Changeset 221849 in webkit

Timestamp:

Sep 10, 2017 11:23:39 PM (7 years ago)

Author:

mark.lam@apple.com

Message:

Fix all ExceptionScope verification failures in JavaScriptCore.
​https://bugs.webkit.org/show_bug.cgi?id=176662
<rdar://problem/34352085>

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope verification for release builds too (though this requires manually setting ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).

This is useful because it allows us to run the tests more quickly to check
if any regressions have occurred. Debug builds run so much slower and not
good for a quick turn around. Debug builds are necessary though to get
trace information without inlining by the C++ compiler. This is necessary to
diagnose where the missing exception check is.

2. Repurposed the JSC_dumpSimulatedThrows=true options to capture and dump the last simulated throw when an exception scope verification fails.

Previously, this option dumps the stack trace on all simulated throws. That
turned out to not be very useful, and slows down the debugging process.
Instead, the new implementation captures the stack trace and only dumps it
if we have a verification failure.

3. Fixed missing exception checks and book-keeping needed to allow the JSC tests to pass with JSC_validateExceptionChecks=true.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• dfg/DFGOSRExit.cpp:

(JSC::DFG::OSRExit::executeOSRExit):

• dfg/DFGOperations.cpp:
• interpreter/Interpreter.cpp:

(JSC::eval):
(JSC::loadVarargs):
(JSC::Interpreter::unwind):
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):

• jit/JITOperations.cpp:

(JSC::getByVal):

• jsc.cpp:

(WTF::CustomGetter::customGetterAcessor):
(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderResolve):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::getByVal):
(JSC::LLInt::setUpCall):

• parser/Parser.h:

(JSC::Parser::popScopeInternal):

• runtime/AbstractModuleRecord.cpp:

(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::resolveExportImpl):
(JSC::getExportedNames):
(JSC::AbstractModuleRecord::getModuleNamespace):

• runtime/ArrayPrototype.cpp:

(JSC::getProperty):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
(JSC::arrayProtoPrivateFuncAppendMemcpy):

• runtime/CatchScope.h:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/DatePrototype.cpp:

(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):

• runtime/DirectArguments.h:

(JSC::DirectArguments::length const):

• runtime/ErrorPrototype.cpp:

(JSC::errorProtoFuncToString):

• runtime/ExceptionFuzz.cpp:

(JSC::doExceptionFuzzing):

• runtime/ExceptionScope.h:

(JSC::ExceptionScope::needExceptionCheck):
(JSC::ExceptionScope::assertNoException):

• runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::defineOwnProperty):

• runtime/HashMapImpl.h:

(JSC::HashMapImpl::rehash):

• runtime/IntlDateTimeFormat.cpp:

(JSC::IntlDateTimeFormat::formatToParts):

• runtime/JSArray.cpp:

(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::put):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):

• runtime/JSCJSValueInlines.h:

(JSC::JSValue::toIndex const):
(JSC::JSValue::get const):
(JSC::JSValue::getPropertySlot const):
(JSC::JSValue::equalSlowCaseInline):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::set):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::put):

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::decode):
(JSC::globalFuncEval):
(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
(JSC::globalFuncImportModule):

• runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

• runtime/JSInternalPromiseDeferred.cpp:

(JSC::JSInternalPromiseDeferred::create):

• runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

• runtime/JSModuleEnvironment.cpp:

(JSC::JSModuleEnvironment::getOwnPropertySlot):
(JSC::JSModuleEnvironment::put):
(JSC::JSModuleEnvironment::deleteProperty):

• runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provide):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

• runtime/JSModuleRecord.cpp:

(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):

• runtime/JSONObject.cpp:

(JSC::Stringifier::stringify):
(JSC::Stringifier::toJSON):
(JSC::JSONProtoFuncParse):

• runtime/JSObject.cpp:

(JSC::JSObject::calculatedClassName):
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::toPrimitive const):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::toNumber const):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::validateAndApplyPropertyDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::JSObject::getGenericPropertyNames):

• runtime/JSObject.h:

(JSC::JSObject::get const):

• runtime/JSObjectInlines.h:

(JSC::JSObject::getPropertySlot const):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
(JSC::JSObject::putInlineForJSObject):

• runtime/JSPromiseConstructor.cpp:

(JSC::constructPromise):

• runtime/JSPromiseDeferred.cpp:

(JSC::JSPromiseDeferred::create):

• runtime/JSScope.cpp:

(JSC::abstractAccess):
(JSC::JSScope::resolve):
(JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
(JSC::JSScope::abstractResolve):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::tryJSONPParse):
(JSC::LiteralParser<CharType>::parse):

• runtime/Lookup.h:

(JSC::putEntry):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/NumberPrototype.cpp:

(JSC::numberProtoFuncToString):

• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorGetOwnPropertyDescriptors):
(JSC::objectConstructorAssign):
(JSC::objectConstructorValues):
(JSC::toPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorDefineProperties):
(JSC::ownPropertyKeys):

• runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):

• runtime/Options.h:
• runtime/ParseInt.h:

(JSC::toStringView):

• runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performPut):

• runtime/ReflectObject.cpp:

(JSC::reflectObjectDefineProperty):

• runtime/RegExpConstructor.cpp:

(JSC::toFlags):
(JSC::regExpCreate):
(JSC::constructRegExp):

• runtime/RegExpObject.cpp:

(JSC::collectMatches):

• runtime/RegExpObjectInlines.h:

(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):

• runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncTestFast):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncMatchFast):
(JSC::regExpProtoFuncToString):
(JSC::regExpProtoFuncSplitFast):

• runtime/ScriptExecutable.cpp:

(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::prepareForExecutionImpl):

• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/ThrowScope.cpp:

(JSC::ThrowScope::simulateThrow):

• runtime/VM.cpp:

(JSC::VM::verifyExceptionCheckNeedIsSatisfied):

• runtime/VM.h:
• runtime/WeakMapPrototype.cpp:

(JSC::protoFuncWeakMapSet):

• runtime/WeakSetPrototype.cpp:

(JSC::protoFuncWeakSetAdd):

• wasm/js/WebAssemblyModuleConstructor.cpp:

(JSC::WebAssemblyModuleConstructor::createModule):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):

• wasm/js/WebAssemblyPrototype.cpp:

(JSC::reject):
(JSC::webAssemblyCompileFunc):
(JSC::resolve):
(JSC::webAssemblyInstantiateFunc):

Source/WebCore:

No new tests because this is covered by existing tests with the JSC_validateExceptionChecks=true enabled.

• bindings/js/JSCustomElementInterface.cpp:

(WebCore::JSCustomElementInterface::tryToConstructCustomElement):

• bindings/js/JSCustomElementRegistryCustom.cpp:

(WebCore::whenDefinedPromise):

• bindings/js/JSDOMConvertRecord.h:
• bindings/js/JSDOMMapLike.cpp:

(WebCore::createBackingMap):

• bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::DeferredPromise::reject):

• bindings/js/JSDOMPromiseDeferred.h:

(WebCore::callPromiseFunction):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/bytecode/CodeBlock.cpp (modified) (4 diffs)
• JavaScriptCore/dfg/DFGOSRExit.cpp (modified) (1 diff)
• JavaScriptCore/dfg/DFGOperations.cpp (modified) (5 diffs)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (16 diffs)
• JavaScriptCore/jit/JITOperations.cpp (modified) (26 diffs)
• JavaScriptCore/jsc.cpp (modified) (5 diffs)
• JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• JavaScriptCore/parser/Parser.h (modified) (1 diff)
• JavaScriptCore/runtime/AbstractModuleRecord.cpp (modified) (14 diffs)
• JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (23 diffs)
• JavaScriptCore/runtime/CatchScope.h (modified) (1 diff)
• JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/DatePrototype.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/DirectArguments.h (modified) (1 diff)
• JavaScriptCore/runtime/ErrorPrototype.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ExceptionFuzz.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ExceptionScope.h (modified) (4 diffs)
• JavaScriptCore/runtime/GenericArgumentsInlines.h (modified) (1 diff)
• JavaScriptCore/runtime/HashMapImpl.h (modified) (1 diff)
• JavaScriptCore/runtime/IntlDateTimeFormat.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSArray.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSCJSValue.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSCJSValueInlines.h (modified) (9 diffs)
• JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (8 diffs)
• JavaScriptCore/runtime/JSInternalPromise.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSJob.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSModuleEnvironment.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSModuleLoader.cpp (modified) (10 diffs)
• JavaScriptCore/runtime/JSModuleRecord.cpp (modified) (6 diffs)
• JavaScriptCore/runtime/JSONObject.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/JSObject.cpp (modified) (29 diffs)
• JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSObjectInlines.h (modified) (4 diffs)
• JavaScriptCore/runtime/JSPromiseConstructor.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSPromiseDeferred.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSScope.cpp (modified) (8 diffs)
• JavaScriptCore/runtime/LiteralParser.cpp (modified) (6 diffs)
• JavaScriptCore/runtime/Lookup.h (modified) (1 diff)
• JavaScriptCore/runtime/MapConstructor.cpp (modified) (1 diff)
• JavaScriptCore/runtime/NumberPrototype.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (18 diffs)
• JavaScriptCore/runtime/ObjectPrototype.cpp (modified) (6 diffs)
• JavaScriptCore/runtime/Options.h (modified) (1 diff)
• JavaScriptCore/runtime/ParseInt.h (modified) (1 diff)
• JavaScriptCore/runtime/ProxyObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ReflectObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/RegExpConstructor.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/RegExpObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/RegExpObjectInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/RegExpPrototype.cpp (modified) (5 diffs)
• JavaScriptCore/runtime/ScriptExecutable.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/SetConstructor.cpp (modified) (1 diff)
• JavaScriptCore/runtime/ThrowScope.cpp (modified) (1 diff)
• JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• JavaScriptCore/runtime/VM.h (modified) (1 diff)
• JavaScriptCore/runtime/WeakMapPrototype.cpp (modified) (1 diff)
• JavaScriptCore/runtime/WeakSetPrototype.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp (modified) (7 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSCustomElementInterface.cpp (modified) (1 diff)
• WebCore/bindings/js/JSCustomElementRegistryCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMConvertRecord.h (modified) (2 diffs)
• WebCore/bindings/js/JSDOMMapLike.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMPromiseDeferred.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSDOMPromiseDeferred.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-09-10  Mark Lam  <mark.lam@apple.com>
+
+        Fix all ExceptionScope verification failures in JavaScriptCore.
+        https://bugs.webkit.org/show_bug.cgi?id=176662
+        <rdar://problem/34352085>
+
+        Reviewed by Filip Pizlo.
+
+        1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
+           verification for release builds too (though this requires manually setting
+           ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
+
+           This is useful because it allows us to run the tests more quickly to check
+           if any regressions have occurred.  Debug builds run so much slower and not
+           good for a quick turn around.  Debug builds are necessary though to get
+           trace information without inlining by the C++ compiler.  This is necessary to
+           diagnose where the missing exception check is.
+
+        2. Repurposed the JSC_dumpSimulatedThrows=true options to capture and dump the last
+           simulated throw when an exception scope verification fails.
+
+           Previously, this option dumps the stack trace on all simulated throws.  That
+           turned out to not be very useful, and slows down the debugging process.
+           Instead, the new implementation captures the stack trace and only dumps it
+           if we have a verification failure.
+
+        3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
+           to pass with JSC_validateExceptionChecks=true.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        * dfg/DFGOSRExit.cpp:
+        (JSC::DFG::OSRExit::executeOSRExit):
+        * dfg/DFGOperations.cpp:
+        * interpreter/Interpreter.cpp:
+        (JSC::eval):
+        (JSC::loadVarargs):
+        (JSC::Interpreter::unwind):
+        (JSC::Interpreter::executeProgram):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        (JSC::Interpreter::prepareForRepeatCall):
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeModuleProgram):
+        * jit/JITOperations.cpp:
+        (JSC::getByVal):
+        * jsc.cpp:
+        (WTF::CustomGetter::customGetterAcessor):
+        (GlobalObject::moduleLoaderImportModule):
+        (GlobalObject::moduleLoaderResolve):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::getByVal):
+        (JSC::LLInt::setUpCall):
+        * parser/Parser.h:
+        (JSC::Parser::popScopeInternal):
+        * runtime/AbstractModuleRecord.cpp:
+        (JSC::AbstractModuleRecord::hostResolveImportedModule):
+        (JSC::AbstractModuleRecord::resolveImport):
+        (JSC::AbstractModuleRecord::resolveExportImpl):
+        (JSC::getExportedNames):
+        (JSC::AbstractModuleRecord::getModuleNamespace):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::getProperty):
+        (JSC::unshift):
+        (JSC::arrayProtoFuncToString):
+        (JSC::arrayProtoFuncToLocaleString):
+        (JSC::arrayProtoFuncJoin):
+        (JSC::arrayProtoFuncPop):
+        (JSC::arrayProtoFuncPush):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::arrayProtoFuncShift):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        (JSC::arrayProtoFuncIndexOf):
+        (JSC::arrayProtoFuncLastIndexOf):
+        (JSC::concatAppendOne):
+        (JSC::arrayProtoPrivateFuncConcatMemcpy):
+        (JSC::arrayProtoPrivateFuncAppendMemcpy):
+        * runtime/CatchScope.h:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/DatePrototype.cpp:
+        (JSC::dateProtoFuncSetTime):
+        (JSC::setNewValueFromTimeArgs):
+        * runtime/DirectArguments.h:
+        (JSC::DirectArguments::length const):
+        * runtime/ErrorPrototype.cpp:
+        (JSC::errorProtoFuncToString):
+        * runtime/ExceptionFuzz.cpp:
+        (JSC::doExceptionFuzzing):
+        * runtime/ExceptionScope.h:
+        (JSC::ExceptionScope::needExceptionCheck):
+        (JSC::ExceptionScope::assertNoException):
+        * runtime/GenericArgumentsInlines.h:
+        (JSC::GenericArguments<Type>::defineOwnProperty):
+        * runtime/HashMapImpl.h:
+        (JSC::HashMapImpl::rehash):
+        * runtime/IntlDateTimeFormat.cpp:
+        (JSC::IntlDateTimeFormat::formatToParts):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::defineOwnProperty):
+        (JSC::JSArray::put):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::putToPrimitive):
+        (JSC::JSValue::putToPrimitiveByIndex):
+        * runtime/JSCJSValueInlines.h:
+        (JSC::JSValue::toIndex const):
+        (JSC::JSValue::get const):
+        (JSC::JSValue::getPropertySlot const):
+        (JSC::JSValue::equalSlowCaseInline):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewFromIterator):
+        (JSC::constructGenericTypedArrayViewWithArguments):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::set):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::put):
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::decode):
+        (JSC::globalFuncEval):
+        (JSC::globalFuncProtoGetter):
+        (JSC::globalFuncProtoSetter):
+        (JSC::globalFuncImportModule):
+        * runtime/JSInternalPromise.cpp:
+        (JSC::JSInternalPromise::then):
+        * runtime/JSInternalPromiseDeferred.cpp:
+        (JSC::JSInternalPromiseDeferred::create):
+        * runtime/JSJob.cpp:
+        (JSC::JSJobMicrotask::run):
+        * runtime/JSModuleEnvironment.cpp:
+        (JSC::JSModuleEnvironment::getOwnPropertySlot):
+        (JSC::JSModuleEnvironment::put):
+        (JSC::JSModuleEnvironment::deleteProperty):
+        * runtime/JSModuleLoader.cpp:
+        (JSC::JSModuleLoader::provide):
+        (JSC::JSModuleLoader::loadAndEvaluateModule):
+        (JSC::JSModuleLoader::loadModule):
+        (JSC::JSModuleLoader::linkAndEvaluateModule):
+        (JSC::JSModuleLoader::requestImportModule):
+        * runtime/JSModuleRecord.cpp:
+        (JSC::JSModuleRecord::link):
+        (JSC::JSModuleRecord::instantiateDeclarations):
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::stringify):
+        (JSC::Stringifier::toJSON):
+        (JSC::JSONProtoFuncParse):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::calculatedClassName):
+        (JSC::ordinarySetSlow):
+        (JSC::JSObject::putInlineSlow):
+        (JSC::JSObject::ordinaryToPrimitive const):
+        (JSC::JSObject::toPrimitive const):
+        (JSC::JSObject::hasInstance):
+        (JSC::JSObject::getPropertyNames):
+        (JSC::JSObject::toNumber const):
+        (JSC::JSObject::defineOwnIndexedProperty):
+        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
+        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+        (JSC::validateAndApplyPropertyDescriptor):
+        (JSC::JSObject::defineOwnNonIndexProperty):
+        (JSC::JSObject::getGenericPropertyNames):
+        * runtime/JSObject.h:
+        (JSC::JSObject::get const):
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::getPropertySlot const):
+        (JSC::JSObject::getPropertySlot):
+        (JSC::JSObject::getNonIndexPropertySlot):
+        (JSC::JSObject::putInlineForJSObject):
+        * runtime/JSPromiseConstructor.cpp:
+        (JSC::constructPromise):
+        * runtime/JSPromiseDeferred.cpp:
+        (JSC::JSPromiseDeferred::create):
+        * runtime/JSScope.cpp:
+        (JSC::abstractAccess):
+        (JSC::JSScope::resolve):
+        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
+        (JSC::JSScope::abstractResolve):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::tryJSONPParse):
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/Lookup.h:
+        (JSC::putEntry):
+        * runtime/MapConstructor.cpp:
+        (JSC::constructMap):
+        * runtime/NumberPrototype.cpp:
+        (JSC::numberProtoFuncToString):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorSetPrototypeOf):
+        (JSC::objectConstructorGetOwnPropertyDescriptor):
+        (JSC::objectConstructorGetOwnPropertyDescriptors):
+        (JSC::objectConstructorAssign):
+        (JSC::objectConstructorValues):
+        (JSC::toPropertyDescriptor):
+        (JSC::objectConstructorDefineProperty):
+        (JSC::defineProperties):
+        (JSC::objectConstructorDefineProperties):
+        (JSC::ownPropertyKeys):
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncHasOwnProperty):
+        (JSC::objectProtoFuncIsPrototypeOf):
+        (JSC::objectProtoFuncLookupGetter):
+        (JSC::objectProtoFuncLookupSetter):
+        (JSC::objectProtoFuncToLocaleString):
+        (JSC::objectProtoFuncToString):
+        * runtime/Options.h:
+        * runtime/ParseInt.h:
+        (JSC::toStringView):
+        * runtime/ProxyObject.cpp:
+        (JSC::performProxyGet):
+        (JSC::ProxyObject::performPut):
+        * runtime/ReflectObject.cpp:
+        (JSC::reflectObjectDefineProperty):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::toFlags):
+        (JSC::regExpCreate):
+        (JSC::constructRegExp):
+        * runtime/RegExpObject.cpp:
+        (JSC::collectMatches):
+        * runtime/RegExpObjectInlines.h:
+        (JSC::RegExpObject::execInline):
+        (JSC::RegExpObject::matchInline):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::regExpProtoFuncTestFast):
+        (JSC::regExpProtoFuncExec):
+        (JSC::regExpProtoFuncMatchFast):
+        (JSC::regExpProtoFuncToString):
+        (JSC::regExpProtoFuncSplitFast):
+        * runtime/ScriptExecutable.cpp:
+        (JSC::ScriptExecutable::newCodeBlockFor):
+        (JSC::ScriptExecutable::prepareForExecutionImpl):
+        * runtime/SetConstructor.cpp:
+        (JSC::constructSet):
+        * runtime/ThrowScope.cpp:
+        (JSC::ThrowScope::simulateThrow):
+        * runtime/VM.cpp:
+        (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
+        * runtime/VM.h:
+        * runtime/WeakMapPrototype.cpp:
+        (JSC::protoFuncWeakMapSet):
+        * runtime/WeakSetPrototype.cpp:
+        (JSC::protoFuncWeakSetAdd):
+        * wasm/js/WebAssemblyModuleConstructor.cpp:
+        (JSC::WebAssemblyModuleConstructor::createModule):
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::link):
+        * wasm/js/WebAssemblyPrototype.cpp:
+        (JSC::reject):
+        (JSC::webAssemblyCompileFunc):
+        (JSC::resolve):
+        (JSC::webAssemblyInstantiateFunc):
+
 2017-09-08  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -624 +624 @@
 
             ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), localScopeDepth, scope, ident, Get, type, InitializationMode::NotInitialization);
+            RETURN_IF_EXCEPTION(throwScope, false);
+
             instructions[i + 4].u.operand = op.type;
             instructions[i + 5].u.operand = op.depth;
@@ -658 +660 @@
             const Identifier& ident = identifier(pc[3].u.operand);
             ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), localScopeDepth, scope, ident, Get, getPutInfo.resolveType(), InitializationMode::NotInitialization);
+            RETURN_IF_EXCEPTION(throwScope, false);
 
             instructions[i + 4].u.operand = GetPutInfo(getPutInfo.resolveMode(), op.type, getPutInfo.initializationMode()).operand();
@@ -693 +696 @@
             instructions[i + 5].u.pointer = nullptr;
             ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), localScopeDepth, scope, ident, Put, getPutInfo.resolveType(), getPutInfo.initializationMode());
+            RETURN_IF_EXCEPTION(throwScope, false);
 
             instructions[i + 4].u.operand = GetPutInfo(getPutInfo.resolveMode(), op.type, getPutInfo.initializationMode()).operand();
@@ -727 +731 @@
                 // we're abstractly "read"ing from a JSScope.
                 ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), localScopeDepth, scope, ident, Get, type, InitializationMode::NotInitialization);
+                RETURN_IF_EXCEPTION(throwScope, false);
 
                 if (op.type == ClosureVar || op.type == ModuleVar)

trunk/Source/JavaScriptCore/dfg/DFGOSRExit.cpp

@@ -345 +345 @@
 
     ASSERT(!vm.callFrameForCatch || exit.m_kind == GenericUnwind);
-    ASSERT_UNUSED(scope, !exit.isExceptionHandler() || !!scope.exception());
+    EXCEPTION_ASSERT_UNUSED(scope, !!scope.exception() || !exit.isExceptionHandler());
 
     if (UNLIKELY(!exit.exitState)) {

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -916 +916 @@
 
     JSString* input = argument.toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !input);
+    EXCEPTION_ASSERT(!!scope.exception() == !input);
     if (!input)
         return encodedJSValue();
@@ -938 +938 @@
 
     JSString* input = argument.toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !input);
+    EXCEPTION_ASSERT(!!scope.exception() == !input);
     if (!input)
         return JSValue::encode(jsUndefined());
@@ -1033 +1033 @@
 
     JSString* input = argument.toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !input);
+    EXCEPTION_ASSERT(!!scope.exception() == !input);
     if (!input)
         return false;
@@ -2194 +2194 @@
             for (unsigned i = 0; i < array->size(); i++) {
                 result->putDirectIndex(exec, index, array->get(i));
+                RETURN_IF_EXCEPTION(scope, nullptr);
                 ++index;
             }
@@ -2199 +2200 @@
             // We are not spreading.
             result->putDirectIndex(exec, index, value);
+            RETURN_IF_EXCEPTION(scope, nullptr);
             ++index;
         }

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -162 +162 @@
         JSScope::collectClosureVariablesUnderTDZ(callerScopeChain, variablesUnderTDZ);
         eval = DirectEvalExecutable::create(callFrame, makeSource(programSource, callerCodeBlock->source()->sourceOrigin()), callerCodeBlock->isStrictMode(), derivedContextType, isArrowFunctionContext, evalContextType, &variablesUnderTDZ);
-        ASSERT(!!scope.exception() == !eval);
+        EXCEPTION_ASSERT(!!scope.exception() == !eval);
         if (!eval)
             return jsUndefined();
@@ -252 +252 @@
     if (UNLIKELY(!arguments.isCell()) || !length)
         return;
-    
+
+    VM& vm = callFrame->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSCell* cell = arguments.asCell();
 
     switch (cell->type()) {
     case DirectArgumentsType:
+        scope.release();
         jsCast<DirectArguments*>(cell)->copyToArguments(callFrame, firstElementDest, offset, length);
         return;
     case ScopedArgumentsType:
+        scope.release();
         jsCast<ScopedArguments*>(cell)->copyToArguments(callFrame, firstElementDest, offset, length);
         return;
     case JSFixedArrayType:
+        scope.release();
         jsCast<JSFixedArray*>(cell)->copyToArguments(callFrame, firstElementDest, offset, length);
         return;
@@ -269 +274 @@
         JSObject* object = jsCast<JSObject*>(cell);
         if (isJSArray(object)) {
+            scope.release();
             jsCast<JSArray*>(object)->copyToArguments(callFrame, firstElementDest, offset, length);
             return;
@@ -275 +281 @@
         for (i = 0; i < length && object->canGetIndexQuickly(i + offset); ++i)
             callFrame->r(firstElementDest + i) = object->getIndexQuickly(i + offset);
-        for (; i < length; ++i)
-            callFrame->r(firstElementDest + i) = object->get(callFrame, i + offset);
+        for (; i < length; ++i) {
+            JSValue value = object->get(callFrame, i + offset);
+            RETURN_IF_EXCEPTION(scope, void());
+            callFrame->r(firstElementDest + i) = value;
+        }
         return;
     } }
@@ -711 +720 @@
         exceptionValue = jsNull();
 
-    ASSERT_UNUSED(scope, scope.exception() && (!Options::exceptionStackTraceLimit() || scope.exception()->stack().size()));
+    EXCEPTION_ASSERT_UNUSED(scope, scope.exception() && (!Options::exceptionStackTraceLimit() || scope.exception()->stack().size()));
 
     // Calculate an exception handler vPC, unwinding call frames as necessary.
@@ -768 +777 @@
 
     ProgramExecutable* program = ProgramExecutable::create(callFrame, source);
-    ASSERT(throwScope.exception() || program);
+    EXCEPTION_ASSERT(throwScope.exception() || program);
     RETURN_IF_EXCEPTION(throwScope, { });
 
@@ -883 +892 @@
     // Compile source to bytecode if necessary:
     JSObject* error = program->initializeGlobalProperties(vm, callFrame, scope);
-    ASSERT(!throwScope.exception() || !error);
+    EXCEPTION_ASSERT(!throwScope.exception() || !error);
     if (UNLIKELY(error))
         return checkedReturn(throwException(callFrame, throwScope, error));
@@ -891 +900 @@
         CodeBlock* tempCodeBlock;
         JSObject* error = program->prepareForExecution<ProgramExecutable>(vm, nullptr, scope, CodeForCall, tempCodeBlock);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (UNLIKELY(error))
             return checkedReturn(error);
@@ -949 +958 @@
         // Compile the callee:
         JSObject* compileError = callData.js.functionExecutable->prepareForExecution<FunctionExecutable>(vm, jsCast<JSFunction*>(function), scope, CodeForCall, newCodeBlock);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
         if (UNLIKELY(!!compileError))
             return checkedReturn(compileError);
@@ -1016 +1025 @@
         // Compile the callee:
         JSObject* compileError = constructData.js.functionExecutable->prepareForExecution<FunctionExecutable>(vm, jsCast<JSFunction*>(constructor), scope, CodeForConstruct, newCodeBlock);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
         if (UNLIKELY(!!compileError))
             return checkedReturn(compileError);
@@ -1064 +1073 @@
     CodeBlock* newCodeBlock;
     JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(vm, function, scope, CodeForCall, newCodeBlock);
-    ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
+    EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
     if (UNLIKELY(error))
         return CallFrameClosure();
@@ -1147 +1156 @@
         CodeBlock* tempCodeBlock;
         JSObject* compileError = eval->prepareForExecution<EvalExecutable>(vm, nullptr, scope, CodeForCall, tempCodeBlock);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
         if (UNLIKELY(!!compileError))
             return checkedReturn(compileError);
@@ -1200 +1209 @@
                 // We need create this variables because it will be used to emits code by bytecode generator
                 variableObject->methodTable(vm)->put(variableObject, callFrame, function->name(), jsUndefined(), slot);
+                RETURN_IF_EXCEPTION(throwScope, checkedReturn(throwScope.exception()));
             }
         } else {
@@ -1205 +1215 @@
                 FunctionExecutable* function = codeBlock->functionDecl(i);
                 JSValue resolvedScope = JSScope::resolveScopeForHoistingFuncDeclInEval(callFrame, scope, function->name());
+                RETURN_IF_EXCEPTION(throwScope, checkedReturn(throwScope.exception()));
                 if (resolvedScope.isUndefined())
                     return checkedReturn(throwSyntaxError(callFrame, throwScope, makeString("Can't create duplicate variable in eval: '", String(function->name().impl()), "'")));
@@ -1216 +1227 @@
                 const Identifier& ident = codeBlock->functionHoistingCandidate(i);
                 JSValue resolvedScope = JSScope::resolveScopeForHoistingFuncDeclInEval(callFrame, scope, ident);
+                RETURN_IF_EXCEPTION(throwScope, checkedReturn(throwScope.exception()));
                 if (!resolvedScope.isUndefined()) {
-                    if (!variableObject->hasProperty(callFrame, ident)) {
+                    bool hasProperty = variableObject->hasProperty(callFrame, ident);
+                    RETURN_IF_EXCEPTION(throwScope, checkedReturn(throwScope.exception()));
+                    if (!hasProperty) {
                         PutPropertySlot slot(variableObject);
                         variableObject->methodTable(vm)->put(variableObject, callFrame, ident, jsUndefined(), slot);
@@ -1265 +1279 @@
         CodeBlock* tempCodeBlock;
         JSObject* compileError = executable->prepareForExecution<ModuleProgramExecutable>(vm, nullptr, scope, CodeForCall, tempCodeBlock);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(compileError));
         if (UNLIKELY(!!compileError))
             return checkedReturn(compileError);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -354 +354 @@
     Identifier ident = Identifier::fromUid(vm, key);
     LOG_IC((ICEvent::OperationIn, base->classInfo(*vm), ident));
+    scope.release();
     return JSValue::encode(jsBoolean(asObject(base)->hasProperty(exec, ident)));
 }
@@ -554 +555 @@
         if (baseValue.isObject()) {
             JSObject* object = asObject(baseValue);
-            if (object->canSetIndexQuickly(i))
+            if (object->canSetIndexQuickly(i)) {
                 object->setIndexQuickly(vm, i, value);
-            else {
-                // FIXME: This will make us think that in-bounds typed array accesses are actually
-                // out-of-bounds.
-                // https://bugs.webkit.org/show_bug.cgi?id=149886
-                byValInfo->arrayProfile->setOutOfBounds();
-                object->methodTable(vm)->putByIndex(object, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
+                return;
             }
-        } else
-            baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
+
+            // FIXME: This will make us think that in-bounds typed array accesses are actually
+            // out-of-bounds.
+            // https://bugs.webkit.org/show_bug.cgi?id=149886
+            byValInfo->arrayProfile->setOutOfBounds();
+            scope.release();
+            object->methodTable(vm)->putByIndex(object, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
+            return;
+        }
+
+        scope.release();
+        baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
         return;
     }
@@ -604 +610 @@
         }
 
