Changeset 196300 in webkit

Timestamp:

Feb 8, 2016 7:31:11 PM (8 years ago)

Author:

sbarati@apple.com

Message:

runtimeTypeForValue should protect against seeing TDZ value
​https://bugs.webkit.org/show_bug.cgi?id=154023

Reviewed by Michael Saboff.

There are a few back traces I've seen from crashes that bottom out
inside runtimeTypeForValue. I haven't been able to reproduce
any such crash, but it's likely that we're encountering the
empty JSValue. It's better to just have this function protect
against seeing the empty value instead of dereferencing a null
pointer when it thinks the value is a cell.

• runtime/RuntimeType.cpp:

(JSC::runtimeTypeForValue):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/RuntimeType.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-02-08  Saam Barati  <sbarati@apple.com>
+
+        runtimeTypeForValue should protect against seeing TDZ value
+        https://bugs.webkit.org/show_bug.cgi?id=154023
+
+        Reviewed by Michael Saboff.
+
+        There are a few back traces I've seen from crashes that bottom out
+        inside runtimeTypeForValue. I haven't been able to reproduce
+        any such crash, but it's likely that we're encountering the
+        empty JSValue. It's better to just have this function protect
+        against seeing the empty value instead of dereferencing a null
+        pointer when it thinks the value is a cell.
+
+        * runtime/RuntimeType.cpp:
+        (JSC::runtimeTypeForValue):
+
 2016-02-08  Andreas Kling  <akling@apple.com>
 

trunk/Source/JavaScriptCore/runtime/RuntimeType.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  * Copyright (C) Saam Barati <saambarati1@gmail.com>. All rights reserved.
  *
@@ -36 +36 @@
 RuntimeType runtimeTypeForValue(JSValue value)
 {
+    if (UNLIKELY(!value))
+        return TypeNothing;
+
     if (value.isUndefined())
         return TypeUndefined;