Changeset 252767 in webkit

Timestamp:

Nov 22, 2019, 3:32:43 AM (6 years ago)

Author:

mark.lam@apple.com

Message:

Fix missing exception check in replaceUsingStringSearch().
​https://bugs.webkit.org/show_bug.cgi?id=204496

Reviewed by Yusuke Suzuki.

The CachedCall constructor can throw OutOfMemory or StackOverflow errors.
This was caught by existing JSC stress tests when we run with a debug build.

Also placate the exception check validator in $vm's functionCallWithStackSize().

• runtime/StringPrototype.cpp:

(JSC::replaceUsingStringSearch):

• tools/JSDollarVM.cpp:

(JSC::functionCallWithStackSize):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/StringPrototype.cpp (modified) (1 diff)
• tools/JSDollarVM.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-11-22  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception check in replaceUsingStringSearch().
+        https://bugs.webkit.org/show_bug.cgi?id=204496
+
+        Reviewed by Yusuke Suzuki.
+
+        The CachedCall constructor can throw OutOfMemory or StackOverflow errors.
+        This was caught by existing JSC stress tests when we run with a debug build.
+
+        Also placate the exception check validator in $vm's functionCallWithStackSize().
+
+        * runtime/StringPrototype.cpp:
+        (JSC::replaceUsingStringSearch):
+        * tools/JSDollarVM.cpp:
+        (JSC::functionCallWithStackSize):
+
 2019-11-21  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -796 +796 @@
     } else if (callType == CallType::JS) {
         cachedCall.emplace(globalObject, callFrame, jsCast<JSFunction*>(replaceValue), 3);
+        RETURN_IF_EXCEPTION(scope, nullptr);
         cachedCall->setThis(jsUndefined());
     }

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -2103 +2103 @@
     RELEASE_ASSERT(vm.stackLimit() == originalVMStackLimit);
 
+    throwScope.release();
     return encodedJSUndefined();