+        scope.release();
         baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
@@ -613 +620 @@
         if (subscriptAsDouble == subscriptAsUInt32 && isIndex(subscriptAsUInt32)) {
             byValInfo->tookSlowPath = true;
+            scope.release();
             baseObject->putDirectIndex(callFrame, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
             return;
@@ -624 +632 @@
     if (std::optional<uint32_t> index = parseIndex(property)) {
         byValInfo->tookSlowPath = true;
+        scope.release();
         baseObject->putDirectIndex(callFrame, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
@@ -958 +967 @@
         CodeBlock** codeBlockSlot = execCallee->addressOfCodeBlock();
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(*vm, callee, scope, kind, *codeBlockSlot);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (error) {
             return encodeResult(
@@ -1017 +1026 @@
         
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(*vm, callee, scope, kind, codeBlock);
-        ASSERT_UNUSED(throwScope, throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT_UNUSED(throwScope, throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (error)
             return;
@@ -1044 +1053 @@
     JSValue calleeAsValue = execCallee->guaranteedJSValueCallee();
     calleeAsFunctionCell = getJSFunction(calleeAsValue);
-    if (UNLIKELY(!calleeAsFunctionCell))
+    if (UNLIKELY(!calleeAsFunctionCell)) {
+        throwScope.release();
         return handleHostCall(execCallee, calleeAsValue, callLinkInfo);
+    }
     
     JSFunction* function = jsCast<JSFunction*>(calleeAsFunctionCell);
@@ -1062 +1073 @@
         CodeBlock** codeBlockSlot = execCallee->addressOfCodeBlock();
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(*vm, function, scope, kind, *codeBlockSlot);
-        ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
+        EXCEPTION_ASSERT(throwScope.exception() == reinterpret_cast<Exception*>(error));
         if (error) {
             return encodeResult(
@@ -1594 +1605 @@
     RETURN_IF_EXCEPTION(scope, void());
 
+    scope.release();
     if (accessorType == AccessorType::Getter)
         base->putGetter(exec, propertyKey, accessor, attribute);
@@ -1761 +1773 @@
             if (asString(baseValue)->canGetIndex(i)) {
                 ctiPatchCallByReturnAddress(returnAddress, FunctionPtr(operationGetByValString));
+                scope.release();
                 return asString(baseValue)->getIndex(exec, i);
             }
@@ -1777 +1790 @@
         }
 
+        scope.release();
         return baseValue.get(exec, i);
     }
@@ -1789 +1803 @@
         byValInfo->tookSlowPath = true;
 
+    scope.release();
     return baseValue.get(exec, property);
 }
@@ -1980 +1995 @@
     if (LIKELY(subscript.isUInt32())) {
         uint32_t i = subscript.asUInt32();
-        if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
-            result = asString(baseValue)->getIndex(exec, i);
-        else {
-            result = baseValue.get(exec, i);
-            if (!isJSString(baseValue)) {
-                ASSERT(exec->bytecodeOffset());
-                ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(byValInfo->stubRoutine ? operationGetByValGeneric : operationGetByValOptimize));
-            }
+        if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i)) {
+            scope.release();
+            return JSValue::encode(asString(baseValue)->getIndex(exec, i));
+        }
+        result = baseValue.get(exec, i);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        if (!isJSString(baseValue)) {
+            ASSERT(exec->bytecodeOffset());
+            ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(byValInfo->stubRoutine ? operationGetByValGeneric : operationGetByValOptimize));
         }
     } else {
@@ -1994 +2010 @@
         auto property = subscript.toPropertyKey(exec);
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        scope.release();
         result = baseValue.get(exec, property);
     }
@@ -2012 +2029 @@
 
     JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
+    RETURN_IF_EXCEPTION(scope, false);
     if (!baseObj)
         return false;
     bool couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, Identifier::fromUid(&vm, uid));
+    RETURN_IF_EXCEPTION(scope, false);
     if (!couldDelete && exec->codeBlock()->isStrictMode())
         throwTypeError(exec, scope, ASCIILiteral(UnableToDeletePropertyError));
@@ -2032 +2051 @@
 
     JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
+    RETURN_IF_EXCEPTION(scope, false);
     JSValue key = JSValue::decode(encodedKey);
     if (!baseObj)
@@ -2041 +2061 @@
         couldDelete = baseObj->methodTable(vm)->deletePropertyByIndex(baseObj, exec, index);
     else {
-        RETURN_IF_EXCEPTION(scope, false);
         Identifier property = key.toPropertyKey(exec);
         RETURN_IF_EXCEPTION(scope, false);
         couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, property);
     }
+    RETURN_IF_EXCEPTION(scope, false);
     if (!couldDelete && exec->codeBlock()->isStrictMode())
         throwTypeError(exec, scope, ASCIILiteral(UnableToDeletePropertyError));
@@ -2198 +2218 @@
     ASSERT(getPutInfo.resolveType() != ModuleVar);
 
+    throwScope.release();
     return JSValue::encode(scope->getPropertySlot(exec, ident, [&] (bool found, PropertySlot& slot) -> JSValue {
         if (!found) {
@@ -2249 +2270 @@
 
     bool hasProperty = scope->hasProperty(exec, ident);
+    EXCEPTION_ASSERT(!throwScope.exception() || !hasProperty);
     if (hasProperty
         && scope->isGlobalLexicalEnvironment()
@@ -2521 +2543 @@
     double a = op1.toNumber(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    scope.release();
     double b = op2.toNumber(exec);
     return JSValue::encode(jsNumber(a * b));
@@ -2622 +2645 @@
     JSValue operand = JSValue::decode(encodedOperand);
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(jsNumber(-number));
 }
@@ -2636 +2658 @@
     arithProfile.observeLHS(operand);
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     JSValue result = jsNumber(-number);
@@ -2673 +2694 @@
     
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSValue result = jsNumber(-number);
     arithProfile->observeResult(result);
@@ -2697 +2717 @@
 
     double number = operand.toNumber(exec);
-    if (UNLIKELY(scope.exception()))
-        return JSValue::encode(JSValue());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     return JSValue::encode(jsNumber(-number));
 }
@@ -2710 +2729 @@
     double a = op1.toNumber(exec);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    scope.release();
     double b = op2.toNumber(exec);
     return JSValue::encode(jsNumber(a - b));

trunk/Source/JavaScriptCore/jsc.cpp

@@ -414 +414 @@
             return throwVMTypeError(exec, scope);
         bool shouldThrow = thisObject->get(exec, PropertyName(Identifier::fromString(exec, "shouldThrow"))).toBoolean(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
         if (shouldThrow)
             return throwVMTypeError(exec, scope);
@@ -1657 +1658 @@
         return rejectPromise(createError(exec, makeString("Could not resolve the referrer name '", String(referrer.impl()), "'.")));
 
-    return JSC::importModule(exec, Identifier::fromString(&vm, resolvePath(directoryName.value(), ModuleName(moduleName))), jsUndefined());
+    auto result = JSC::importModule(exec, Identifier::fromString(&vm, resolvePath(directoryName.value(), ModuleName(moduleName))), jsUndefined());
+    scope.releaseAssertNoException();
+    return result;
 }
 
@@ -1674 +1677 @@
     }
 
-    if (key.isSymbol())
-        return deferred->resolve(exec, keyValue);
-
+    if (key.isSymbol()) {
+        auto result = deferred->resolve(exec, keyValue);
+        scope.releaseAssertNoException();
+        return result;
+    }
     if (referrerValue.isUndefined()) {
         auto directoryName = currentWorkingDirectory();
         if (!directoryName)
             return deferred->reject(exec, createError(exec, ASCIILiteral("Could not resolve the current working directory.")));
-        return deferred->resolve(exec, jsString(exec, resolvePath(directoryName.value(), ModuleName(key.impl()))));
+        auto result = deferred->resolve(exec, jsString(exec, resolvePath(directoryName.value(), ModuleName(key.impl()))));
+        scope.releaseAssertNoException();
+        return result;
     }
 
@@ -1695 +1702 @@
         if (!directoryName)
             return deferred->reject(exec, createError(exec, ASCIILiteral("Could not resolve the current working directory.")));
-        return deferred->resolve(exec, jsString(exec, resolvePath(directoryName.value(), ModuleName(key.impl()))));
+        auto result = deferred->resolve(exec, jsString(exec, resolvePath(directoryName.value(), ModuleName(key.impl()))));
+        scope.releaseAssertNoException();
+        return result;
     }
 
@@ -2713 +2722 @@
     args.append(jsBuffer);
     args.append(jsNumber(message->index()));
+    scope.release();
     return JSValue::encode(call(exec, callback, callType, callData, jsNull(), args));
 }

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -820 +820 @@
     if (subscript.isUInt32()) {
         uint32_t i = subscript.asUInt32();
-        if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
+        if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i)) {
+            scope.release();
             return asString(baseValue)->getIndex(exec, i);
+        }
         scope.release();
         return baseValue.get(exec, i);
@@ -1332 +1334 @@
         CodeBlock** codeBlockSlot = execCallee->addressOfCodeBlock();
         JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(vm, callee, scope, kind, *codeBlockSlot);
-        ASSERT(throwScope.exception() == error);
+        EXCEPTION_ASSERT(throwScope.exception() == error);
         if (UNLIKELY(error))
             LLINT_CALL_THROW(exec, error);

trunk/Source/JavaScriptCore/parser/Parser.h

@@ -1177 +1177 @@
     void popScopeInternal(ScopeRef& scope, bool shouldTrackClosedVariables)
     {
-        ASSERT_UNUSED(scope, scope.index() == m_scopeStack.size() - 1);
+        EXCEPTION_ASSERT_UNUSED(scope, scope.index() == m_scopeStack.size() - 1);
         ASSERT(m_scopeStack.size() > 1);
         m_scopeStack[m_scopeStack.size() - 2].collectFreeVariables(&m_scopeStack.last(), shouldTrackClosedVariables);

trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp

@@ -147 +147 @@
 AbstractModuleRecord* AbstractModuleRecord::hostResolveImportedModule(ExecState* exec, const Identifier& moduleName)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSValue moduleNameValue = identifierToJSValue(exec, moduleName);
     JSValue pair = m_dependenciesMap->JSMap::get(exec, moduleNameValue);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    scope.release();
     return jsCast<AbstractModuleRecord*>(pair.get(exec, Identifier::fromString(exec, "value")));
 }
@@ -154 +158 @@
 auto AbstractModuleRecord::resolveImport(ExecState* exec, const Identifier& localName) -> Resolution
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     std::optional<ImportEntry> optionalImportEntry = tryGetImportEntry(localName.impl());
     if (!optionalImportEntry)
@@ -163 +170 @@
 
     AbstractModuleRecord* importedModule = hostResolveImportedModule(exec, importEntry.moduleRequest);
+    RETURN_IF_EXCEPTION(scope, Resolution::error());
     return importedModule->resolveExport(exec, importEntry.importName);
 }
@@ -237 +245 @@
 auto AbstractModuleRecord::resolveExportImpl(ExecState* exec, const ResolveQuery& root) -> Resolution
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     // http://www.ecma-international.org/ecma-262/6.0/#sec-resolveexport
 
@@ -497 +508 @@
         // Rationale to this error: A default export cannot be provided by an export *.
         VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
         if (query.exportName == vm.propertyNames->defaultKeyword.impl())
             return false;
@@ -515 +527 @@
             const RefPtr<UniquedStringImpl>& starModuleName = *iterator;
             AbstractModuleRecord* importedModuleRecord = query.moduleRecord->hostResolveImportedModule(exec, Identifier::fromUid(exec, starModuleName.get()));
+            RETURN_IF_EXCEPTION(scope, false);
             pendingTasks.append(Task { ResolveQuery(importedModuleRecord, query.exportName.get()), Type::Query });
         }
@@ -577 +590 @@
                 // If there is no matched exported binding in the current module,
                 // we need to look into the stars.
-                if (!resolveNonLocal(task.query))
+                bool success = resolveNonLocal(task.query);
+                EXCEPTION_ASSERT(!scope.exception() || !success);
+                if (!success)
                     return Resolution::error();
                 continue;
@@ -596 +611 @@
             case ExportEntry::Type::Indirect: {
                 AbstractModuleRecord* importedModuleRecord = moduleRecord->hostResolveImportedModule(exec, exportEntry.moduleName);
+                RETURN_IF_EXCEPTION(scope, Resolution::error());
 
                 // When the imported module does not produce any resolved binding, we need to look into the stars in the *current*
@@ -615 +631 @@
                 // Indirect export entry does not produce any resolved binding.
                 // So we will investigate the stars.
-                if (!resolveNonLocal(task.query))
+                bool success = resolveNonLocal(task.query);
+                EXCEPTION_ASSERT(!scope.exception() || !success);
+                if (!success)
                     return Resolution::error();
                 continue;
@@ -664 +682 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     HashSet<AbstractModuleRecord*> exportStarSet;
     Vector<AbstractModuleRecord*, 8> pendingModules;
@@ -683 +703 @@
         for (const auto& starModuleName : moduleRecord->starExportEntries()) {
             AbstractModuleRecord* requestedModuleRecord = moduleRecord->hostResolveImportedModule(exec, Identifier::fromUid(exec, starModuleName.get()));
+            RETURN_IF_EXCEPTION(scope, void());
             pendingModules.append(requestedModuleRecord);
         }
@@ -700 +721 @@
     IdentifierSet exportedNames;
     getExportedNames(exec, this, exportedNames);
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     Vector<std::pair<Identifier, Resolution>> resolutions;
@@ -705 +727 @@
         Identifier ident = Identifier::fromUid(exec, name.get());
         const Resolution resolution = resolveExport(exec, ident);
+        RETURN_IF_EXCEPTION(scope, nullptr);
         switch (resolution.type) {
         case Resolution::Type::NotFound:
@@ -723 +746 @@
     }
 
-    m_moduleNamespaceObject.set(vm, this, JSModuleNamespaceObject::create(exec, globalObject, globalObject->moduleNamespaceObjectStructure(), this, WTFMove(resolutions)));
-    return m_moduleNamespaceObject.get();
+    auto* moduleNamespaceObject = JSModuleNamespaceObject::create(exec, globalObject, globalObject->moduleNamespaceObjectStructure(), this, WTFMove(resolutions));
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    m_moduleNamespaceObject.set(vm, this, moduleNamespaceObject);
+    return moduleNamespaceObject;
 }
 

