Changeset 260343 in webkit

Timestamp:

Apr 19, 2020 2:18:07 PM (4 years ago)

Author:

mark.lam@apple.com

Message:

Fix missing exception checks and handling in JSC APIs.
​https://bugs.webkit.org/show_bug.cgi?id=210715
<rdar://problem/61599658>

Reviewed by Saam Barati.

• API/APICallbackFunction.h:

(JSC::APICallbackFunction::call):

• We should return early if an exception was thrown. We should not be using the result in any way since we cannot rely on it having any sane value.

(JSC::APICallbackFunction::construct):

• For consistency, also return an undefined here when an exception was thrown.

• API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::construct):
(JSC::JSCallbackObject<Parent>::call):

• Return an undefined if an exception was thrown. Don't return the potentially garbage result value. Who knows what the client code will do with it. Returning an undefined here makes the code more robust.

• API/JSObjectRef.cpp:

(JSObjectGetProperty):
(JSObjectHasPropertyForKey):
(JSObjectGetPropertyForKey):
(JSObjectDeletePropertyForKey):
(JSObjectGetPropertyAtIndex):
(JSObjectDeleteProperty):

• Explicitly return a nullptr if an exception was thrown. The toRef() on the result that follows the exception check may or may not return a nullptr (also see toRef(JSC::VM& vm, JSC::JSValue v) for !CPU(ADDRESS64)).

• API/JSValueRef.cpp:

(JSValueIsEqual):
(JSValueIsInstanceOfConstructor):

• For consistency, make these return false if an exception is thrown.

• API/ObjCCallbackFunction.mm:

(JSC::objCCallbackFunctionCallAsFunction):
(JSC::objCCallbackFunctionCallAsConstructor):
(JSC::ObjCCallbackFunctionImpl::call):

• Add some assertions and return early if an exception was thrown.

Location:

trunk/Source/JavaScriptCore

Files:

• API/APICallbackFunction.h (modified) (3 diffs)
• API/JSCallbackObjectFunctions.h (modified) (2 diffs)
• API/JSObjectRef.cpp (modified) (8 diffs)
• API/JSValueRef.cpp (modified) (3 diffs)
• API/ObjCCallbackFunction.mm (modified) (19 diffs)
• ChangeLog (modified) (1 diff)

trunk/Source/JavaScriptCore/API/APICallbackFunction.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -63 +63 @@
         result = jsCast<T*>(toJS(functionRef))->functionCallback()(execRef, functionRef, thisObjRef, argumentCount, arguments.data(), &exception);
     }
-    if (exception)
+    if (exception) {
         throwException(globalObject, scope, toJS(globalObject, exception));
+        return JSValue::encode(jsUndefined());
+    }
 
     // result must be a valid JSValue.
@@ -98 +100 @@
         if (exception) {
             throwException(globalObject, scope, toJS(globalObject, exception));
-            return JSValue::encode(toJS(globalObject, exception));
+            return JSValue::encode(jsUndefined());
         }
         // result must be a valid JSValue.

trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -466 +466 @@
                 result = toJS(callAsConstructor(execRef, constructorRef, argumentCount, arguments.data(), &exception));
             }
-            if (exception)
+            if (exception) {
                 throwException(globalObject, scope, toJS(globalObject, exception));
+                return JSValue::encode(jsUndefined());
+            }
             return JSValue::encode(result);
         }
@@ -539 +541 @@
                 result = toJS(globalObject, callAsFunction(execRef, functionRef, thisObjRef, argumentCount, arguments.data(), &exception));
             }
-            if (exception)
+            if (exception) {
                 throwException(globalObject, scope, toJS(globalObject, exception));
+                return JSValue::encode(jsUndefined());
+            }
             return JSValue::encode(result);
         }

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -349 +349 @@
     if (!ctx || !object) {
         ASSERT_NOT_REACHED();
-        return 0;
+        return nullptr;
     }
     JSGlobalObject* globalObject = toJS(ctx);
@@ -359 +359 @@
 
     JSValue jsValue = jsObject->get(globalObject, propertyName->identifier(&vm));
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return nullptr;
     return toRef(globalObject, jsValue);
 }
@@ -408 +409 @@
 
     bool result = jsObject->hasProperty(globalObject, ident);
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return false;
     return result;
 }
@@ -429 +431 @@
 
     JSValue jsValue = jsObject->get(globalObject, ident);
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return nullptr;
     return toRef(globalObject, jsValue);
 }
@@ -481 +484 @@
 
     bool result = JSCell::deleteProperty(jsObject, globalObject, ident);
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return false;
     return result;
 }
@@ -489 +493 @@
     if (!ctx) {
         ASSERT_NOT_REACHED();
-        return 0;
+        return nullptr;
     }
     JSGlobalObject* globalObject = toJS(ctx);
@@ -499 +503 @@
 
     JSValue jsValue = jsObject->get(globalObject, propertyIndex);
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return nullptr;
     return toRef(globalObject, jsValue);
 }
@@ -536 +541 @@
 
     bool result = JSCell::deleteProperty(jsObject, globalObject, propertyName->identifier(&vm));
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return false;
     return result;
 }

trunk/Source/JavaScriptCore/API/JSValueRef.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -236 +236 @@
 
     bool result = JSValue::equal(globalObject, jsA, jsB); // false if an exception is thrown
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return false;
     
     return result;
@@ -273 +274 @@
         return false;
     bool result = jsConstructor->hasInstance(globalObject, jsValue); // false if an exception is thrown
-    handleExceptionIfNeeded(scope, ctx, exception);
+    if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow)
+        return false;
     return result;
 }

trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -68 +68 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         T value = (T)JSC::toInt32(JSValueToNumber([context JSGlobalContextRef], argument, exception));
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -77 +80 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         T value = (T)JSValueToNumber([context JSGlobalContextRef], argument, exception);
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -108 +114 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         JSGlobalContextRef contextRef = [context JSGlobalContextRef];
 
