Context Navigation

← Previous Changeset
Next Changeset →

Changeset 276000 in webkit

Timestamp:

Apr 14, 2021 10:53:38 PM (3 years ago)

Author:

mark.lam@apple.com

Message:

Add missing exception check in operationGetPrivateNameOptimize().
https://bugs.webkit.org/show_bug.cgi?id=224592
rdar://76645873

Reviewed by Yusuke Suzuki.

JSTests:

stress/suppress-TerminationException-in-operationGetPrivateNameOptimize.js: Added.

Source/JavaScriptCore:

Though the fieldNameValue.toPropertyKey() call in operationGetPrivateNameOptimize()
would not normally throw an exception, it still can throw a TerminationException
because it contains RETURN_IF_EXCEPTION checks.

jit/JITOperations.cpp:

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/suppress-TerminationException-in-operationGetPrivateNameOptimize.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r275969
+                      r276000
+-04-14  Mark Lam  <mark.lam@apple.com>
+        Add missing exception check in operationGetPrivateNameOptimize().
+        https://bugs.webkit.org/show_bug.cgi?id=224592
+        rdar://76645873
+        Reviewed by Yusuke Suzuki.
+        * stress/suppress-TerminationException-in-operationGetPrivateNameOptimize.js: Added.
 -04-14  Mark Lam  <mark.lam@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r275995
+                      r276000
+-04-14  Mark Lam  <mark.lam@apple.com>
+        Add missing exception check in operationGetPrivateNameOptimize().
+        https://bugs.webkit.org/show_bug.cgi?id=224592
+        rdar://76645873
+        Reviewed by Yusuke Suzuki.
+        Though the fieldNameValue.toPropertyKey() call in operationGetPrivateNameOptimize()
+        would not normally throw an exception, it still can throw a TerminationException
+        because it contains RETURN_IF_EXCEPTION checks.
+        * jit/JITOperations.cpp:
 -04-14  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

-                      r275995
+                      r276000
     if (baseValue.isObject()) {
         const Identifier fieldName = fieldNameValue.toPropertyKey(globalObject);
+        EXCEPTION_ASSERT(!scope.exception());
+        EXCEPTION_ASSERT(!scope.exception() || vm.isTerminationException(scope.exception()));
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
         ASSERT(fieldName.isSymbol());

Note: See TracChangeset for help on using the changeset viewer.