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -161 +161 @@
     PropertySlot slot(object, PropertySlot::InternalMethodType::HasProperty);
     bool hasProperty = object->getPropertySlot(exec, index, slot);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (!hasProperty)
         return { };
@@ -230 +230 @@
         // We need prototype check for subclasses of Array, which are Array objects but have a different prototype by default.
         bool isValid = speciesWatchpointIsValid(exec, thisObject);
+        scope.assertNoException();
         if (LIKELY(isValid))
             return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
@@ -355 +356 @@
         if (array->length() == length) {
             bool handled = array->unshiftCount<shiftCountMode>(exec, header, count);
-            ASSERT(!scope.exception() || handled);
+            EXCEPTION_ASSERT(!scope.exception() || handled);
             if (handled)
                 return;
@@ -420 +421 @@
 
     StringRecursionChecker checker(exec, thisArray);
-    ASSERT(!scope.exception() || checker.earlyReturnValue());
+    EXCEPTION_ASSERT(!scope.exception() || checker.earlyReturnValue());
     if (JSValue earlyReturnValue = checker.earlyReturnValue())
         return JSValue::encode(earlyReturnValue);
@@ -453 +454 @@
 
     StringRecursionChecker checker(exec, thisObject);
-    ASSERT(!scope.exception() || checker.earlyReturnValue());
+    EXCEPTION_ASSERT(!scope.exception() || checker.earlyReturnValue());
     if (JSValue earlyReturnValue = checker.earlyReturnValue())
         return JSValue::encode(earlyReturnValue);
@@ -666 +667 @@
     // 1. Let O be ? ToObject(this value).
     JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObject);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
     if (UNLIKELY(!thisObject))
         return encodedJSValue();
 
     StringRecursionChecker checker(exec, thisObject);
-    ASSERT(!scope.exception() || checker.earlyReturnValue());
+    EXCEPTION_ASSERT(!scope.exception() || checker.earlyReturnValue());
     if (JSValue earlyReturnValue = checker.earlyReturnValue())
         return JSValue::encode(earlyReturnValue);
@@ -733 +734 @@
 
     JSObject* thisObj = thisValue.toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -772 +773 @@
     
     JSObject* thisObj = thisValue.toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -802 +803 @@
 
     JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObject);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
     if (UNLIKELY(!thisObject))
         return encodedJSValue();
@@ -894 +895 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -921 +922 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return { };
@@ -936 +937 @@
     std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, end - begin);
     // We can only get an exception if we call some user function.
-    ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
+    EXCEPTION_ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
     if (UNLIKELY(speciesResult.first == SpeciesConstructResult::Exception))
         return { };
@@ -977 +978 @@
 
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -985 +986 @@
     if (!exec->argumentCount()) {
         std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, 0);
-        ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
+        EXCEPTION_ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
         if (UNLIKELY(speciesResult.first == SpeciesConstructResult::Exception))
             return encodedJSValue();
@@ -1020 +1021 @@
 
     std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, actualDeleteCount);
-    ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
+    EXCEPTION_ASSERT(!!scope.exception() == (speciesResult.first == SpeciesConstructResult::Exception));
     if (speciesResult.first == SpeciesConstructResult::Exception)
         return JSValue::encode(jsUndefined());
@@ -1075 +1076 @@
 
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -1106 +1107 @@
     // 15.4.4.14
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -1113 +1114 @@
 
     unsigned index = argumentClampedIndexFromStartOrEnd(exec, 1, length);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSValue searchElement = exec->argument(0);
     for (; index < length; ++index) {
@@ -1134 +1136 @@
     // 15.4.4.15
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -1224 +1226 @@
 
     bool success = result->appendMemcpy(exec, vm, 0, first);
-    ASSERT(!success || !scope.exception());
+    EXCEPTION_ASSERT(!scope.exception() || !success);
     if (!success) {
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
         bool success = moveElements(exec, vm, result, 0, first, firstArraySize);
-        ASSERT(!scope.exception() == success);
+        EXCEPTION_ASSERT(!scope.exception() == success);
         if (UNLIKELY(!success))
             return encodedJSValue();
@@ -1257 +1259 @@
     // We need to check the species constructor here since checking it in the JS wrapper is too expensive for the non-optimizing tiers.
     bool isValid = speciesWatchpointIsValid(exec, firstArray);
+    scope.assertNoException();
     if (UNLIKELY(!isValid))
         return JSValue::encode(jsNull());
@@ -1291 +1294 @@
 
         bool success = moveElements(exec, vm, result, 0, firstArray, firstArraySize);
-        ASSERT(!scope.exception() == success);
+        EXCEPTION_ASSERT(!scope.exception() == success);
         if (UNLIKELY(!success))
             return encodedJSValue();
         success = moveElements(exec, vm, result, firstArraySize, secondArray, secondArraySize);
-        ASSERT(!scope.exception() == success);
+        EXCEPTION_ASSERT(!scope.exception() == success);
         if (UNLIKELY(!success))
             return encodedJSValue();
@@ -1352 +1355 @@
     unsigned startIndex = static_cast<unsigned>(startValue.asAnyInt());
     bool success = resultArray->appendMemcpy(exec, vm, startIndex, otherArray);
-    ASSERT(!success || !scope.exception());
-    if (!success) {
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
-        moveElements(exec, vm, resultArray, startIndex, otherArray, otherArray->length());
-    }
+    EXCEPTION_ASSERT(!scope.exception() || !success);
+    if (success)
+        return JSValue::encode(jsUndefined());
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    scope.release();
+    moveElements(exec, vm, resultArray, startIndex, otherArray, otherArray->length());
     return JSValue::encode(jsUndefined());
 }

trunk/Source/JavaScriptCore/runtime/CatchScope.h

@@ -69 +69 @@
 #endif // ENABLE(EXCEPTION_SCOPE_VERIFICATION)
 
+#define CLEAR_AND_RETURN_IF_EXCEPTION(scope__, value__) do { \
+        if (UNLIKELY((scope__).exception())) { \
+            (scope__).clearException(); \
+            return value__; \
+        } \
+    } while (false)
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -1045 +1045 @@
                 RELEASE_ASSERT(array->get(i));
                 result->putDirectIndex(exec, index, array->get(i));
+                CHECK_EXCEPTION();
                 ++index;
             }
@@ -1050 +1051 @@
             // We are not spreading.
             result->putDirectIndex(exec, index, value);
+            CHECK_EXCEPTION();
             ++index;
         }

trunk/Source/JavaScriptCore/runtime/DatePrototype.cpp

@@ -928 +928 @@
 
     double milli = timeClip(exec->argument(0).toNumber(exec));
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSValue result = jsNumber(milli);
     thisDateObj->setInternalValue(vm, result);
@@ -961 +962 @@
     GregorianDateTime gregorianDateTime;
     gregorianDateTime.copyFrom(*other);
-    if (!fillStructuresUsingTimeArgs(exec, numArgsToUse, &ms, &gregorianDateTime)) {
+    bool success = fillStructuresUsingTimeArgs(exec, numArgsToUse, &ms, &gregorianDateTime);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    if (!success) {
         JSValue result = jsNaN();
         thisDateObj->setInternalValue(vm, result);

trunk/Source/JavaScriptCore/runtime/DirectArguments.h

@@ -77 +77 @@
         if (UNLIKELY(m_mappedArguments)) {
             VM& vm = exec->vm();
-            return get(exec, vm.propertyNames->length).toUInt32(exec);
+            auto scope = DECLARE_THROW_SCOPE(vm);
+            JSValue value = get(exec, vm.propertyNames->length);
+            RETURN_IF_EXCEPTION(scope, 0);
+            scope.release();
+            return value.toUInt32(exec);
         }
         return m_length;

trunk/Source/JavaScriptCore/runtime/ErrorPrototype.cpp

@@ -81 +81 @@
     // Guard against recursion!
     StringRecursionChecker checker(exec, thisObj);
-    ASSERT(!scope.exception() || checker.earlyReturnValue());
+    EXCEPTION_ASSERT(!scope.exception() || checker.earlyReturnValue());
     if (JSValue earlyReturnValue = checker.earlyReturnValue())
         return JSValue::encode(earlyReturnValue);

trunk/Source/JavaScriptCore/runtime/ExceptionFuzz.cpp

@@ -57 +57 @@
         // even when one may already exist. This is ok for ExceptionFuzz testing, but we need
         // to placate the exception check verifier here.
-        ASSERT(scope.exception() || !scope.exception());
+        EXCEPTION_ASSERT(scope.exception() || !scope.exception());
 
         throwException(exec, scope, createError(exec, ASCIILiteral("Exception Fuzz")));

trunk/Source/JavaScriptCore/runtime/ExceptionScope.h

@@ -33 +33 @@
     
 #if ENABLE(EXCEPTION_SCOPE_VERIFICATION)
-    
+
+#define EXCEPTION_ASSERT(assertion) RELEASE_ASSERT(assertion)
+#define EXCEPTION_ASSERT_UNUSED(variable, assertion) RELEASE_ASSERT(assertion)
+#define EXCEPTION_ASSERT_WITH_MESSAGE(assertion, message) RELEASE_ASSERT_WITH_MESSAGE(assertion, message)
+
 class ExceptionScope {
 public:
@@ -40 +44 @@
     Exception* exception() { return m_vm.exception(); }
 
-    ALWAYS_INLINE void assertNoException() { ASSERT_WITH_MESSAGE(!exception(), "%s", unexpectedExceptionMessage().data()); }
+    ALWAYS_INLINE void assertNoException() { RELEASE_ASSERT_WITH_MESSAGE(!exception(), "%s", unexpectedExceptionMessage().data()); }
     ALWAYS_INLINE void releaseAssertNoException() { RELEASE_ASSERT_WITH_MESSAGE(!exception(), "%s", unexpectedExceptionMessage().data()); }
 
@@ -56 +60 @@
     unsigned m_recursionDepth;
 };
-    
+
 #else // not ENABLE(EXCEPTION_SCOPE_VERIFICATION)
     
+#define EXCEPTION_ASSERT(x) ASSERT(x)
+#define EXCEPTION_ASSERT_UNUSED(variable, assertion) ASSERT_UNUSED(variable, assertion)
+#define EXCEPTION_ASSERT_WITH_MESSAGE(assertion, message) ASSERT_WITH_MESSAGE(assertion, message)
+
 class ExceptionScope {
 public:
@@ -78 +86 @@
     VM& m_vm;
 };
-    
+
 #endif // ENABLE(EXCEPTION_SCOPE_VERIFICATION)
 

trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h

@@ -244 +244 @@
                         ASSERT(value);
                         object->putDirectMayBeIndex(exec, ident, value);
+                        scope.assertNoException();
                     }
                     thisObject->unmapArgument(vm, index);

trunk/Source/JavaScriptCore/runtime/HashMapImpl.h

@@ -637 +637 @@
         while (iter != end) {
             uint32_t index = jsMapHash(exec, vm, iter->key()) & mask;
-            ASSERT_WITH_MESSAGE(!scope.exception(), "All keys should already be hashed before, so this should not throw because it won't resolve ropes.");
+            EXCEPTION_ASSERT_WITH_MESSAGE(!scope.exception(), "All keys should already be hashed before, so this should not throw because it won't resolve ropes.");
             {
                 HashMapBucketType* bucket = buffer[index];

trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp

@@ -1020 +1020 @@
             part->putDirect(vm, vm.propertyNames->value, value);
             parts->push(&exec, part);
+            RETURN_IF_EXCEPTION(scope, { });
         }
         previousEndIndex = endIndex;
@@ -1030 +1031 @@
             part->putDirect(vm, vm.propertyNames->value, value);
             parts->push(&exec, part);
+            RETURN_IF_EXCEPTION(scope, { });
         }
     }

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -166 +166 @@
         // c. Let newLen be ToUint32(Desc.[[Value]]).
         unsigned newLen = descriptor.value().toUInt32(exec);
+        RETURN_IF_EXCEPTION(scope, false);
         // d. If newLen is not equal to ToNumber( Desc.[[Value]]), throw a RangeError exception.
-        if (newLen != descriptor.value().toNumber(exec)) {
+        double valueAsNumber = descriptor.value().toNumber(exec);
+        RETURN_IF_EXCEPTION(scope, false);
+        if (newLen != valueAsNumber) {
             JSC::throwException(exec, scope, createRangeError(exec, ASCIILiteral("Invalid array length")));
             return false;
@@ -199 +202 @@
         // l.iii. If deleteSucceeded is false, then
         bool success = array->setLength(exec, newLen, throwException);
-        ASSERT(!scope.exception() || !success);
+        EXCEPTION_ASSERT(!scope.exception() || !success);
         if (!success) {
             // 1. Set newLenDesc.[[Value] to oldLen+1.
@@ -273 +276 @@
         unsigned newLength = value.toUInt32(exec);
         RETURN_IF_EXCEPTION(scope, false);
-        if (value.toNumber(exec) != static_cast<double>(newLength)) {
+        double valueAsNumber = value.toNumber(exec);
+        RETURN_IF_EXCEPTION(scope, false);
+        if (valueAsNumber != static_cast<double>(newLength)) {
             throwException(exec, scope, createRangeError(exec, ASCIILiteral("Invalid array length")));
             return false;

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp

@@ -151 +151 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (std::optional<uint32_t> index = parseIndex(propertyName))
+    if (std::optional<uint32_t> index = parseIndex(propertyName)) {
+        scope.release();
         return putToPrimitiveByIndex(exec, index.value(), value, slot.isStrictMode());
+    }
 
     // Check if there are any setters or getters in the prototype chain
     JSObject* obj = synthesizePrototype(exec);
+    EXCEPTION_ASSERT(!!scope.exception() == !obj);
     if (UNLIKELY(!obj))
         return false;
@@ -177 +180 @@
 
             JSValue gs = obj->getDirect(offset);
-            if (gs.isGetterSetter())
+            if (gs.isGetterSetter()) {
+                scope.release();
                 return callSetter(exec, *this, gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+            }
 
             if (gs.isCustomGetterSetter())
@@ -208 +213 @@
     
     JSObject* prototype = synthesizePrototype(exec);
-    ASSERT(!prototype == !!scope.exception());
+    EXCEPTION_ASSERT(!!scope.exception() == !prototype);
     if (UNLIKELY(!prototype))
         return false;
     bool putResult = false;
-    if (prototype->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow, putResult))
+    bool success = prototype->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow, putResult);
+    RETURN_IF_EXCEPTION(scope, false);
+    if (success)
         return putResult;
     

trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

@@ -60 +60 @@
 
     double d = toNumber(exec);
-
+    RETURN_IF_EXCEPTION(scope, 0);
     if (d <= -1) {
         throwException(exec, scope, createRangeError(exec, makeString(errorName, " cannot be negative")));
@@ -72 +72 @@
     if (isInt32())
         return asInt32();
+    scope.release();
     return JSC::toInt32(d);
 }
@@ -797 +798 @@
 ALWAYS_INLINE JSValue JSValue::get(ExecState* exec, PropertyName propertyName, PropertySlot& slot) const
 {
-    return getPropertySlot(exec, propertyName, slot) ? 
-        slot.getValue(exec, propertyName) : jsUndefined();
+    auto scope = DECLARE_THROW_SCOPE(exec->vm());
+    bool hasSlot = getPropertySlot(exec, propertyName, slot);
+    EXCEPTION_ASSERT(!scope.exception() || !hasSlot);
+    if (!hasSlot)
+        return jsUndefined();
+    scope.release();
+    return slot.getValue(exec, propertyName);
 }
 
