Changeset 208913 in webkit
- Timestamp:
- Nov 18, 2016, 5:46:01 PM (9 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r208912 r208913 1 2016-11-18 Mark Lam <mark.lam@apple.com> 2 3 Fix missing exception checks in DFGOperations.cpp. 4 https://bugs.webkit.org/show_bug.cgi?id=164958 5 6 Reviewed by Geoffrey Garen. 7 8 * dfg/DFGOperations.cpp: 9 1 10 2016-11-18 Mark Lam <mark.lam@apple.com> 2 11 -
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r208720 r208913 111 111 // Despite its name, JSValue::isUInt32 will return true only for positive boxed int32_t; all those values are valid array indices. 112 112 ASSERT(isIndex(property.asUInt32())); 113 scope.release(); 113 114 putByVal<strict, direct>(exec, baseValue, property.asUInt32(), value); 114 115 return; … … 119 120 uint32_t propertyAsUInt32 = static_cast<uint32_t>(propertyAsDouble); 120 121 if (propertyAsDouble == propertyAsUInt32 && isIndex(propertyAsUInt32)) { 122 scope.release(); 121 123 putByVal<strict, direct>(exec, baseValue, propertyAsUInt32, value); 122 124 return; … … 131 133 if (direct) { 132 134 RELEASE_ASSERT(baseValue.isObject()); 133 if (Optional<uint32_t> index = parseIndex(propertyName)) 135 if (Optional<uint32_t> index = parseIndex(propertyName)) { 136 scope.release(); 134 137 asObject(baseValue)->putDirectIndex(exec, index.value(), value, 0, strict ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow); 135 else 136 asObject(baseValue)->putDirect(*vm, propertyName, value, slot); 137 } else 138 baseValue.put(exec, propertyName, value, slot); 138 return; 139 } 140 asObject(baseValue)->putDirect(*vm, propertyName, value, slot); 141 return; 142 } 143 scope.release(); 144 baseValue.put(exec, propertyName, value, slot); 139 145 } 140 146 … … 153 159 if (vector) 154 160 return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, vector)); 155 161 162 scope.release(); 156 163 return bitwise_cast<char*>(ViewClass::create(exec, structure, size)); 157 164 } … … 190 197 NativeCallFrameTracer tracer(&vm, exec); 191 198 auto scope = DECLARE_THROW_SCOPE(vm); 192 if (constructor->type() == JSFunctionType) 193 return constructEmptyObject(exec, jsCast<JSFunction*>(constructor)->rareData(exec, inlineCapacity)->objectAllocationProfile()->structure()); 199 if (constructor->type() == JSFunctionType) { 200 auto rareData = jsCast<JSFunction*>(constructor)->rareData(exec, inlineCapacity); 201 RETURN_IF_EXCEPTION(scope, nullptr); 202 
return constructEmptyObject(exec, rareData->objectAllocationProfile()->structure()); 203 } 194 204 195 205 JSValue proto = constructor->get(exec, exec->propertyNames().prototype); … … 224 234 int32_t a = op1.toInt32(exec); 225 235 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 236 scope.release(); 226 237 int32_t b = op2.toInt32(exec); 227 238 return JSValue::encode(jsNumber(a & b)); … … 239 250 int32_t a = op1.toInt32(exec); 240 251 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 252 scope.release(); 241 253 int32_t b = op2.toInt32(exec); 242 254 return JSValue::encode(jsNumber(a | b)); … … 254 266 int32_t a = op1.toInt32(exec); 255 267 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 268 scope.release(); 256 269 int32_t b = op2.toInt32(exec); 257 270 return JSValue::encode(jsNumber(a ^ b)); … … 269 282 int32_t a = op1.toInt32(exec); 270 283 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 284 scope.release(); 271 285 uint32_t b = op2.toUInt32(exec); 272 286 return JSValue::encode(jsNumber(a << (b & 0x1f))); … … 284 298 int32_t a = op1.toInt32(exec); 285 299 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 300 scope.release(); 286 301 uint32_t b = op2.toUInt32(exec); 287 302 return JSValue::encode(jsNumber(a >> (b & 0x1f))); … … 299 314 uint32_t a = op1.toUInt32(exec); 300 315 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 316 scope.release(); 301 317 uint32_t b = op2.toUInt32(exec); 302 318 return JSValue::encode(jsNumber(static_cast<int32_t>(a >> (b & 0x1f)))); … … 330 346 double a = op1.toNumber(exec); 331 347 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 348 scope.release(); 332 349 double b = op2.toNumber(exec); 333 350 return JSValue::encode(jsNumber(a / b)); … … 507 524 JSCell* base = baseValue.asCell(); 508 525 509 if (property.isUInt32()) 526 if (property.isUInt32()) { 527 scope.release(); 510 528 return getByVal(exec, base, property.asUInt32()); 511 else if (property.isDouble()) { 529 } 530 if (property.isDouble()) { 512 531 double propertyAsDouble = 
property.asDouble(); 513 532 uint32_t propertyAsUInt32 = static_cast<uint32_t>(propertyAsDouble); 514 if (propertyAsUInt32 == propertyAsDouble && isIndex(propertyAsUInt32)) 533 if (propertyAsUInt32 == propertyAsDouble && isIndex(propertyAsUInt32)) { 534 scope.release(); 515 535 return getByVal(exec, base, propertyAsUInt32); 536 } 516 537 } else if (property.isString()) { 517 538 Structure& structure = *base->structure(vm); … … 529 550 auto propertyName = property.toPropertyKey(exec); 530 551 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 552 scope.release(); 531 553 return JSValue::encode(baseValue.get(exec, propertyName)); 532 554 } … … 955 977 return JSValue::encode(asString(baseValue)->getIndex(exec, i)); 956 978 979 scope.release(); 957 980 return JSValue::encode(baseValue.get(exec, i, slot)); 958 981 } … … 963 986 auto property = subscript.toPropertyKey(exec); 964 987 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 988 scope.release(); 965 989 return JSValue::encode(baseValue.get(exec, property, slot)); 966 990 } … … 990 1014 Identifier property = JSValue::decode(encodedSubscript).toPropertyKey(exec); 991 1015 RETURN_IF_EXCEPTION(scope, void()); 1016 scope.release(); 992 1017 putWithThis<true>(exec, encodedBase, encodedThis, encodedValue, property); 993 1018 } … … 1001 1026 Identifier property = JSValue::decode(encodedSubscript).toPropertyKey(exec); 1002 1027 RETURN_IF_EXCEPTION(scope, void()); 1028 scope.release(); 1003 1029 putWithThis<false>(exec, encodedBase, encodedThis, encodedValue, property); 1004 1030 } … … 1022 1048 Identifier propertyName = JSValue::decode(encodedProperty).toPropertyKey(exec); 1023 1049 RETURN_IF_EXCEPTION(scope, void()); 1050 scope.release(); 1024 1051 defineDataProperty(exec, vm, base, propertyName, JSValue::decode(encodedValue), attributes); 1025 1052 } … … 1033 1060 Identifier propertyName = property->toIdentifier(exec); 1034 1061 RETURN_IF_EXCEPTION(scope, void()); 1062 scope.release(); 1035 1063 defineDataProperty(exec, vm, base, 
propertyName, JSValue::decode(encodedValue), attributes); 1036 1064 } … … 1944 1972 if (isJSArray(iterable) && globalObject->isArrayIteratorProtocolFastAndNonObservable()) { 1945 1973 JSArray* array = jsCast<JSArray*>(iterable); 1974 throwScope.release(); 1946 1975 return JSFixedArray::createFromArray(exec, vm, array); 1947 1976 } … … 1964 1993 } 1965 1994 1995 throwScope.release(); 1966 1996 return JSFixedArray::createFromArray(exec, vm, array); 1967 1997 } … … 2041 2071 2042 2072 Identifier ident = Identifier::fromUid(exec, impl); 2073 throwScope.release(); 2043 2074 return JSValue::encode(scope->getPropertySlot(exec, ident, [&] (bool found, PropertySlot& slot) -> JSValue { 2044 2075 if (!found) { … … 2072 2103 GetPutInfo getPutInfo(getPutInfoBits); 2073 2104 bool hasProperty = scope->hasProperty(exec, ident); 2105 RETURN_IF_EXCEPTION(throwScope, void()); 2074 2106 if (hasProperty 2075 2107 && scope->isGlobalLexicalEnvironment() … … 2096 2128 strictMode = exec->codeBlock()->isStrictMode(); 2097 2129 PutPropertySlot slot(scope, strictMode, PutPropertySlot::UnknownContext, isInitialization(getPutInfo.initializationMode())); 2130 throwScope.release(); 2098 2131 scope->methodTable()->put(scope, exec, ident, JSValue::decode(value), slot); 2099 2132 }
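Review bot: In the bitwise and division hunks, the `scope.release();` inserted before `op2.toInt32(exec)` (new lines 236, 252, 268, 284, 300, 316) and before `op2.toNumber(exec)` (new line 348) means the operation still boxes and returns `a & b` (and the like) when the second conversion threw, leaving whatever `toInt32`/`toNumber` produced on failure to be discarded by the caller's exception check, and nothing at the call site records that this is intentional. A one-line comment at the first such site, `// Releasing the scope defers the exception check for the throwing toInt32 below to the caller; the boxed result is ignored when an exception is pending.`, would stop a later maintainer from re-adding a `RETURN_IF_EXCEPTION` after the release or treating the missing check as a bug. The same convention is presumably what justifies the releases before the tail calls in the getByVal, putByVal, putWithThis and defineDataProperty hunks, and the `putDirect(*vm, ...)` branch that gets no release appears to rely on a `VM&`-taking callee not throwing; both deserve the same note. Each of these operations starts before its hunk, so I could not confirm whether an earlier statement in them already documents this.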