->sticky);
     RETURN_IF_EXCEPTION(scope, string);
 
@@ -237 +238 @@
 
     StringRecursionChecker checker(exec, thisObject);
+    ASSERT(!scope.exception() || checker.earlyReturnValue());
     if (JSValue earlyReturnValue = checker.earlyReturnValue())
         return JSValue::encode(earlyReturnValue);
@@ -622 +624 @@
         // c. Perform ! CreateDataProperty(A, "0", S).
         // d. Return A.
-        if (!regexp->match(vm, input, 0))
+        if (!regexp->match(vm, input, 0)) {
             result->putDirectIndex(exec, 0, inputString);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        }
         return JSValue::encode(result);
     }
@@ -644 +648 @@
         [&] (bool isDefined, unsigned start, unsigned length) -> SplitControl {
             result->putDirectIndex(exec, resultLength++, isDefined ? JSRopeString::createSubstringOfResolved(vm, inputString, start, length) : jsUndefined());
+            RETURN_IF_EXCEPTION(scope, AbortSplit);
             if (resultLength >= limit)
                 return AbortSplit;
             return ContinueSplit;
         });
-    
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
     if (resultLength >= limit)
         return JSValue::encode(result);
@@ -654 +660 @@
         // 20. Let T be a String value equal to the substring of S consisting of the elements at indices p (inclusive) through size (exclusive).
         // 21. Perform ! CreateDataProperty(A, ! ToString(lengthA), T).
+        scope.release();
         result->putDirectIndex(exec, resultLength, JSRopeString::createSubstringOfResolved(vm, inputString, position, inputSize - position));
         
@@ -680 +687 @@
     if (resultLength + dryRunCount >= MAX_STORAGE_VECTOR_LENGTH) {
         throwOutOfMemoryError(exec, scope);
-        return JSValue::encode(jsUndefined());
+        return encodedJSValue();
     }
     
@@ -694 +701 @@
         [&] (bool isDefined, unsigned start, unsigned length) -> SplitControl {
             result->putDirectIndex(exec, resultLength++, isDefined ? JSRopeString::createSubstringOfResolved(vm, inputString, start, length) : jsUndefined());
+            RETURN_IF_EXCEPTION(scope, AbortSplit);
             if (resultLength >= limit)
                 return AbortSplit;
             return ContinueSplit;
         });
-    
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
     if (resultLength >= limit)
         return JSValue::encode(result);
@@ -704 +713 @@
     // 20. Let T be a String value equal to the substring of S consisting of the elements at indices p (inclusive) through size (exclusive).
     // 21. Perform ! CreateDataProperty(A, ! ToString(lengthA), T).
+    scope.release();
     result->putDirectIndex(exec, resultLength, JSRopeString::createSubstringOfResolved(vm, inputString, position, inputSize - position));
     // 22. Return A.