@@ -814 +820 @@
     bool found = getPropertySlot(exec, propertyName, slot);
     RETURN_IF_EXCEPTION(scope, { });
+    scope.release();
     return callback(found, slot);
 }
@@ -819 +826 @@
 ALWAYS_INLINE bool JSValue::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot) const
 {
+    auto scope = DECLARE_THROW_SCOPE(exec->vm());
     // If this is a primitive, we'll need to synthesize the prototype -
     // and if it's a string there are special properties to check first.
     JSObject* object;
     if (UNLIKELY(!isObject())) {
-        if (isString() && asString(*this)->getStringPropertySlot(exec, propertyName, slot))
-            return true;
+        if (isString()) {
+            bool hasProperty = asString(*this)->getStringPropertySlot(exec, propertyName, slot);
+            RETURN_IF_EXCEPTION(scope, false);
+            if (hasProperty)
+                return true;
+        }
         object = synthesizePrototype(exec);
+        EXCEPTION_ASSERT(!!scope.exception() == !object);
         if (UNLIKELY(!object))
             return false;
     } else
         object = asObject(asCell());
-    
+
+    scope.release();
     return object->getPropertySlot(exec, propertyName, slot);
 }
@@ -842 +856 @@
 ALWAYS_INLINE JSValue JSValue::get(ExecState* exec, unsigned propertyName, PropertySlot& slot) const
 {
+    auto scope = DECLARE_THROW_SCOPE(exec->vm());
     // If this is a primitive, we'll need to synthesize the prototype -
     // and if it's a string there are special properties to check first.
     JSObject* object;
     if (UNLIKELY(!isObject())) {
-        if (isString() && asString(*this)->getStringPropertySlot(exec, propertyName, slot))
-            return slot.getValue(exec, propertyName);
+        if (isString()) {
+            bool hasProperty = asString(*this)->getStringPropertySlot(exec, propertyName, slot);
+            RETURN_IF_EXCEPTION(scope, { });
+            if (hasProperty) {
+                scope.release();
+                return slot.getValue(exec, propertyName);
+            }
+        }
         object = synthesizePrototype(exec);
+        EXCEPTION_ASSERT(!!scope.exception() == !object);
         if (UNLIKELY(!object))
             return JSValue();
@@ -854 +876 @@
         object = asObject(asCell());
     
-    if (object->getPropertySlot(exec, propertyName, slot))
-        return slot.getValue(exec, propertyName);
-    return jsUndefined();
+    bool hasSlot = object->getPropertySlot(exec, propertyName, slot);
+    EXCEPTION_ASSERT(!scope.exception() || !hasSlot);
+    if (!hasSlot)
+        return jsUndefined();
+    scope.release();
+    return slot.getValue(exec, propertyName);
 }
 
@@ -922 +947 @@
         bool s1 = v1.isString();
         bool s2 = v2.isString();
-        if (s1 && s2)
+        if (s1 && s2) {
+            scope.release();
             return asString(v1)->equal(exec, asString(v2));
+        }
 
         if (v1.isUndefinedOrNull()) {
@@ -969 +996 @@
         if (s1 || s2) {
             double d1 = v1.toNumber(exec);
+            RETURN_IF_EXCEPTION(scope, false);
             double d2 = v2.toNumber(exec);
+            RETURN_IF_EXCEPTION(scope, false);
             return d1 == d2;
         }

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -101 +101 @@
 
     ViewClass* result = ViewClass::createUninitialized(exec, structure, storage.size());
-    ASSERT(!!scope.exception() == !result);
+    EXCEPTION_ASSERT(!!scope.exception() == !result);
     if (UNLIKELY(!result))
         return nullptr;
@@ -107 +107 @@
     for (unsigned i = 0; i < storage.size(); ++i) {
         bool success = result->setIndex(exec, i, storage.at(i));
-        ASSERT(scope.exception() || success);
+        EXCEPTION_ASSERT(scope.exception() || success);
         if (!success)
             return nullptr;
@@ -198 +198 @@
         
         ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
-        ASSERT(!!scope.exception() == !result);
+        EXCEPTION_ASSERT(!!scope.exception() == !result);
         if (UNLIKELY(!result))
             return nullptr;

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

@@ -253 +253 @@
         RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length));
         bool success = validateRange(exec, offset, length);
-        ASSERT(!scope.exception() == success);
+        EXCEPTION_ASSERT(!scope.exception() == success);
         if (!success)
             return false;
@@ -301 +301 @@
     case TypeDataView: {
         bool success = validateRange(exec, offset, length);
-        ASSERT(!scope.exception() == success);
+        EXCEPTION_ASSERT(!scope.exception() == success);
         if (!success)
             return false;
@@ -310 +310 @@
             RETURN_IF_EXCEPTION(scope, false);
             bool success = setIndex(exec, offset + i, value);
-            ASSERT(!scope.exception() || !success);
+            EXCEPTION_ASSERT(!scope.exception() || !success);
             if (!success)
                 return false;

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -1046 +1046 @@
     bool putResult = false;
     bool done = symbolTablePutTouchWatchpointSet(thisObject, exec, propertyName, value, shouldThrowReadOnlyError, ignoreReadOnlyErrors, putResult);
-    ASSERT((!!scope.exception() == (done && !putResult)) || !shouldThrowReadOnlyError);
+    EXCEPTION_ASSERT((!!scope.exception() == (done && !putResult)) || !shouldThrowReadOnlyError);
     if (done)
         return putResult;

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -232 +232 @@
         builder.append(c);
     }
+    scope.release();
     return builder.build(exec);
 }
@@ -487 +488 @@
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
+    JSValue parsedObject;
     if (s.is8Bit()) {
         LiteralParser<LChar> preparser(exec, s.characters8(), s.length(), NonStrictJSON);
-        if (JSValue parsedObject = preparser.tryLiteralParse())
-            return JSValue::encode(parsedObject);
+        parsedObject = preparser.tryLiteralParse();
     } else {
         LiteralParser<UChar> preparser(exec, s.characters16(), s.length(), NonStrictJSON);
-        if (JSValue parsedObject = preparser.tryLiteralParse())
-            return JSValue::encode(parsedObject);
-    }
+        parsedObject = preparser.tryLiteralParse();
+    }
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    if (parsedObject)
+        return JSValue::encode(parsedObject);
 
     SourceOrigin sourceOrigin = exec->callerSourceOrigin();
     JSGlobalObject* calleeGlobalObject = exec->jsCallee()->globalObject();
     EvalExecutable* eval = IndirectEvalExecutable::create(exec, makeSource(s, sourceOrigin), false, DerivedContextType::None, false, EvalContextType::None);
+    EXCEPTION_ASSERT(!!scope.exception() == !eval);
     if (!eval)
-        return JSValue::encode(jsUndefined());
-
+        return encodedJSValue();
+
+    scope.release();
     return JSValue::encode(vm.interpreter->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject->globalScope()));
 }
@@ -707 +712 @@
     if (!thisObject) {
         JSObject* prototype = exec->thisValue().synthesizePrototype(exec);
+        EXCEPTION_ASSERT(!!scope.exception() == !prototype);
         if (UNLIKELY(!prototype))
             return JSValue::encode(JSValue());
@@ -712 +718 @@
     }
 
+    scope.release();
     return JSValue::encode(thisObject->getPrototype(vm, exec));
 }
@@ -736 +743 @@
         return JSValue::encode(jsUndefined());
 
+    scope.release();
     bool shouldThrowIfCantSet = true;
     thisObject->setPrototype(vm, exec, value, shouldThrowIfCantSet);
@@ -778 +786 @@
 
     auto* promise = JSPromiseDeferred::create(exec, globalObject);
-    RETURN_IF_EXCEPTION(catchScope, { });
+    CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, encodedJSValue());
 
     auto sourceOrigin = exec->callerSourceOrigin();
@@ -786 +794 @@
         catchScope.clearException();
         promise->reject(exec, exception->value());
+        CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, encodedJSValue());
         return JSValue::encode(promise->promise());
     }
@@ -793 +802 @@
         catchScope.clearException();
         promise->reject(exec, exception->value());
+        CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, encodedJSValue());
         return JSValue::encode(promise->promise());
     }
     promise->resolve(exec, internalPromise);
+    CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, encodedJSValue());
 
     return JSValue::encode(promise->promise());

trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp

@@ -54 +54 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSObject* function = jsCast<JSObject*>(get(exec, vm.propertyNames->builtinNames().thenPublicName()));
+    RETURN_IF_EXCEPTION(scope, nullptr);
     CallData callData;
     CallType callType = JSC::getCallData(function, callData);
@@ -63 +66 @@
     arguments.append(onRejected ? onRejected : jsUndefined());
 
+    scope.release();
     return jsCast<JSInternalPromise*>(call(exec, function, callType, callData, this, arguments));
 }

trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp

@@ -41 +41 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
 
     JSValue deferred = newPromiseCapability(exec, globalObject, globalObject->internalPromiseConstructor());
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     JSValue promise = deferred.get(exec, vm.propertyNames->builtinNames().promisePrivateName());
+    RETURN_IF_EXCEPTION(scope, nullptr);
     ASSERT(promise.inherits(vm, JSInternalPromise::info()));
     JSValue resolve = deferred.get(exec, vm.propertyNames->builtinNames().resolvePrivateName());
+    RETURN_IF_EXCEPTION(scope, nullptr);
     JSValue reject = deferred.get(exec, vm.propertyNames->builtinNames().rejectPrivateName());
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     JSInternalPromiseDeferred* result = new (NotNull, allocateCell<JSInternalPromiseDeferred>(vm.heap)) JSInternalPromiseDeferred(vm);

trunk/Source/JavaScriptCore/runtime/JSJob.cpp

@@ -72 +72 @@
 
     MarkedArgumentBuffer handlerArguments;
-    for (unsigned index = 0, length = m_arguments->length(); index < length; ++index)
-        handlerArguments.append(m_arguments->JSArray::get(exec, index));
+    for (unsigned index = 0, length = m_arguments->length(); index < length; ++index) {
+        JSValue arg = m_arguments->JSArray::get(exec, index);
+        CLEAR_AND_RETURN_IF_EXCEPTION(scope, void());
+        handlerArguments.append(arg);
+    }
     profiledCall(exec, ProfilingReason::Microtask, m_job.get(), handlerCallType, handlerCallData, jsUndefined(), handlerArguments);
     scope.clearException();

trunk/Source/JavaScriptCore/runtime/JSModuleEnvironment.cpp

@@ -84 +84 @@
     JSModuleEnvironment* thisObject = jsCast<JSModuleEnvironment*>(cell);
     AbstractModuleRecord::Resolution resolution = thisObject->moduleRecord()->resolveImport(exec, Identifier::fromUid(exec, propertyName.uid()));
+    RETURN_IF_EXCEPTION(scope, false);
     if (resolution.type == AbstractModuleRecord::Resolution::Type::Resolved) {
         // When resolveImport resolves the resolution, the imported module environment must have the binding.
@@ -121 +122 @@
     // All imported bindings are immutable.
     AbstractModuleRecord::Resolution resolution = thisObject->moduleRecord()->resolveImport(exec, Identifier::fromUid(exec, propertyName.uid()));
+    RETURN_IF_EXCEPTION(scope, false);
     if (resolution.type == AbstractModuleRecord::Resolution::Type::Resolved) {
         throwTypeError(exec, scope, ASCIILiteral(ReadonlyPropertyWriteError));
@@ -130 +132 @@
 bool JSModuleEnvironment::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSModuleEnvironment* thisObject = jsCast<JSModuleEnvironment*>(cell);
     // All imported bindings are immutable.
     AbstractModuleRecord::Resolution resolution = thisObject->moduleRecord()->resolveImport(exec, Identifier::fromUid(exec, propertyName.uid()));
+    RETURN_IF_EXCEPTION(scope, false);
     if (resolution.type == AbstractModuleRecord::Resolution::Type::Resolved)
         return false;

trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp

@@ -82 +82 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSObject* function = jsCast<JSObject*>(get(exec, vm.propertyNames->builtinNames().providePublicName()));
+    RETURN_IF_EXCEPTION(scope, { });
     CallData callData;
     CallType callType = JSC::getCallData(function, callData);
@@ -93 +96 @@
     arguments.append(JSSourceCode::create(vm, WTFMove(source)));
 
+    scope.release();
     return call(exec, function, callType, callData, this, arguments);
 }
@@ -99 +103 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSObject* function = jsCast<JSObject*>(get(exec, vm.propertyNames->builtinNames().loadAndEvaluateModulePublicName()));
+    RETURN_IF_EXCEPTION(scope, nullptr);
     CallData callData;
     CallType callType = JSC::getCallData(function, callData);
@@ -109 +116 @@
     arguments.append(scriptFetcher);
 
+    scope.release();
     return jsCast<JSInternalPromise*>(call(exec, function, callType, callData, this, arguments));
 }
@@ -115 +123 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSObject* function = jsCast<JSObject*>(get(exec, vm.propertyNames->builtinNames().loadModulePublicName()));
+    RETURN_IF_EXCEPTION(scope, nullptr);
     CallData callData;
     CallType callType = JSC::getCallData(function, callData);
@@ -125 +136 @@
     arguments.append(scriptFetcher);
 
+    scope.release();
     return jsCast<JSInternalPromise*>(call(exec, function, callType, callData, this, arguments));
 }
@@ -131 +143 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSObject* function = jsCast<JSObject*>(get(exec, vm.propertyNames->builtinNames().linkAndEvaluateModulePublicName()));
+    RETURN_IF_EXCEPTION(scope, { });
     CallData callData;
     CallType callType = JSC::getCallData(function, callData);
@@ -140 +155 @@
     arguments.append(scriptFetcher);
 
+    scope.release();
     return call(exec, function, callType, callData, this, arguments);
 }
@@ -146 +162 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     auto* function = jsCast<JSObject*>(get(exec, vm.propertyNames->builtinNames().requestImportModulePublicName()));
+    RETURN_IF_EXCEPTION(scope, nullptr);
     CallData callData;
     auto callType = JSC::getCallData(function, callData);
@@ -155 +174 @@
     arguments.append(scriptFetcher);
 
