Changeset 209015 in webkit

Timestamp:

Nov 28, 2016 2:13:57 PM (7 years ago)

Author:

mark.lam@apple.com

Message:

Fix exception scope verification failures in ReflectObject.cpp.
​https://bugs.webkit.org/show_bug.cgi?id=165066

Reviewed by Saam Barati.

• runtime/ReflectObject.cpp:

(JSC::reflectObjectConstruct):
(JSC::reflectObjectDefineProperty):
(JSC::reflectObjectEnumerate):
(JSC::reflectObjectGet):
(JSC::reflectObjectGetOwnPropertyDescriptor):
(JSC::reflectObjectGetPrototypeOf):
(JSC::reflectObjectOwnKeys):
(JSC::reflectObjectSet):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/ReflectObject.cpp (modified) (9 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-11-28  Mark Lam  <mark.lam@apple.com>
+
+        Fix exception scope verification failures in ReflectObject.cpp.
+        https://bugs.webkit.org/show_bug.cgi?id=165066
+
+        Reviewed by Saam Barati.
+
+        * runtime/ReflectObject.cpp:
+        (JSC::reflectObjectConstruct):
+        (JSC::reflectObjectDefineProperty):
+        (JSC::reflectObjectEnumerate):
+        (JSC::reflectObjectGet):
+        (JSC::reflectObjectGetOwnPropertyDescriptor):
+        (JSC::reflectObjectGetPrototypeOf):
+        (JSC::reflectObjectOwnKeys):
+        (JSC::reflectObjectSet):
+
 2016-11-24  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp

@@ -126 +126 @@
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
+    scope.release();
     return JSValue::encode(construct(exec, target, constructType, constructData, arguments, newTarget));
 }
@@ -142 +143 @@
 
     PropertyDescriptor descriptor;
-    if (!toPropertyDescriptor(exec, exec->argument(2), descriptor))
-        return JSValue::encode(jsUndefined());
+    bool success = toPropertyDescriptor(exec, exec->argument(2), descriptor);
+    ASSERT(!scope.exception() == success);
+    if (UNLIKELY(!success))
+        return encodedJSValue();
     ASSERT((descriptor.attributes() & Accessor) || (!descriptor.isAccessorDescriptor()));
     ASSERT(!scope.exception());
@@ -150 +153 @@
     bool shouldThrow = false;
     JSObject* targetObject = asObject(target);
+    scope.release();
     return JSValue::encode(jsBoolean(targetObject->methodTable(vm)->defineOwnProperty(targetObject, exec, propertyName, descriptor, shouldThrow)));
 }
@@ -163 +167 @@
     if (!target.isObject())
         return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Reflect.enumerate requires the first argument be an object")));
+    scope.release();
     return JSValue::encode(JSPropertyNameIterator::create(exec, exec->lexicalGlobalObject()->propertyNameIteratorStructure(), asObject(target)));
 }
@@ -184 +189 @@
 
     PropertySlot slot(receiver, PropertySlot::InternalMethodType::Get);
+    scope.release();
     return JSValue::encode(target.get(exec, propertyName, slot));
 }
@@ -200 +206 @@
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
+    scope.release();
     return JSValue::encode(objectConstructorGetOwnPropertyDescriptor(exec, asObject(target), key));
 }
@@ -212 +219 @@
     if (!target.isObject())
         return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Reflect.getPrototypeOf requires the first argument be an object")));
-    return JSValue::encode(asObject(target)->getPrototype(exec->vm(), exec));
+    scope.release();
+    return JSValue::encode(asObject(target)->getPrototype(vm, exec));
 }
 
@@ -239 +247 @@
     if (!target.isObject())
         return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Reflect.ownKeys requires the first argument be an object")));
+    scope.release();
     return JSValue::encode(ownPropertyKeys(exec, jsCast<JSObject*>(target), PropertyNameMode::StringsAndSymbols, DontEnumPropertiesMode::Include));
 }
@@ -278 +287 @@
     bool shouldThrowIfCantSet = false;
     PutPropertySlot slot(receiver, shouldThrowIfCantSet);
+    scope.release();
     return JSValue::encode(jsBoolean(targetObject->methodTable(vm)->put(targetObject, exec, propertyName, exec->argument(2), slot)));
 }