@@ -131 +138 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         id value = valueToNumber([context JSGlobalContextRef], argument, exception);
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -139 +149 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         id value = valueToString([context JSGlobalContextRef], argument, exception);
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -147 +160 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         id value = valueToDate([context JSGlobalContextRef], argument, exception);
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -155 +171 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         id value = valueToArray([context JSGlobalContextRef], argument, exception);
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -163 +182 @@
     void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override
     {
+        ASSERT(exception && !*exception);
         id value = valueToDictionary([context JSGlobalContextRef], argument, exception);
+        if (*exception)
+            return;
         [invocation setArgument:&value atIndex:argumentNumber];
     }
@@ -448 +470 @@
 static JSValueRef objCCallbackFunctionCallAsFunction(JSContextRef callerContext, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
 {
+    ASSERT(exception && !*exception);
+
     // Retake the API lock - we need this for a few reasons:
     // (1) We don't want to support the C-API's confusing drops-locks-once policy - should only drop locks if we can do so recursively.
@@ -461 +485 @@
         JSGlobalContextRef contextRef = [context JSGlobalContextRef];
         *exception = toRef(JSC::createTypeError(toJS(contextRef), "Cannot call a class constructor without |new|"_s));
+        if (*exception)
+            return nullptr;
         return JSValueMakeUndefined(contextRef);
     }
@@ -473 +499 @@
         [context endCallbackWithData:&callbackData];
     }
+    if (*exception)
+        return nullptr;
     return result;
 }
@@ -478 +506 @@
 static JSObjectRef objCCallbackFunctionCallAsConstructor(JSContextRef callerContext, JSObjectRef constructor, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
 {
+    ASSERT(exception && !*exception);
     JSC::JSLockHolder locker(toJS(callerContext));
 
@@ -493 +522 @@
         [context endCallbackWithData:&callbackData];
     }
+    if (*exception)
+        return nullptr;
 
     JSGlobalContextRef contextRef = [context JSGlobalContextRef];
-    if (*exception)
-        return nullptr;
-
     if (!JSValueIsObject(contextRef, result)) {
         *exception = toRef(JSC::createTypeError(toJS(contextRef), "Objective-C blocks called as constructors must return an object."_s));
         return nullptr;
     }
+    ASSERT(!*exception);
     return const_cast<JSObjectRef>(result);
 }
@@ -541 +570 @@
 JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
 {
+    ASSERT(exception && !*exception);
     JSGlobalContextRef contextRef = [context JSGlobalContextRef];
 
@@ -551 +581 @@
         if (!target || ![target isKindOfClass:m_instanceClass.get()]) {
             *exception = toRef(JSC::createTypeError(toJS(contextRef), "self type check failed for Objective-C instance method"_s));
+            if (*exception)
+                return nullptr;
             return JSValueMakeUndefined(contextRef);
         }
@@ -561 +593 @@
         if (!target || ![target isKindOfClass:m_instanceClass.get()]) {
             *exception = toRef(JSC::createTypeError(toJS(contextRef), "self type check failed for Objective-C instance method"_s));
+            if (*exception)
+                return nullptr;
             return JSValueMakeUndefined(contextRef);
         }
@@ -579 +613 @@
         argument->set(m_invocation.get(), argumentNumber + firstArgument, context, value, exception);
         if (*exception)
-            return JSValueMakeUndefined(contextRef);
+            return nullptr;
         ++argumentNumber;
     }
@@ -586 +620 @@
 
     JSValueRef result = m_result->get(m_invocation.get(), context, exception);
+    if (*exception)
+        return nullptr;
 
     // Balance our call to -alloc with a call to -autorelease. We have to do this after calling -init

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-19  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception checks and handling in JSC APIs.
+        https://bugs.webkit.org/show_bug.cgi?id=210715
+        <rdar://problem/61599658>
+
+        Reviewed by Saam Barati.
+
+        * API/APICallbackFunction.h:
+        (JSC::APICallbackFunction::call):
+        - We should return early if an exception was thrown.  We should not be using the
+          result in any way since we cannot rely on it having any sane value.
+        (JSC::APICallbackFunction::construct):
+        - For consistency, also return an undefined here when an exception was thrown.
+
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::construct):
+        (JSC::JSCallbackObject<Parent>::call):
+        - Return an undefined if an exception was thrown.  Don't return the potentially
+          garbage result value.  Who knows what the client code will do with it.  Returning
+          an undefined here makes the code more robust.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectGetProperty):
+        (JSObjectHasPropertyForKey):
+        (JSObjectGetPropertyForKey):
+        (JSObjectDeletePropertyForKey):
+        (JSObjectGetPropertyAtIndex):
+        (JSObjectDeleteProperty):
+        - Explicitly return a nullptr if an exception was thrown.  The toRef() on the
+          result that follows the exception check may or may not return a nullptr
+          (also see toRef(JSC::VM& vm, JSC::JSValue v) for !CPU(ADDRESS64)).
+
+        * API/JSValueRef.cpp:
+        (JSValueIsEqual):
+        (JSValueIsInstanceOfConstructor):
+        - For consistency, make these return false if an exception is thrown.
+
+        * API/ObjCCallbackFunction.mm:
+        (JSC::objCCallbackFunctionCallAsFunction):
+        (JSC::objCCallbackFunctionCallAsConstructor):
+        (JSC::ObjCCallbackFunctionImpl::call):
+        - Add some assertions and return early if an exception was thrown.
+
 2020-04-18  Keith Miller  <keith_miller@apple.com>