+    scope.release();
     return jsCast<JSInternalPromise*>(call(exec, function, callType, callData, this, arguments));
 }

trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp

@@ -83 +83 @@
 
     ModuleProgramExecutable* executable = ModuleProgramExecutable::create(exec, sourceCode());
+    EXCEPTION_ASSERT(!!scope.exception() == !executable);
     if (!executable) {
         throwSyntaxError(exec, scope);
@@ -111 +112 @@
         if (exportEntry.type == JSModuleRecord::ExportEntry::Type::Indirect) {
             Resolution resolution = resolveExport(exec, exportEntry.exportName);
+            RETURN_IF_EXCEPTION(scope, void());
             switch (resolution.type) {
             case Resolution::Type::NotFound:
@@ -137 +139 @@
         const ImportEntry& importEntry = pair.value;
         AbstractModuleRecord* importedModule = hostResolveImportedModule(exec, importEntry.moduleRequest);
+        RETURN_IF_EXCEPTION(scope, void());
         if (importEntry.isNamespace(vm)) {
             JSModuleNamespaceObject* namespaceObject = importedModule->getModuleNamespace(exec);
@@ -142 +145 @@
             bool putResult = false;
             symbolTablePutTouchWatchpointSet(moduleEnvironment, exec, importEntry.localName, namespaceObject, /* shouldThrowReadOnlyError */ false, /* ignoreReadOnlyErrors */ true, putResult);
+            RETURN_IF_EXCEPTION(scope, void());
         } else {
             Resolution resolution = importedModule->resolveExport(exec, importEntry.importName);
+            RETURN_IF_EXCEPTION(scope, void());
             switch (resolution.type) {
             case Resolution::Type::NotFound:
@@ -174 +179 @@
             bool putResult = false;
             symbolTablePutTouchWatchpointSet(moduleEnvironment, exec, Identifier::fromUid(exec, variable.key.get()), jsUndefined(), /* shouldThrowReadOnlyError */ false, /* ignoreReadOnlyErrors */ true, putResult);
+            RETURN_IF_EXCEPTION(scope, void());
         }
     }
@@ -196 +202 @@
             bool putResult = false;
             symbolTablePutTouchWatchpointSet(moduleEnvironment, exec, unlinkedFunctionExecutable->name(), function, /* shouldThrowReadOnlyError */ false, /* ignoreReadOnlyErrors */ true, putResult);
+            RETURN_IF_EXCEPTION(scope, void());
         }
     }

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -276 +276 @@
     Holder root(Holder::RootHolder, vm, object);
     auto stringifyResult = appendStringifiedValue(result, value.get(), root, emptyPropertyName);
-    ASSERT(!scope.exception() || (stringifyResult != StringifySucceeded));
+    EXCEPTION_ASSERT(!scope.exception() || (stringifyResult != StringifySucceeded));
     if (UNLIKELY(stringifyResult != StringifySucceeded))
         return Local<Unknown>(vm, jsUndefined());
@@ -295 +295 @@
     PropertySlot slot(object, PropertySlot::InternalMethodType::Get);
     bool hasProperty = object->getPropertySlot(m_exec, vm.propertyNames->toJSON, slot);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (!hasProperty)
         return value;
@@ -795 +795 @@
         LiteralParser<LChar> jsonParser(exec, view.characters8(), view.length(), StrictJSON);
         unfiltered = jsonParser.tryLiteralParse();
-        ASSERT(!scope.exception() || !unfiltered);
+        EXCEPTION_ASSERT(!scope.exception() || !unfiltered);
         if (!unfiltered) {
             RETURN_IF_EXCEPTION(scope, { });
@@ -803 +803 @@
         LiteralParser<UChar> jsonParser(exec, view.characters16(), view.length(), StrictJSON);
         unfiltered = jsonParser.tryLiteralParse();
-        ASSERT(!scope.exception() || !unfiltered);
+        EXCEPTION_ASSERT(!scope.exception() || !unfiltered);
         if (!unfiltered) {
             RETURN_IF_EXCEPTION(scope, { });

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -536 +536 @@
     PropertyName constructor(vm.propertyNames->constructor);
     if (object->getPropertySlot(exec, constructor, slot)) {
+        EXCEPTION_ASSERT(!scope.exception());
         if (slot.isValue()) {
             JSValue constructorValue = slot.getValue(exec, constructor);
@@ -550 +551 @@
         }
     }
-    ASSERT(!scope.exception() || prototypeFunctionName.isNull());
+    EXCEPTION_ASSERT(!scope.exception() || prototypeFunctionName.isNull());
     if (UNLIKELY(scope.exception()))
         scope.clearException();
@@ -659 +660 @@
             ProxyObject* proxy = jsCast<ProxyObject*>(current);
             PutPropertySlot slot(receiver, shouldThrow);
+            scope.release();
             return proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
         }
@@ -717 +719 @@
 
             // 9.1.9.1-4-d-iv Return ? Receiver.[[DefineOwnProperty]](P, valueDesc).
+            scope.release();
             return receiverObject->methodTable(vm)->defineOwnProperty(receiverObject, exec, propertyName, valueDescriptor, shouldThrow);
         }
@@ -722 +725 @@
         // 9.1.9.1-4-e Else Receiver does not currently have a property P,
         // 9.1.9.1-4-e-i Return ? CreateDataProperty(Receiver, P, V).
+        scope.release();
         return receiverObject->methodTable(vm)->defineOwnProperty(receiverObject, exec, propertyName, PropertyDescriptor(value, None), shouldThrow);
     }
@@ -741 +745 @@
     CallData callData;
     CallType callType = setterObject->methodTable(vm)->getCallData(setterObject, callData);
+    scope.release();
     call(exec, setterObject, callType, callData, receiver, args);
 
@@ -773 +778 @@
             if (gs.isGetterSetter()) {
                 bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+                RETURN_IF_EXCEPTION(scope, false);
                 if (!structure()->isDictionary())
                     slot.setCacheableSetter(obj, offset);
@@ -793 +799 @@
         if (!obj->staticPropertiesReified()) {
             if (obj->classInfo(vm)->hasStaticSetterOrReadonlyProperties()) {
-                if (auto entry = obj->findPropertyHashEntry(vm, propertyName))
+                if (auto entry = obj->findPropertyHashEntry(vm, propertyName)) {
+                    scope.release();
                     return putEntry(exec, entry->table->classForThis, entry->value, obj, this, propertyName, value, slot);
+                }
             }
         }
@@ -802 +810 @@
             // https://bugs.webkit.org/show_bug.cgi?id=155012
             ProxyObject* proxy = jsCast<ProxyObject*>(obj);
+            scope.release();
             return proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
         }
@@ -1948 +1957 @@
     if (hint == PreferString) {
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->toString, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->valueOf, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
     } else {
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->valueOf, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->toString, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
@@ -1986 +1995 @@
         return value;
 
+    scope.release();
     return this->methodTable(vm)->defaultValue(this, exec, preferredType);
 }
@@ -2047 +2057 @@
         JSValue prototype = get(exec, vm.propertyNames->prototype);
         RETURN_IF_EXCEPTION(scope, false);
+        scope.release();
         return defaultHasInstance(exec, value, prototype);
     }
-    if (info.implementsHasInstance())
+    if (info.implementsHasInstance()) {
+        scope.release();
         return methodTable(vm)->customHasInstance(this, exec, value);
+    }
     throwException(exec, scope, createInvalidInstanceofParameterErrorNotFunction(exec, this));
     return false;
@@ -2062 +2075 @@
     RETURN_IF_EXCEPTION(scope, false);
 
+    scope.release();
     return hasInstance(exec, value, hasInstanceValue);
 }
@@ -2114 +2128 @@
     while(1) {
         if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
+            scope.release();
             prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
-            break;
+            return;
         }
         prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);
@@ -2222 +2237 @@
     JSValue primitive = toPrimitive(exec, PreferNumber);
     RETURN_IF_EXCEPTION(scope, 0.0); // should be picked up soon in Nodes.cpp
+    scope.release();
     return primitive.toNumber(exec);
 }
@@ -2389 +2405 @@
         if (!descriptor.attributes() && descriptor.value() && canDoFastPutDirectIndex(this)) {
             ASSERT(!descriptor.isAccessorDescriptor());
+            scope.release();
             return putDirectIndex(exec, index, descriptor.value(), 0, throwException ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         }
@@ -2440 +2457 @@
     PropertyDescriptor current;
     entryInMap->get(current);
-    if (descriptor.isEmpty() || descriptor.equalTo(exec, current))
+    bool isEmptyOrEqual = descriptor.isEmpty() || descriptor.equalTo(exec, current);
+    RETURN_IF_EXCEPTION(scope, false);
+    if (isEmptyOrEqual)
         return true;
 
@@ -2575 +2594 @@
         SparseArrayValueMap* map = allocateSparseIndexMap(vm);
         bool result = map->putEntry(exec, this, i, value, false);
+        RETURN_IF_EXCEPTION(scope, false);
         ASSERT(i >= arrayStorage()->length());
         arrayStorage()->setLength(i + 1);
@@ -2648 +2668 @@
         // We don't want to, or can't use a vector to hold this property - allocate a sparse map & add the value.
         map = allocateSparseIndexMap(vm);
+        scope.release();
         return map->putEntry(exec, this, i, value, shouldThrow);
     }
@@ -2664 +2685 @@
     // We will continue  to use a sparse map if SparseMode is set, a vector would be too sparse, or if allocation fails.
     unsigned numValuesInArray = storage->m_numValuesInVector + map->size();
-    if (map->sparseMode() || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length))
+    if (map->sparseMode() || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length)) {
+        scope.release();
         return map->putEntry(exec, this, i, value, shouldThrow);
+    }
 
     // Reread m_storage after increaseVectorLength, update m_numValuesInVector.
@@ -2784 +2807 @@
         // We don't want to, or can't use a vector to hold this property - allocate a sparse map & add the value.
         map = allocateSparseIndexMap(vm);
+        scope.release();
         return map->putDirect(exec, this, i, value, attributes, mode);
     }
@@ -2804 +2828 @@
     // We will continue  to use a sparse map if SparseMode is set, a vector would be too sparse, or if allocation fails.
     unsigned numValuesInArray = storage->m_numValuesInVector + map->size();
-    if (map->sparseMode() || attributes || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length))
+    if (map->sparseMode() || attributes || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length)) {
+        scope.release();
         return map->putDirect(exec, this, i, value, attributes, mode);
+    }
 
     // Reread m_storage after increaseVectorLength, update m_numValuesInVector.
@@ -3352 +3378 @@
         return true;
     // Step 4.
-    if (current.equalTo(exec, descriptor))
+    bool isEqual = current.equalTo(exec, descriptor);
+    RETURN_IF_EXCEPTION(scope, false);
+    if (isEqual)
         return true;
 
@@ -3369 +3397 @@
         if (!current.attributesEqual(descriptor) && object) {
             object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+            RETURN_IF_EXCEPTION(scope, false);
             return putDescriptor(exec, object, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
         }
@@ -3384 +3413 @@
 
         object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+        RETURN_IF_EXCEPTION(scope, false);
         return putDescriptor(exec, object, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
     }
@@ -3403 +3433 @@
             return true;
         object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+        RETURN_IF_EXCEPTION(scope, false);
         return putDescriptor(exec, object, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
     }
@@ -3448 +3479 @@
         return true;
     object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+    RETURN_IF_EXCEPTION(scope, false);
     unsigned attrs = descriptor.attributesOverridingCurrent(current);
     object->putDirectAccessor(exec, propertyName, getterSetter, attrs | Accessor);
@@ -3467 +3499 @@
     bool isExtensible = this->isExtensible(exec);
     RETURN_IF_EXCEPTION(throwScope, false);
+    throwScope.release();
     return validateAndApplyPropertyDescriptor(exec, this, propertyName, isExtensible, descriptor, isCurrentDefined, current, throwException);
 }
@@ -3595 +3628 @@
     while (true) {
         if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
+            scope.release();
             prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
-            break;
+            return;
         }
         prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -1414 +1414 @@
 inline JSValue JSObject::get(ExecState* exec, PropertyName propertyName) const
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
-    if (const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot))
+    bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+    if (hasProperty) {
+        scope.release();
         return slot.getValue(exec, propertyName);
-    
+    }
     return jsUndefined();
 }
@@ -1423 +1428 @@
 inline JSValue JSObject::get(ExecState* exec, unsigned propertyName) const
 {
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
-    if (const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot))
+    bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+    if (hasProperty) {
+        scope.release();
         return slot.getValue(exec, propertyName);
-
+    }
     return jsUndefined();
 }

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

@@ -98 +98 @@
     bool found = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
     RETURN_IF_EXCEPTION(scope, { });
+    scope.release();
     return callback(found, slot);
 }
@@ -110 +111 @@
     while (true) {
         Structure* structure = structureIDTable.get(object->structureID());
-        if (structure->classInfo()->methodTable.getOwnPropertySlotByIndex(object, exec, propertyName, slot))
+        bool hasSlot = structure->classInfo()->methodTable.getOwnPropertySlotByIndex(object, exec, propertyName, slot);
+        RETURN_IF_EXCEPTION(scope, false);
+        if (hasSlot)
             return true;
-        RETURN_IF_EXCEPTION(scope, false);
         JSValue prototype;
         if (LIKELY(structure->classInfo()->methodTable.getPrototype == defaultGetPrototype || slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry))
@@ -142 +144 @@
                 return true;
         } else {
-            if (structure->classInfo()->methodTable.getOwnPropertySlot(object, exec, propertyName, slot))
+            bool hasSlot = structure->classInfo()->methodTable.getOwnPropertySlot(object, exec, propertyName, slot);
+            RETURN_IF_EXCEPTION(scope, false);
+            if (hasSlot)
                 return true;
-            RETURN_IF_EXCEPTION(scope, false);
         }
         JSValue prototype;
@@ -204 +207 @@
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(thisObject));
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
+    if (UNLIKELY(isThisValueAltered(slot, thisObject))) {
+        scope.release();
         return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
+    }
 
