Changeset 204485 in webkit
- Timestamp:
- Aug 15, 2016 2:52:22 PM (8 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 1 added
- 7 edited
trunk/Source/JavaScriptCore/ChangeLog
r204484 r204485 1 2016-08-15 Mark Lam <mark.lam@apple.com> 2 3 Make JSValue::strictEqual() handle failures to resolve JSRopeStrings. 4 https://bugs.webkit.org/show_bug.cgi?id=160832 5 <rdar://problem/27577556> 6 7 Reviewed by Geoffrey Garen. 8 9 Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to 10 access the StringImpl of a JSRopeString that fails to resolve its rope. As a 11 result, we'll crash with null pointer dereferences. 12 13 We can fix this by introducing a JSString::equal() method that will do the 14 equality comparison, but is aware of the potential failures to resolve ropes. 15 JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal() 16 instead of accessing the underlying StringImpl directly. 17 18 Also added some exception checks. 19 20 * JavaScriptCore.xcodeproj/project.pbxproj: 21 * jit/JITOperations.cpp: 22 * runtime/ArrayPrototype.cpp: 23 (JSC::arrayProtoFuncIndexOf): 24 (JSC::arrayProtoFuncLastIndexOf): 25 * runtime/JSCJSValueInlines.h: 26 (JSC::JSValue::equalSlowCaseInline): 27 (JSC::JSValue::strictEqualSlowCaseInline): 28 * runtime/JSString.cpp: 29 (JSC::JSString::equalSlowCase): 30 * runtime/JSString.h: 31 * runtime/JSStringInlines.h: Added. 32 (JSC::JSString::equal): 33 1 34 2016-08-15 Keith Miller <keith_miller@apple.com> 2 35 -
trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
r204484 r204485 963 963 0FFFC95F14EF90BB00C72532 /* DFGVirtualRegisterAllocationPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FFFC95314EF909500C72532 /* DFGVirtualRegisterAllocationPhase.cpp */; }; 964 964 0FFFC96014EF90BD00C72532 /* DFGVirtualRegisterAllocationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFFC95414EF909500C72532 /* DFGVirtualRegisterAllocationPhase.h */; }; 965 13FECE06D3B445FCB6C93461 /* JSModuleLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1879510614C540FFB561C124 /* JSModuleLoader.cpp */; }; 965 966 140566C4107EC255005DBC8D /* JSAPIValueWrapper.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BC0894D50FAFBA2D00001865 /* JSAPIValueWrapper.cpp */; }; 966 967 140566D6107EC271005DBC8D /* JSFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F692A85E0255597D01FF60F7 /* JSFunction.cpp */; }; … … 2000 2001 C4F4B6F51A05C984005CAB76 /* generate_objc_protocol_types_implementation.py in Headers */ = {isa = PBXBuildFile; fileRef = C4F4B6D71A05C76F005CAB76 /* generate_objc_protocol_types_implementation.py */; settings = {ATTRIBUTES = (Private, ); }; }; 2001 2002 C4F4B6F61A05C984005CAB76 /* objc_generator_templates.py in Headers */ = {isa = PBXBuildFile; fileRef = C4F4B6D81A05C76F005CAB76 /* objc_generator_templates.py */; settings = {ATTRIBUTES = (Private, ); }; }; 2003 D9722752DC54459B9125B539 /* JSModuleLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */; }; 2002 2004 DC00039319D8BE6F00023EB0 /* DFGPreciseLocalClobberize.h in Headers */ = {isa = PBXBuildFile; fileRef = DC00039019D8BE6F00023EB0 /* DFGPreciseLocalClobberize.h */; }; 2003 2005 DC0184191D10C1890057B053 /* JITWorklist.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0184181D10C1870057B053 /* JITWorklist.h */; }; … … 2142 2144 FED94F2F171E3E2300BE77A4 /* Watchdog.h in Headers */ = {isa = PBXBuildFile; fileRef = FED94F2C171E3E2300BE77A4 /* Watchdog.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
2143 2145 FEF040511AAE662D00BD28B0 /* CompareAndSwapTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEF040501AAE662D00BD28B0 /* CompareAndSwapTest.cpp */; }; 2144 D9722752DC54459B9125B539 /* JSModuleLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */; }; 2145 13FECE06D3B445FCB6C93461 /* JSModuleLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1879510614C540FFB561C124 /* JSModuleLoader.cpp */; }; 2146 FEFD6FC61D5E7992008F2F0B /* JSStringInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */; settings = {ATTRIBUTES = (Private, ); }; }; 2146 2147 /* End PBXBuildFile section */ 2147 2148 … … 3287 3288 14F7256414EE265E00B1652B /* WeakHandleOwner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WeakHandleOwner.h; sourceTree = "<group>"; }; 3288 3289 14F97446138C853E00DA1C67 /* HeapRootVisitor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapRootVisitor.h; sourceTree = "<group>"; }; 3290 1879510614C540FFB561C124 /* JSModuleLoader.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSModuleLoader.cpp; sourceTree = "<group>"; }; 3289 3291 1A28D4A7177B71C80007FA3C /* JSStringRefPrivate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringRefPrivate.h; sourceTree = "<group>"; }; 3290 3292 1ACF7376171CA6FB00C9BB1E /* Weak.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Weak.cpp; sourceTree = "<group>"; }; … … 3523 3525 72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCustomGetterSetterFunction.cpp; sourceTree = "<group>"; }; 3524 3526 72AAF7CC1D0D318B005E60BE /* JSCustomGetterSetterFunction.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCustomGetterSetterFunction.h; sourceTree = "<group>"; }; 3527 77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSModuleLoader.h; sourceTree = "<group>"; }; 3525 3528 7905BB661D12050E0019FE57 /* InlineAccess.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InlineAccess.cpp; sourceTree = "<group>"; }; 3526 3529 7905BB671D12050E0019FE57 /* InlineAccess.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InlineAccess.h; sourceTree = "<group>"; }; … … 4447 4450 FEF040501AAE662D00BD28B0 /* CompareAndSwapTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = CompareAndSwapTest.cpp; path = API/tests/CompareAndSwapTest.cpp; sourceTree = "<group>"; }; 4448 4451 FEF040521AAEC4ED00BD28B0 /* CompareAndSwapTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CompareAndSwapTest.h; path = API/tests/CompareAndSwapTest.h; sourceTree = "<group>"; }; 4449 77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSModuleLoader.h; path = JSModuleLoader.h; sourceTree = "<group>"; }; 4450 1879510614C540FFB561C124 /* JSModuleLoader.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSModuleLoader.cpp; path = JSModuleLoader.cpp; sourceTree = "<group>"; }; 4452 FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringInlines.h; sourceTree = "<group>"; }; 4451 4453 /* End PBXFileReference section */ 4452 4454 … … 5932 5934 F692A8620255597D01FF60F7 /* JSString.h */, 5933 5935 86E85538111B9968001AF51E /* JSStringBuilder.h */, 5936 
FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */, 5934 5937 70EC0EBC1AA0D7DA00B6AAFA /* JSStringIterator.cpp */, 5935 5938 70EC0EBD1AA0D7DA00B6AAFA /* JSStringIterator.h */, … … 8045 8048 ADDB1F6318D77DBE009B58A8 /* OpaqueRootSet.h in Headers */, 8046 8049 969A079B0ED1D3AE00F1F681 /* Opcode.h in Headers */, 8050 FEFD6FC61D5E7992008F2F0B /* JSStringInlines.h in Headers */, 8047 8051 0F2BDC2C151FDE9100CD8910 /* Operands.h in Headers */, 8048 8052 A70447EA17A0BD4600F5898E /* OperandsInlines.h in Headers */, -
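--- a/trunk/Source/JavaScriptCore/jit/JITOperations.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITOperations.cpp
@@ -1052,5 +1052,5 @@
 NativeCallFrameTracer tracer(vm, exec);
 
-bool result = WTF::equal(*asString(left)->value(exec).impl(), *asString(right)->value(exec).impl());
+bool result = asString(left)->equal(exec, asString(right));
 #if USE(JSVALUE64)
 return JSValue::encode(jsBoolean(result));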
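Review bot: `result` is consumed by `jsBoolean(result)` on the next line with no exception check in between, and `JSString::equal()` reports false when it could not resolve a rope, so a failed resolution now yields a false comparison with the exception still pending in the VM. That is presumably fine only because the JIT-emitted call site performs its own exception check after this operation returns; nothing in the hunk records that dependency. I would add `// equal() returns false if rope resolution threw; the JIT call site checks for the pending exception.` above the assignment. The enclosing operation starts and ends outside the hunk.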
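--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -1033,6 +1033,7 @@
 if (!thisObj)
 return JSValue::encode(JSValue());
+VM& vm = exec->vm();
 unsigned length = getLength(exec, thisObj);
-if (exec->hadException())
+if (UNLIKELY(vm.exception()))
 return JSValue::encode(jsUndefined());
 
@@ -1041,5 +1042,5 @@
 for (; index < length; ++index) {
 JSValue e = getProperty(exec, thisObj, index);
-if (exec->hadException())
+if (UNLIKELY(vm.exception()))
 return JSValue::encode(jsUndefined());
 if (!e)
@@ -1047,4 +1048,6 @@
 if (JSValue::strictEqual(exec, searchElement, e))
 return JSValue::encode(jsNumber(index));
+if (UNLIKELY(vm.exception()))
+return JSValue::encode(jsUndefined());
 }
 
@@ -1075,9 +1078,10 @@
 }
 
+VM& vm = exec->vm();
 JSValue searchElement = exec->argument(0);
 do {
 RELEASE_ASSERT(index < length);
 JSValue e = getProperty(exec, thisObj, index);
-if (exec->hadException())
+if (UNLIKELY(vm.exception()))
 return JSValue::encode(jsUndefined());
 if (!e)
@@ -1085,4 +1089,6 @@
 if (JSValue::strictEqual(exec, searchElement, e))
 return JSValue::encode(jsNumber(index));
+if (UNLIKELY(vm.exception()))
+return JSValue::encode(jsUndefined());
 } while (index--);
 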
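Review bot: The `if (UNLIKELY(vm.exception()))` check inserted after `JSValue::strictEqual(exec, searchElement, e)` (new lines 1050 and 1091) is only reached on the false path, so its correctness rests on `strictEqual` never returning true while an exception is pending — which the new `JSString::equalSlowCase` guarantees by returning false on failure — and that invariant deserves a line such as `// strictEqual() returns false when rope resolution threw; stop before the next iteration.` Before this change a failed resolution continued the loop with the exception pending and the string-equality path dereferenced a null StringImpl, as the ChangeLog describes, so these two checks are what turn that crash into an ordinary JS exception. Both `arrayProtoFuncIndexOf` and `arrayProtoFuncLastIndexOf` begin outside the hunks shown.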
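--- a/trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h
@@ -34,4 +34,5 @@
 #include "JSObject.h"
 #include "JSFunction.h"
+#include "JSStringInlines.h"
 #include "MathCommon.h"
 #include <wtf/text/StringImpl.h>
@@ -901,5 +902,5 @@
 bool s2 = v2.isString();
 if (s1 && s2)
-return WTF::equal(*asString(v1)->value(exec).impl(), *asString(v2)->value(exec).impl());
+return asString(v1)->equal(exec, asString(v2));
 
 if (v1.isUndefinedOrNull()) {
@@ -971,5 +972,5 @@
 
 if (v1.asCell()->isString() && v2.asCell()->isString())
-return WTF::equal(*asString(v1)->value(exec).impl(), *asString(v2)->value(exec).impl());
+return asString(v1)->equal(exec, asString(v2));
 return v1 == v2;
 }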
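Review bot: The rewritten returns at new lines 904 and 974 make `equalSlowCaseInline` and `strictEqualSlowCaseInline` return false when `JSString::equal()` fails to resolve a rope, so a false result is now ambiguous between "not equal" and "exception pending", and neither function documents that. I would put `// equal() returns false if rope resolution threw; callers must check vm.exception().` above each call. The added `#include "JSStringInlines.h"` is needed because `equal()` is declared `inline` in JSString.h but defined in that new header, which is not shown on this page. Both functions start outside the hunks.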
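--- a/trunk/Source/JavaScriptCore/runtime/JSString.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSString.cpp
@@ -73,4 +73,13 @@
 }
 
+bool JSString::equalSlowCase(ExecState* exec, JSString* other) const
+{
+String str1 = value(exec);
+String str2 = other->value(exec);
+if (exec->hadException())
+return false;
+return WTF::equal(*str1.impl(), *str2.impl());
+}
+
 size_t JSString::estimatedSize(JSCell* cell)
 {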
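Review bot: `equalSlowCase` calls `other->value(exec)` even when `value(exec)` has already thrown, so a second rope resolution (and possibly a second throw) runs with an exception pending; checking after each resolution, `String str1 = value(exec); if (exec->hadException()) return false;` and likewise for `str2`, avoids that and keeps the null-StringImpl dereference the ChangeLog describes unreachable on both paths. The function also needs a header comment stating that false means either "not equal" or "exception pending", because callers can only tell the two apart via the VM's pending exception. Note that this function also returns false when an exception was already pending on entry, before either string was touched; if that is intended it is worth a word in the same comment.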
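--- a/trunk/Source/JavaScriptCore/runtime/JSString.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSString.h
@@ -156,4 +156,5 @@
 StringViewWithUnderlyingString viewWithUnderlyingString(ExecState&) const;
 
+inline bool equal(ExecState*, JSString* other) const;
 const String& value(ExecState*) const;
 const String& tryGetValue() const;
@@ -193,4 +194,5 @@
 friend class JSValue;
 
+JS_EXPORT_PRIVATE bool equalSlowCase(ExecState*, JSString* other) const;
 bool isRope() const { return m_value.isNull(); }
 bool isSubstring() const;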
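Review bot: `equal()` at new line 158 is declared `inline` but defined in the newly added JSStringInlines.h, so a translation unit that calls it without including that header typically fails only at link time rather than with a clear compile error; a comment on the declaration, `// Defined in JSStringInlines.h. Returns false if rope resolution throws; check vm.exception().`, records both the include dependency and the result contract. `equalSlowCase` at new line 196 is private, so public callers see only `equal()` and the contract belongs on this declaration. The JSString class begins and ends outside the hunks.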