Changeset 209036 in webkit
- Timestamp:
- Nov 28, 2016 3:50:16 PM (7 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 4 edited
trunk/Source/JavaScriptCore/ChangeLog
r209034 r209036 1 2016-11-28 Mark Lam <mark.lam@apple.com> 2 3 Fix exception scope verification failures in JSArray* files. 4 https://bugs.webkit.org/show_bug.cgi?id=165016 5 6 Reviewed by Saam Barati. 7 8 * runtime/JSArray.cpp: 9 (JSC::JSArray::defineOwnProperty): 10 (JSC::JSArray::put): 11 (JSC::JSArray::setLength): 12 (JSC::JSArray::pop): 13 (JSC::JSArray::push): 14 (JSC::JSArray::unshiftCountWithAnyIndexingType): 15 * runtime/JSArrayBuffer.cpp: 16 (JSC::JSArrayBuffer::put): 17 (JSC::JSArrayBuffer::defineOwnProperty): 18 * runtime/JSArrayInlines.h: 19 (JSC::getLength): 20 (JSC::toLength): 21 1 22 2016-11-28 Mark Lam <mark.lam@apple.com> 2 23 -
trunk/Source/JavaScriptCore/runtime/JSArray.cpp
r208985 r209036 187 187 // l.ii. Let deleteSucceeded be the result of calling the [[Delete]] internal method of A passing ToString(oldLen) and false as arguments. 188 188 // l.iii. If deleteSucceeded is false, then 189 if (!array->setLength(exec, newLen, throwException)) { 189 bool success = array->setLength(exec, newLen, throwException); 190 ASSERT(!scope.exception() || !success); 191 if (!success) { 190 192 // 1. Set newLenDesc.[[Value] to oldLen+1. 191 193 // 2. If newWritable is false, set newLenDesc.[[Writable] to false. … … 221 223 // e.ii. Call the default [[DefineOwnProperty]] internal method (8.12.9) on A passing "length", oldLenDesc, and false as arguments. This call will always return true. 222 224 // f. Return true. 225 scope.release(); 223 226 return array->defineOwnIndexedProperty(exec, index, descriptor, throwException); 224 227 } 225 228 229 scope.release(); 226 230 return array->JSObject::defineOwnNonIndexProperty(exec, propertyName, descriptor, throwException); 227 231 } … … 247 251 JSArray* thisObject = jsCast<JSArray*>(cell); 248 252 249 if (UNLIKELY(isThisValueAltered(slot, thisObject))) 253 if (UNLIKELY(isThisValueAltered(slot, thisObject))) { 254 scope.release(); 250 255 return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()); 256 } 251 257 252 258 if (propertyName == exec->propertyNames().length) { 253 259 unsigned newLength = value.toUInt32(exec); 260 RETURN_IF_EXCEPTION(scope, false); 254 261 if (value.toNumber(exec) != static_cast<double>(newLength)) { 255 262 throwException(exec, scope, createRangeError(exec, ASCIILiteral("Invalid array length"))); 256 263 return false; 257 264 } 265 scope.release(); 258 266 return thisObject->setLength(exec, newLength, slot.isStrictMode()); 259 267 } 260 268 269 scope.release(); 261 270 return JSObject::put(thisObject, exec, propertyName, value, slot); 262 271 } … … 518 527 return true; 519 528 if (newLength >= MIN_SPARSE_ARRAY_INDEX) { 529 scope.release(); 
520 530 return setLengthWithArrayStorage( 521 531 exec, newLength, throwException, … … 534 544 || (newLength >= MIN_SPARSE_ARRAY_INDEX 535 545 && !isDenseEnoughForVector(newLength, countElements()))) { 546 scope.release(); 536 547 return setLengthWithArrayStorage( 537 548 exec, newLength, throwException, … … 566 577 case ArrayWithArrayStorage: 567 578 case ArrayWithSlowPutArrayStorage: 579 scope.release(); 568 580 return setLengthWithArrayStorage(exec, newLength, throwException, arrayStorage()); 569 581 … … 660 672 RETURN_IF_EXCEPTION(scope, JSValue()); 661 673 // Call the [[Delete]] internal method of O with arguments indx and true. 662 if (!deletePropertyByIndex(this, exec, index)) { 674 bool success = deletePropertyByIndex(this, exec, index); 675 RETURN_IF_EXCEPTION(scope, JSValue()); 676 if (!success) { 663 677 throwTypeError(exec, scope, ASCIILiteral(UnableToDeletePropertyError)); 664 678 return jsUndefined(); 665 679 } 666 680 // Call the [[Put]] internal method of O with arguments "length", indx, and true. 681 scope.release(); 667 682 setLength(exec, index, true); 668 683 // Return element. 
… … 688 703 case ArrayWithUndecided: { 689 704 convertUndecidedForValue(vm, value); 705 scope.release(); 690 706 push(exec, value); 691 707 return; … … 695 711 if (!value.isInt32()) { 696 712 convertInt32ForValue(vm, value); 713 scope.release(); 697 714 push(exec, value); 698 715 return; … … 707 724 } 708 725 709 if ( length > MAX_ARRAY_INDEX) {726 if (UNLIKELY(length > MAX_ARRAY_INDEX)) { 710 727 methodTable(vm)->putByIndex(this, exec, length, value, true); 711 728 if (!scope.exception()) … … 713 730 return; 714 731 } 715 732 733 scope.release(); 716 734 putByIndexBeyondVectorLengthWithoutAttributes<Int32Shape>(exec, length, value); 717 735 return; … … 727 745 } 728 746 729 if ( length > MAX_ARRAY_INDEX) {747 if (UNLIKELY(length > MAX_ARRAY_INDEX)) { 730 748 methodTable(vm)->putByIndex(this, exec, length, value, true); 731 749 if (!scope.exception()) … … 733 751 return; 734 752 } 735 753 754 scope.release(); 736 755 putByIndexBeyondVectorLengthWithoutAttributes<ContiguousShape>(exec, length, value); 737 756 return; … … 741 760 if (!value.isNumber()) { 742 761 convertDoubleToContiguous(vm); 762 scope.release(); 743 763 push(exec, value); 744 764 return; … … 747 767 if (valueAsDouble != valueAsDouble) { 748 768 convertDoubleToContiguous(vm); 769 scope.release(); 749 770 push(exec, value); 750 771 return; … … 759 780 } 760 781 761 if ( length > MAX_ARRAY_INDEX) {782 if (UNLIKELY(length > MAX_ARRAY_INDEX)) { 762 783 methodTable(vm)->putByIndex(this, exec, length, value, true); 763 784 if (!scope.exception()) … … 765 786 return; 766 787 } 767 788 789 scope.release(); 768 790 putByIndexBeyondVectorLengthWithoutAttributes<DoubleShape>(exec, length, value); 769 break;791 return; 770 792 } 771 793 … … 774 796 bool putResult = false; 775 797 if (attemptToInterceptPutByIndexOnHole(exec, oldLength, value, true, putResult)) { 776 if (!scope.exception() && oldLength < 0xFFFFFFFFu) 798 if (!scope.exception() && oldLength < 0xFFFFFFFFu) { 799 scope.release(); 777 800 
setLength(exec, oldLength + 1, true); 801 } 778 802 return; 779 803 } … … 794 818 795 819 // Pushing to an array of invalid length (2^31-1) stores the property, but throws a range error. 796 if ( storage->length() > MAX_ARRAY_INDEX) {820 if (UNLIKELY(storage->length() > MAX_ARRAY_INDEX)) { 797 821 methodTable(vm)->putByIndex(this, exec, storage->length(), value, true); 798 822 // Per ES5.1 15.4.4.7 step 6 & 15.4.5.1 step 3.d. … … 803 827 804 828 // Handled the same as putIndex. 829 scope.release(); 805 830 putByIndexBeyondVectorLengthWithArrayStorage(exec, storage->length(), value, true, storage); 806 break;831 return; 807 832 } 808 833 … … 1118 1143 // We may have to walk the entire array to do the unshift. We're willing to do so 1119 1144 // only if it's not horribly slow. 1120 if (oldLength - startIndex >= MIN_SPARSE_ARRAY_INDEX) 1145 if (oldLength - startIndex >= MIN_SPARSE_ARRAY_INDEX) { 1146 scope.release(); 1121 1147 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm)); 1148 } 1122 1149 1123 1150 if (!ensureLength(vm, oldLength + count)) { … … 1131 1158 for (unsigned i = oldLength; i-- > startIndex;) { 1132 1159 JSValue v = butterfly->contiguous()[i].get(); 1133 if (UNLIKELY(!v)) 1160 if (UNLIKELY(!v)) { 1161 scope.release(); 1134 1162 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm)); 1163 } 1135 1164 } 1136 1165 … … 1154 1183 // We may have to walk the entire array to do the unshift. We're willing to do so 1155 1184 // only if it's not horribly slow. 
1156 if (oldLength - startIndex >= MIN_SPARSE_ARRAY_INDEX) 1185 if (oldLength - startIndex >= MIN_SPARSE_ARRAY_INDEX) { 1186 scope.release(); 1157 1187 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm)); 1188 } 1158 1189 1159 1190 if (!ensureLength(vm, oldLength + count)) { … … 1167 1198 for (unsigned i = oldLength; i-- > startIndex;) { 1168 1199 double v = butterfly->contiguousDouble()[i]; 1169 if (UNLIKELY(v != v)) 1200 if (UNLIKELY(v != v)) { 1201 scope.release(); 1170 1202 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm)); 1203 } 1171 1204 } 1172 1205 … … 1187 1220 case ArrayWithArrayStorage: 1188 1221 case ArrayWithSlowPutArrayStorage: 1222 scope.release(); 1189 1223 return unshiftCountWithArrayStorage(exec, startIndex, count, arrayStorage()); 1190 1224 -
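Review bot: In JSArray::put the exception check added after `value.toUInt32(exec)` has no counterpart after `value.toNumber(exec)` on the next line, although that second conversion runs the same user-visible valueOf/toString path and can throw just as well; a pending exception would then reach `throwException(exec, scope, createRangeError(...))` or the released `setLength` call with the scope still holding it. Splitting the comparison keeps the fix local: `double valueAsNumber = value.toNumber(exec);` / `RETURN_IF_EXCEPTION(scope, false);` / `if (valueAsNumber != static_cast<double>(newLength)) {`. In defineOwnProperty the new `ASSERT(!scope.exception() || !success)` only records the invariant; when setLength fails because it threw, the `if (!success)` body still executes, and it is worth confirming that the code there (it continues outside the hunk) does not raise a second error on top of the pending one. The bodies of put and defineOwnProperty both start and end outside the hunks shown here.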
trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.cpp
r208209 r209036 107 107 JSArrayBuffer* thisObject = jsCast<JSArrayBuffer*>(cell); 108 108 109 if (UNLIKELY(isThisValueAltered(slot, thisObject))) 109 if (UNLIKELY(isThisValueAltered(slot, thisObject))) { 110 scope.release(); 110 111 return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()); 112 } 111 113 112 114 if (propertyName == vm.propertyNames->byteLength) 113 115 return typeError(exec, scope, slot.isStrictMode(), ASCIILiteral("Attempting to write to a read-only array buffer property.")); 114 116 117 scope.release(); 115 118 return Base::put(thisObject, exec, propertyName, value, slot); 116 119 } … … 126 129 if (propertyName == vm.propertyNames->byteLength) 127 130 return typeError(exec, scope, shouldThrow, ASCIILiteral("Attempting to define read-only array buffer property.")); 128 131 132 scope.release(); 129 133 return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow); 130 134 } -
trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h
r206525 r209036 77 77 JSValue lengthValue = obj->get(exec, vm.propertyNames->length); 78 78 RETURN_IF_EXCEPTION(scope, UINT_MAX); 79 scope.release(); 79 80 return lengthValue.toUInt32(exec); 80 81 } … … 89 90 JSValue lengthValue = obj->get(exec, vm.propertyNames->length); 90 91 RETURN_IF_EXCEPTION(scope, PNaN); 92 scope.release(); 91 93 return lengthValue.toLength(exec); 92 94 }
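Review bot: getLength's error sentinel `UINT_MAX` is also a legitimate result of `lengthValue.toUInt32(exec)` (ToUint32 of 4294967295), so a caller cannot tell failure from a maximal length by the return value alone, and after the added `scope.release()` the final `toUInt32` / `toLength` call may still throw without this function checking it. Neither function states that contract; a one-line comment above each would, e.g. for getLength `// May throw; callers must check the exception scope — UINT_MAX is both the error sentinel and a valid length.` and for toLength the analogous remark about `PNaN` being returned on failure. Both function signatures sit above the hunk, so the comments would go there.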