     // Try indexed put first. This is required for correctness, since loads on property names that appear like
     // valid indices will never look in the named property storage.
-    if (std::optional<uint32_t> index = parseIndex(propertyName))
+    if (std::optional<uint32_t> index = parseIndex(propertyName)) {
+        scope.release();
         return putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode());
+    }
 
     if (thisObject->canPerformFastPutInline(vm, propertyName)) {

trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp

@@ -107 +107 @@
     JSPromise* promise = JSPromise::create(vm, promiseStructure);
     promise->initialize(exec, globalObject, exec->argument(0));
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     return JSValue::encode(promise);

trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp

@@ -62 +62 @@
 
     JSValue promise = deferred.get(exec, vm.propertyNames->builtinNames().promisePrivateName());
+    RETURN_IF_EXCEPTION(scope, nullptr);
     ASSERT(promise.inherits(vm, JSPromise::info()));
     JSValue resolve = deferred.get(exec, vm.propertyNames->builtinNames().resolvePrivateName());
+    RETURN_IF_EXCEPTION(scope, nullptr);
     JSValue reject = deferred.get(exec, vm.propertyNames->builtinNames().rejectPrivateName());
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     return JSPromiseDeferred::create(vm, jsCast<JSPromise*>(promise), resolve, reject);

trunk/Source/JavaScriptCore/runtime/JSScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -51 +51 @@
 static inline bool abstractAccess(ExecState* exec, JSScope* scope, const Identifier& ident, GetOrPut getOrPut, size_t depth, bool& needsVarInjectionChecks, ResolveOp& op, InitializationMode initializationMode)
 {
+    VM& vm = exec->vm();
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
     if (scope->isJSLexicalEnvironment()) {
         JSLexicalEnvironment* lexicalEnvironment = jsCast<JSLexicalEnvironment*>(scope);
@@ -76 +79 @@
             AbstractModuleRecord* moduleRecord = moduleEnvironment->moduleRecord();
             AbstractModuleRecord::Resolution resolution = moduleRecord->resolveImport(exec, ident);
+            RETURN_IF_EXCEPTION(throwScope, false);
             if (resolution.type == AbstractModuleRecord::Resolution::Type::Resolved) {
                 AbstractModuleRecord* importedRecord = resolution.moduleRecord;
@@ -247 +251 @@
         if (hasProperty) {
             bool unscopable = isUnscopable(exec, scope, object, ident);
-            ASSERT(!throwScope.exception() || !unscopable);
+            EXCEPTION_ASSERT(!throwScope.exception() || !unscopable);
             if (!unscopable)
                 return object;
@@ -260 +264 @@
 {
     VM& vm = exec->vm();
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
     auto returnPredicate = [&] (JSScope* scope) -> bool {
         return scope->isVarScope();
@@ -267 +273 @@
     };
     JSObject* object = resolve(exec, scope, ident, returnPredicate, skipPredicate);
-    
+    RETURN_IF_EXCEPTION(throwScope, { });
+
     bool result = false;
     if (JSScope* scope = jsDynamicCast<JSScope*>(vm, object)) {
@@ -293 +300 @@
 ResolveOp JSScope::abstractResolve(ExecState* exec, size_t depthOffset, JSScope* scope, const Identifier& ident, GetOrPut getOrPut, ResolveType unlinkedType, InitializationMode initializationMode)
 {
+    VM& vm = exec->vm();
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
     ResolveOp op(Dynamic, 0, 0, 0, 0, 0);
     if (unlinkedType == Dynamic)
@@ -300 +310 @@
     size_t depth = depthOffset;
     for (; scope; scope = scope->next()) {
-        if (abstractAccess(exec, scope, ident, getOrPut, depth, needsVarInjectionChecks, op, initializationMode))
+        bool success = abstractAccess(exec, scope, ident, getOrPut, depth, needsVarInjectionChecks, op, initializationMode);
+        RETURN_IF_EXCEPTION(throwScope, ResolveOp(Dynamic, 0, 0, 0, 0, 0));
+        if (success)
             break;
         ++depth;

trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp

@@ -52 +52 @@
 bool LiteralParser<CharType>::tryJSONPParse(Vector<JSONPData>& results, bool needsFullSourceInfo)
 {
+    VM& vm = m_exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     if (m_lexer.next() != TokIdentifier)
         return false;
@@ -57 +59 @@
         Vector<JSONPPathEntry> path;
         // Unguarded next to start off the lexer
-        Identifier name = Identifier::fromString(&m_exec->vm(), m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
+        Identifier name = Identifier::fromString(&vm, m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
         JSONPPathEntry entry;
-        if (name == m_exec->vm().propertyNames->varKeyword) {
+        if (name == vm.propertyNames->varKeyword) {
             if (m_lexer.next() != TokIdentifier)
                 return false;
             entry.m_type = JSONPPathEntryTypeDeclare;
-            entry.m_pathEntryName = Identifier::fromString(&m_exec->vm(), m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
+            entry.m_pathEntryName = Identifier::fromString(&vm, m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
             path.append(entry);
         } else {
             entry.m_type = JSONPPathEntryTypeDot;
-            entry.m_pathEntryName = Identifier::fromString(&m_exec->vm(), m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
+            entry.m_pathEntryName = Identifier::fromString(&vm, m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
             path.append(entry);
         }
@@ -94 +96 @@
                 if (m_lexer.next() != TokIdentifier)
                     return false;
-                entry.m_pathEntryName = Identifier::fromString(&m_exec->vm(), m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
+                entry.m_pathEntryName = Identifier::fromString(&vm, m_lexer.currentToken()->start, m_lexer.currentToken()->end - m_lexer.currentToken()->start);
                 break;
             }
@@ -113 +115 @@
         m_lexer.next();
         results.append(JSONPData());
-        results.last().m_value.set(m_exec->vm(), parse(StartParseExpression));
+        JSValue startParseExpressionValue = parse(StartParseExpression);
+        RETURN_IF_EXCEPTION(scope, false);
+        results.last().m_value.set(vm, startParseExpressionValue);
         if (!results.last().m_value)
             return false;
@@ -613 +617 @@
                 JSArray* array = asArray(objectStack.last());
                 array->putDirectIndex(m_exec, array->length(), lastValue);
-                
+                RETURN_IF_EXCEPTION(scope, JSValue());
+
                 if (m_lexer.currentToken()->type == TokComma)
                     goto doParseArrayStartExpression;
@@ -700 +705 @@
                         object->putDirect(vm, ident, lastValue);
                 }
+                RETURN_IF_EXCEPTION(scope, JSValue());
                 identifierStack.removeLast();
                 if (m_lexer.currentToken()->type == TokComma)

trunk/Source/JavaScriptCore/runtime/Lookup.h

@@ -291 +291 @@
         JSValue updateThisValue = entry->attributes() & CustomAccessor ? slot.thisValue() : JSValue(base);
         bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        RETURN_IF_EXCEPTION(scope, false);
         if (isAccessor)
             slot.setCustomAccessor(base, entry->propertyPutter());

trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp

@@ -65 +65 @@
 
     JSValue iterable = exec->argument(0);
-    if (iterable.isUndefinedOrNull())
+    if (iterable.isUndefinedOrNull()) {
+        scope.release();
         return JSValue::encode(JSMap::create(exec, vm, mapStructure));
+    }
 
     if (isJSMap(iterable)) {
         JSMap* iterableMap = jsCast<JSMap*>(iterable);
-        if (iterableMap->canCloneFastAndNonObservable(mapStructure))
+        if (iterableMap->canCloneFastAndNonObservable(mapStructure)) {
+            scope.release();
             return JSValue::encode(iterableMap->clone(exec, vm, mapStructure));
+        }
     }
 

trunk/Source/JavaScriptCore/runtime/NumberPrototype.cpp

@@ -599 +599 @@
 
     int32_t radix = extractRadixFromArgs(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
     if (radix < 2 || radix > 36)
         return throwVMError(exec, scope, createRangeError(exec, ASCIILiteral("toString() radix argument must be between 2 and 36")));
 
+    scope.release();
     return JSValue::encode(numberToStringInternal(vm, doubleValue, radix));
 }

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -189 +189 @@
     bool shouldThrowIfCantSet = true;
     bool didSetPrototype = object->setPrototype(vm, exec, protoValue, shouldThrowIfCantSet);
-    ASSERT_UNUSED(didSetPrototype, scope.exception() || didSetPrototype);
+    EXCEPTION_ASSERT_UNUSED(didSetPrototype, scope.exception() || didSetPrototype);
     return JSValue::encode(objectValue);
 }
@@ -205 +205 @@
 
     JSObject* result = constructObjectFromPropertyDescriptor(exec, descriptor);
-    ASSERT(!!scope.exception() == !result);
+    EXCEPTION_ASSERT(!!scope.exception() == !result);
     if (!result)
         return jsUndefined();
@@ -231 +231 @@
 
         JSObject* fromDescriptor = constructObjectFromPropertyDescriptor(exec, descriptor);
-        ASSERT(!!scope.exception() == !fromDescriptor);
+        EXCEPTION_ASSERT(!!scope.exception() == !fromDescriptor);
         if (!fromDescriptor)
             return jsUndefined();
@@ -323 +323 @@
         auto assign = [&] (PropertyName propertyName) {
             PropertySlot slot(source, PropertySlot::InternalMethodType::GetOwnProperty);
-            if (!source->methodTable(vm)->getOwnPropertySlot(source, exec, propertyName, slot))
+            bool hasProperty = source->methodTable(vm)->getOwnPropertySlot(source, exec, propertyName, slot);
+            RETURN_IF_EXCEPTION(scope, void());
+            if (!hasProperty)
                 return;
             if (slot.attributes() & DontEnum)
@@ -387 +389 @@
     auto addValue = [&] (PropertyName propertyName) {
         PropertySlot slot(target, PropertySlot::InternalMethodType::GetOwnProperty);
-        if (!target->methodTable(vm)->getOwnPropertySlot(target, exec, propertyName, slot))
+        bool hasProperty = target->methodTable(vm)->getOwnPropertySlot(target, exec, propertyName, slot);
+        RETURN_IF_EXCEPTION(scope, void());
+        if (!hasProperty)
             return;
         if (slot.attributes() & DontEnum)
@@ -429 +433 @@
 
     bool hasProperty = description->hasProperty(exec, vm.propertyNames->enumerable);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         JSValue value = description->get(exec, vm.propertyNames->enumerable);
@@ -438 +442 @@
 
     hasProperty = description->hasProperty(exec, vm.propertyNames->configurable);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         JSValue value = description->get(exec, vm.propertyNames->configurable);
@@ -448 +452 @@
     JSValue value;
     hasProperty = description->hasProperty(exec, vm.propertyNames->value);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         JSValue value = description->get(exec, vm.propertyNames->value);
@@ -457 +461 @@
 
     hasProperty = description->hasProperty(exec, vm.propertyNames->writable);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         JSValue value = description->get(exec, vm.propertyNames->writable);
@@ -466 +470 @@
 
     hasProperty = description->hasProperty(exec, vm.propertyNames->get);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         JSValue get = description->get(exec, vm.propertyNames->get);
@@ -482 +486 @@
 
     hasProperty = description->hasProperty(exec, vm.propertyNames->set);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         JSValue set = description->get(exec, vm.propertyNames->set);
@@ -524 +528 @@
     PropertyDescriptor descriptor;
     auto success = toPropertyDescriptor(exec, exec->argument(2), descriptor);
-    ASSERT(!scope.exception() == success);
+    EXCEPTION_ASSERT(!scope.exception() == success);
     if (!success)
         return JSValue::encode(jsNull());
@@ -550 +554 @@
         PropertyDescriptor descriptor;
         bool success = toPropertyDescriptor(exec, prop, descriptor);
-        ASSERT(!scope.exception() || !success);
+        EXCEPTION_ASSERT(!scope.exception() || !success);
         if (UNLIKELY(!success))
             return jsNull();
@@ -583 +587 @@
     JSObject* targetObj = asObject(exec->argument(0));
     JSObject* props = exec->argument(1).toObject(exec);
-    ASSERT(!!scope.exception() == !props);
+    EXCEPTION_ASSERT(!!scope.exception() == !props);
     if (UNLIKELY(!props))
         return encodedJSValue();
@@ -857 +861 @@
             const auto& identifier = properties[i];
             ASSERT(!identifier.isSymbol());
-            if (filterPropertyIfNeeded(identifier))
+            bool hasProperty = filterPropertyIfNeeded(identifier);
+            EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+            if (hasProperty)
                 keys->push(exec, jsOwnedString(exec, identifier.string()));
             RETURN_IF_EXCEPTION(scope, nullptr);
@@ -870 +876 @@
             ASSERT(identifier.isSymbol());
             if (!identifier.isPrivateName()) {
-                if (filterPropertyIfNeeded(identifier))
+                bool hasProperty = filterPropertyIfNeeded(identifier);
+                EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+                if (hasProperty)
                     keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
                 RETURN_IF_EXCEPTION(scope, nullptr);
@@ -886 +894 @@
                 propertySymbols.append(identifier);
             else {
-                if (filterPropertyIfNeeded(identifier))
+                bool hasProperty = filterPropertyIfNeeded(identifier);
+                EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+                if (hasProperty)
                     keys->push(exec, jsOwnedString(exec, identifier.string()));
                 RETURN_IF_EXCEPTION(scope, nullptr);
@@ -894 +904 @@
         // To ensure the order defined in the spec (9.1.12), we append symbols at the last elements of keys.
         for (const auto& identifier : propertySymbols) {
-            if (filterPropertyIfNeeded(identifier))
+            bool hasProperty = filterPropertyIfNeeded(identifier);
+            EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+            if (hasProperty)
                 keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
             RETURN_IF_EXCEPTION(scope, nullptr);

trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp

@@ -98 +98 @@
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
     JSObject* thisObject = thisValue.toObject(exec);
-    ASSERT(!!scope.exception() == !thisObject);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
     if (UNLIKELY(!thisObject))
         return encodedJSValue();
@@ -125 +125 @@
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
     JSObject* thisObj = thisValue.toObject(exec);
-    ASSERT(!!scope.exception() == !thisObj);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObj);
     if (UNLIKELY(!thisObj))
         return encodedJSValue();
@@ -214 +214 @@
     PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty);
     bool hasProperty = thisObject->getPropertySlot(exec, propertyName, slot);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         if (slot.isAccessor()) {
@@ -244 +244 @@
     PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty);
     bool hasProperty = thisObject->getPropertySlot(exec, propertyName, slot);
-    ASSERT(!scope.exception() || !hasProperty);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty) {
         if (slot.isAccessor()) {
@@ -296 +296 @@
     PropertySlot slot(thisValue, PropertySlot::InternalMethodType::Get);
     bool hasProperty = object->getPropertySlot(exec, vm.propertyNames->toString, slot);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     JSValue toString = hasProperty ? slot.getValue(exec, vm.propertyNames->toString) : jsUndefined();
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
@@ -319 +320 @@
         return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
     JSObject* thisObject = thisValue.toObject(exec);
-    ASSERT(!!scope.exception() == !thisObject);
+    EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
     if (!thisObject)
         return JSValue::encode(jsUndefined());

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -395 +395 @@
     v(unsigned, fireExceptionFuzzAt, 0, Normal, nullptr) \
     v(bool, validateDFGExceptionHandling, false, Normal, "Causes the DFG to emit code validating exception handling for each node that can exit") /* This is true by default on Debug builds */\
-    v(bool, dumpSimulatedThrows, false, Normal, "Dumps the call stack at each simulated throw for exception scope verification") \
+    v(bool, dumpSimulatedThrows, false, Normal, "Dumps the call stack of the last simulated throw if exception scope verification fails") \
     v(bool, validateExceptionChecks, false, Normal, "Verifies that needed exception checks are performed.") \
     v(unsigned, unexpectedExceptionStackTraceLimit, 100, Normal, "Stack trace limit for debugging unexpected exceptions observed in the VM") \

trunk/Source/JavaScriptCore/runtime/ParseInt.h

@@ -218 +218 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSString* string = value.toStringOrNull(exec);
+    EXCEPTION_ASSERT(!!scope.exception() == !string);
     if (UNLIKELY(!string))
         return { };
     auto viewWithString = string->viewWithUnderlyingString(exec);
     RETURN_IF_EXCEPTION(scope, { });
+    scope.release();
     return callback(viewWithString.view);
 }

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

@@ -131 +131 @@
         scope.release();
         PropertySlot slot(receiver, PropertySlot::InternalMethodType::Get);
-        if (target->getPropertySlot(exec, propertyName, slot))
+        bool hasProperty = target->getPropertySlot(exec, propertyName, slot);
+        EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+        if (hasProperty) {
+            scope.release();
             return slot.getValue(exec, propertyName);
+        }
         return jsUndefined();
     };
@@ -443 +447 @@
 
     PropertyDescriptor descriptor;
-    if (target->getOwnPropertyDescriptor(exec, propertyName, descriptor)) {
+    bool hasProperty = target->getOwnPropertyDescriptor(exec, propertyName, descriptor);
+    EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
+    if (hasProperty) {
         if (descriptor.isDataDescriptor() && !descriptor.configurable() && !descriptor.writable()) {
             if (!sameValue(exec, descriptor.value(), putValue)) {

trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp

@@ -141 +141 @@
     PropertyDescriptor descriptor;
     bool success = toPropertyDescriptor(exec, exec->argument(2), descriptor);
-    ASSERT(!scope.exception() == success);
+    EXCEPTION_ASSERT(!scope.exception() == success);
     if (UNLIKELY(!success))
         return encodedJSValue();

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

@@ -214 +214 @@
         return NoFlags;
     JSString* flagsString = flags.toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !flagsString);
+    EXCEPTION_ASSERT(!!scope.exception() == !flagsString);
     if (UNLIKELY(!flagsString))
         return InvalidFlags;
@@ -234 +234 @@
 
     RegExpFlags flags = toFlags(exec, flagsArg);
-    ASSERT(!!scope.exception() == (flags == InvalidFlags));
+    EXCEPTION_ASSERT(!!scope.exception() == (flags == InvalidFlags));
     if (UNLIKELY(flags == InvalidFlags))
         return nullptr;
@@ -274 +274 @@
         if (!flagsArg.isUndefined()) {
             RegExpFlags flags = toFlags(exec, flagsArg);
-            ASSERT(!!scope.exception() == (flags == InvalidFlags));
+            EXCEPTION_ASSERT(!!scope.exception() == (flags == InvalidFlags));
             if (flags == InvalidFlags)
                 return nullptr;

trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp

@@ -233 +233 @@
             do {
                 iterate();
-                ASSERT(!!scope.exception() == hasException);
+                EXCEPTION_ASSERT(!!scope.exception() == hasException);
                 if (UNLIKELY(hasException))
                     return { };

trunk/Source/JavaScriptCore/runtime/RegExpObjectInlines.h

@@ -76 +76 @@
     if (globalOrSticky) {
         lastIndex = getRegExpObjectLastIndexAsUnsigned(exec, this, input);
-        ASSERT(!scope.exception() || lastIndex == UINT_MAX);
+        EXCEPTION_ASSERT(!scope.exception() || lastIndex == UINT_MAX);
         if (lastIndex == UINT_MAX)
             return jsNull();
@@ -115 +115 @@
 
     unsigned lastIndex = getRegExpObjectLastIndexAsUnsigned(exec, this, input);
-    ASSERT(!scope.exception() || (lastIndex == UINT_MAX));
+    EXCEPTION_ASSERT(!scope.exception() || (lastIndex == UINT_MAX));
     if (lastIndex == UINT_MAX)
         return MatchResult::failed();

trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp

@@ -108 +108 @@
         return throwVMTypeError(exec, scope);
     JSString* string = exec->argument(0).toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !string);
+    EXCEPTION_ASSERT(!!scope.exception() == !string);
     if (!string)
         return JSValue::encode(jsUndefined());
@@ -124 +124 @@
         return throwVMTypeError(exec, scope, "Builtin RegExp exec can only be called on a RegExp object");
     JSString* string = exec->argument(0).toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !string);
+    EXCEPTION_ASSERT(!!scope.exception() == !string);
     if (!string)
         return JSValue::encode(jsUndefined());
@@ -140 +140 @@
         return throwVMTypeError(exec, scope);
     JSString* string = exec->argument(0).toStringOrNull(exec);
-    ASSERT(!!scope.exception() == !string);
+    EXCEPTION_ASSERT(!!scope.exception() == !string);
     if (!string)
         return encodedJSValue();
@@ -244 +244 @@
 
     StringRecursionChecker checker(exec, thisObject);
-    ASSERT(!scope.exception() || checker.earlyReturnValue());
+    EXCEPTION_ASSERT(!scope.exception() || checker.earlyReturnValue());
     if (JSValue earlyReturnValue = checker.earlyReturnValue())
         return JSValue::encode(earlyReturnValue);
@@ -628 +628 @@
     JSValue limitValue = exec->argument(1);
     unsigned limit = limitValue.isUndefined() ? 0xFFFFFFFFu : limitValue.toUInt32(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     // 14. Let size be the number of elements in S.

trunk/Source/JavaScriptCore/runtime/ScriptExecutable.cpp

@@ -189 +189 @@
             executable, executable->m_unlinkedEvalCodeBlock.get(), scope,
             executable->source().provider());
-        ASSERT(throwScope.exception() || codeBlock);
+        EXCEPTION_ASSERT(throwScope.exception() || codeBlock);
         if (!codeBlock) {
             exception = throwException(
@@ -207 +207 @@
             executable, executable->m_unlinkedProgramCodeBlock.get(), scope,
             executable->source().provider(), startColumn());
-        ASSERT(throwScope.exception() || codeBlock);
+        EXCEPTION_ASSERT(throwScope.exception() || codeBlock);
         if (!codeBlock) {
             exception = throwException(
@@ -225 +225 @@
             executable, executable->m_unlinkedModuleProgramCodeBlock.get(), scope,
             executable->source().provider(), startColumn());
-        ASSERT(throwScope.exception() || codeBlock);
+        EXCEPTION_ASSERT(throwScope.exception() || codeBlock);
         if (!codeBlock) {
             exception = throwException(
@@ -339 +339 @@
     CodeBlock* codeBlock = newCodeBlockFor(kind, function, scope, exception);
     resultCodeBlock = codeBlock;
-    ASSERT(!!throwScope.exception() == !codeBlock);
+    EXCEPTION_ASSERT(!!throwScope.exception() == !codeBlock);
     if (UNLIKELY(!codeBlock))
         return exception;

trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp

@@ -65 +65 @@
 
     JSValue iterable = exec->argument(0);
-    if (iterable.isUndefinedOrNull())
+    if (iterable.isUndefinedOrNull()) {
+        scope.release();
         return JSValue::encode(JSSet::create(exec, vm, setStructure));
+    }
 
     if (isJSSet(iterable)) {
         JSSet* iterableSet = jsCast<JSSet*>(iterable);
-        if (iterableSet->canCloneFastAndNonObservable(setStructure))
+        if (iterableSet->canCloneFastAndNonObservable(setStructure)) {
+            scope.release();
             return JSValue::encode(iterableSet->clone(exec, vm, setStructure));
+        }
     }
 

trunk/Source/JavaScriptCore/runtime/ThrowScope.cpp

@@ -101 +101 @@
     m_vm.m_simulatedThrowPointRecursionDepth = m_recursionDepth;
     m_vm.m_needExceptionCheck = true;
-
-    if (Options::dumpSimulatedThrows()) {
-        dataLog("Simulated throw from this scope: ", m_location, "\n");
-        dataLog("    (ExceptionScope::m_recursionDepth was ", m_recursionDepth, ")\n");
-        WTFReportBacktrace();
-    }
+    if (UNLIKELY(Options::dumpSimulatedThrows()))
+        m_vm.m_nativeStackTraceOfLastSimulatedThrow = StackTrace::captureStackTrace(Options::unexpectedExceptionStackTraceLimit());
 }
 

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -971 +971 @@
             "\n");
 
+        StringPrintStream out;
+        std::unique_ptr<StackTrace> currentTrace = StackTrace::captureStackTrace(Options::unexpectedExceptionStackTraceLimit());
+
+        if (Options::dumpSimulatedThrows()) {
+            out.println("The simulated exception was thrown at:");
+            m_nativeStackTraceOfLastSimulatedThrow->dump(out, "    ");
+            out.println();
+        }
+        out.println("Unchecked exception detected at:");
+        currentTrace->dump(out, "    ");
+        out.println();
+
+        dataLog(out.toCString());
         RELEASE_ASSERT(!m_needExceptionCheck);
     }

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -786 +786 @@
     mutable bool m_needExceptionCheck { false };
     std::unique_ptr<StackTrace> m_nativeStackTraceOfLastThrow;
+    std::unique_ptr<StackTrace> m_nativeStackTraceOfLastSimulatedThrow;
     ThreadIdentifier m_throwingThread;
 #endif

trunk/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp

@@ -106 +106 @@
 
     auto* map = getWeakMap(callFrame, callFrame->thisValue());
-    ASSERT(!!scope.exception() == !map);
+    EXCEPTION_ASSERT(!!scope.exception() == !map);
     if (!map)
         return JSValue::encode(jsUndefined());

trunk/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp

@@ -93 +93 @@
 
     auto* set = getWeakSet(callFrame, callFrame->thisValue());
-    ASSERT(!!scope.exception() == !set);
+    EXCEPTION_ASSERT(!!scope.exception() == !set);
     if (!set)
         return JSValue::encode(jsUndefined());

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp

@@ -184 +184 @@
     RETURN_IF_EXCEPTION(scope, { });
 
+    scope.release();
     return JSWebAssemblyModule::createStub(vm, exec, structure, Wasm::Module::validateSync(vm, WTFMove(source)));
 }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -179 +179 @@
         bool putResult = false;
         symbolTablePutTouchWatchpointSet(moduleEnvironment, exec, Identifier::fromString(&vm, String::fromUTF8(exp.field)), exportedValue, shouldThrowReadOnlyError, ignoreReadOnlyErrors, putResult);
+        scope.assertNoException();
         RELEASE_ASSERT(putResult);
     }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp

@@ -74 +74 @@
     catchScope.clearException();
     promise->reject(exec, exception->value());
+    CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, void());
 }
 
@@ -83 +84 @@
 
     JSPromiseDeferred* promise = JSPromiseDeferred::create(exec, globalObject);
-    RETURN_IF_EXCEPTION(scope, { });
+    CLEAR_AND_RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     Vector<Strong<JSCell>> dependencies;
@@ -99 +100 @@
                 ExecState* exec = globalObject->globalExec();
                 JSValue module = JSWebAssemblyModule::createStub(vm, exec, globalObject->WebAssemblyModuleStructure(), WTFMove(result));
-                if (scope.exception()) {
+                if (UNLIKELY(scope.exception())) {
                     reject(exec, scope, promise);
                     return;
@@ -105 +106 @@
 
                 promise->resolve(exec, module);
+                CLEAR_AND_RETURN_IF_EXCEPTION(scope, void());
             });
         }));
@@ -127 +129 @@
         promise->resolve(exec, result);
     }
+    CLEAR_AND_RETURN_IF_EXCEPTION(scope, void());
 }
 
@@ -182 +185 @@
 
     JSPromiseDeferred* promise = JSPromiseDeferred::create(exec, exec->lexicalGlobalObject());
-    RETURN_IF_EXCEPTION(scope, { });
+    CLEAR_AND_RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
     JSValue importArgument = exec->argument(1);
@@ -189 +192 @@
         promise->reject(exec, createTypeError(exec,
             ASCIILiteral("second argument to WebAssembly.instantiate must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(importArgument)));
+        CLEAR_AND_RETURN_IF_EXCEPTION(scope, encodedJSValue());
         return JSValue::encode(promise->promise());
     }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-09-10  Mark Lam  <mark.lam@apple.com>
+
+        Fix all ExceptionScope verification failures in JavaScriptCore.
+        https://bugs.webkit.org/show_bug.cgi?id=176662
+        <rdar://problem/34352085>
+
+        Reviewed by Filip Pizlo.
+
+        No new tests because this is covered by existing tests with the JSC_validateExceptionChecks=true enabled.
+
+        * bindings/js/JSCustomElementInterface.cpp:
+        (WebCore::JSCustomElementInterface::tryToConstructCustomElement):
+        * bindings/js/JSCustomElementRegistryCustom.cpp:
+        (WebCore::whenDefinedPromise):
+        * bindings/js/JSDOMConvertRecord.h:
+        * bindings/js/JSDOMMapLike.cpp:
+        (WebCore::createBackingMap):
+        * bindings/js/JSDOMPromiseDeferred.cpp:
+        (WebCore::DeferredPromise::callFunction):
+        (WebCore::DeferredPromise::reject):
+        * bindings/js/JSDOMPromiseDeferred.h:
+        (WebCore::callPromiseFunction):
+
 2017-09-10  Frederic Wang  <fwang@igalia.coml>
 

trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp

@@ -105 +105 @@
     auto& state = *document.execState();
     auto element = constructCustomElementSynchronously(document, vm, state, m_constructor.get(), localName);
-    ASSERT(!!scope.exception() == !element);
+    EXCEPTION_ASSERT(!!scope.exception() == !element);
     if (!element) {
         auto* exception = scope.exception();

trunk/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp

@@ -187 +187 @@
 
     if (!validateCustomElementNameAndThrowIfNeeded(state, localName)) {
-        ASSERT(scope.exception());
+        EXCEPTION_ASSERT(scope.exception());
         return jsUndefined();
     }

trunk/Source/WebCore/bindings/js/JSDOMConvertRecord.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -106 +106 @@
                 // 1. Let typedKey be key converted to an IDL value of type K.
                 auto typedKey = Detail::IdentifierConverter<K>::convert(state, key);
+                RETURN_IF_EXCEPTION(scope, { });
 
                 // 2. Let value be ? Get(O, key).

trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp

@@ -28 +28 @@
 
 #include "WebCoreJSClientData.h"
+#include <runtime/CatchScope.h>
 
 namespace WebCore {
@@ -46 +47 @@
 {
     auto& vm = state.vm();
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     ASSERT(mapLike.get(&state, static_cast<JSVMClientData*>(vm.clientData)->builtinNames().backingMapPrivateName()).isUndefined());
     auto backingMap = JSC::JSMap::create(&state, vm, globalObject.mapStructure());
+    scope.releaseAssertNoException();
     mapLike.putDirect(vm, static_cast<JSVMClientData*>(vm.clientData)->builtinNames().backingMapPrivateName(), backingMap, JSC::DontEnum);
     return *backingMap;

trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp

@@ -64 +64 @@
     // DeferredPromise should only be used by internal implementations that are well behaved.
     // In practice, the only exception we should ever see here is the TerminatedExecutionException.
-    ASSERT_UNUSED(scope, !scope.exception() || isTerminatedExecutionException(vm, scope.exception()));
+    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception() || isTerminatedExecutionException(vm, scope.exception()));
 
     if (m_mode == Mode::ClearPromiseOnResolve)
@@ -107 +107 @@
         auto scope = DECLARE_CATCH_SCOPE(state.vm());
 
-        ASSERT(scope.exception());
+        EXCEPTION_ASSERT(scope.exception());
 
         auto error = scope.exception()->value();
@@ -139 +139 @@
         auto scope = DECLARE_CATCH_SCOPE(state.vm());
 
-        ASSERT(scope.exception());
+        EXCEPTION_ASSERT(scope.exception());
 
         auto error = scope.exception()->value();

trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h

@@ -275 +275 @@
 
     rejectPromiseWithExceptionIfAny(state, globalObject, *promiseDeferred);
-    ASSERT_UNUSED(scope, !scope.exception());
+    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
     return promiseDeferred->promise();
 }
@@ -295 +295 @@
 
     rejectPromiseWithExceptionIfAny(state, globalObject, *promiseDeferred);
-    ASSERT_UNUSED(scope, !scope.exception());
+    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
     return promiseDeferred->promise();
 }