Changeset 238425 in webkit

Timestamp:

Nov 21, 2018 10:38:11 AM (5 years ago)

Author:

Caio Lima

Message:

[BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
​https://bugs.webkit.org/show_bug.cgi?id=190836

Reviewed by Saam Barati and Yusuke Suzuki.

JSTests:

• stress/big-int-out-of-memory-tests.js: Added.

Source/JavaScriptCore:

In this patch we are creating a new method called JSBigInt::createWithLengthUnchecked
where we allocate a BigInt trusting the length received as argument.
With this additional method, we now check if length passed to
JSBigInt::tryCreateWithLength is not greater than JSBigInt::maxLength.
When the length is greater than JSBigInt::maxLength, we then throw OOM
exception.
This required us to change the interface of some JSBigInt operations to
receive ExecState* instead of VM&. We changed only operations that
can throw because of OOM.
We beleive that this approach of throwing instead of finishing the
execution abruptly is better because JS programs can catch such
exception and handle this issue properly.

• dfg/DFGOperations.cpp:
• jit/JITOperations.cpp:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/JSBigInt.cpp:

(JSC::JSBigInt::createZero):
(JSC::JSBigInt::tryCreateWithLength):
(JSC::JSBigInt::createWithLengthUnchecked):
(JSC::JSBigInt::createFrom):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::divide):
(JSC::JSBigInt::copy):
(JSC::JSBigInt::unaryMinus):
(JSC::JSBigInt::remainder):
(JSC::JSBigInt::add):
(JSC::JSBigInt::sub):
(JSC::JSBigInt::bitwiseAnd):
(JSC::JSBigInt::bitwiseOr):
(JSC::JSBigInt::bitwiseXor):
(JSC::JSBigInt::absoluteAdd):
(JSC::JSBigInt::absoluteSub):
(JSC::JSBigInt::absoluteDivWithDigitDivisor):
(JSC::JSBigInt::absoluteDivWithBigIntDivisor):
(JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
(JSC::JSBigInt::absoluteBitwiseOp):
(JSC::JSBigInt::absoluteAddOne):
(JSC::JSBigInt::absoluteSubOne):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::rightTrim):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::createWithLength): Deleted.

• runtime/JSBigInt.h:
• runtime/Operations.cpp:

(JSC::jsAddSlowCase):

• runtime/Operations.h:

(JSC::jsSub):
(JSC::jsMul):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/big-int-out-of-memory-tests.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (6 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSBigInt.cpp (modified) (37 diffs)
• Source/JavaScriptCore/runtime/JSBigInt.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/Operations.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Operations.h (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-11-21  Caio Lima  <ticaiolima@gmail.com>
+
+        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
+        https://bugs.webkit.org/show_bug.cgi?id=190836
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        * stress/big-int-out-of-memory-tests.js: Added.
+
 2018-11-20  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-11-21  Caio Lima  <ticaiolima@gmail.com>
+
+        [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
+        https://bugs.webkit.org/show_bug.cgi?id=190836
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        In this patch we are creating a new method called `JSBigInt::createWithLengthUnchecked`
+        where we allocate a BigInt trusting the length received as argument.
+        With this additional method, we now check if length passed to
+        `JSBigInt::tryCreateWithLength` is not greater than JSBigInt::maxLength.
+        When the length is greater than JSBigInt::maxLength, we then throw OOM
+        exception.
+        This required us to change the interface of some JSBigInt operations to
+        receive `ExecState*` instead of `VM&`. We changed only operations that
+        can throw because of OOM.
+        We beleive that this approach of throwing instead of finishing the
+        execution abruptly is better because JS programs can catch such
+        exception and handle this issue properly.
+
+        * dfg/DFGOperations.cpp:
+        * jit/JITOperations.cpp:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/JSBigInt.cpp:
+        (JSC::JSBigInt::createZero):
+        (JSC::JSBigInt::tryCreateWithLength):
+        (JSC::JSBigInt::createWithLengthUnchecked):
+        (JSC::JSBigInt::createFrom):
+        (JSC::JSBigInt::multiply):
+        (JSC::JSBigInt::divide):
+        (JSC::JSBigInt::copy):
+        (JSC::JSBigInt::unaryMinus):
+        (JSC::JSBigInt::remainder):
+        (JSC::JSBigInt::add):
+        (JSC::JSBigInt::sub):
+        (JSC::JSBigInt::bitwiseAnd):
+        (JSC::JSBigInt::bitwiseOr):
+        (JSC::JSBigInt::bitwiseXor):
+        (JSC::JSBigInt::absoluteAdd):
+        (JSC::JSBigInt::absoluteSub):
+        (JSC::JSBigInt::absoluteDivWithDigitDivisor):
+        (JSC::JSBigInt::absoluteDivWithBigIntDivisor):
+        (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy):
+        (JSC::JSBigInt::absoluteBitwiseOp):
+        (JSC::JSBigInt::absoluteAddOne):
+        (JSC::JSBigInt::absoluteSubOne):
+        (JSC::JSBigInt::toStringGeneric):
+        (JSC::JSBigInt::rightTrim):
+        (JSC::JSBigInt::allocateFor):
+        (JSC::JSBigInt::createWithLength): Deleted.
+        * runtime/JSBigInt.h:
+        * runtime/Operations.cpp:
+        (JSC::jsAddSlowCase):
+        * runtime/Operations.h:
+        (JSC::jsSub):
+        (JSC::jsMul):
+
 2018-11-20  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -350 +350 @@
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
         if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseAnd(*vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            JSBigInt* result = JSBigInt::bitwiseAnd(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
             RETURN_IF_EXCEPTION(scope, encodedJSValue());
             return JSValue::encode(result);
@@ -377 +377 @@
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
         if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseOr(*vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            JSBigInt* result = JSBigInt::bitwiseOr(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
             RETURN_IF_EXCEPTION(scope, encodedJSValue());
             return JSValue::encode(result);
@@ -1295 +1295 @@
     JSBigInt* rightOperand = jsCast<JSBigInt*>(op2);
     
-    return JSBigInt::sub(*vm, leftOperand, rightOperand);
+    return JSBigInt::sub(exec, leftOperand, rightOperand);
 }
 
@@ -1306 +1306 @@
     JSBigInt* rightOperand = jsCast<JSBigInt*>(op2);
 
-    return JSBigInt::bitwiseAnd(*vm, leftOperand, rightOperand);
+    return JSBigInt::bitwiseAnd(exec, leftOperand, rightOperand);
 }
 
@@ -1317 +1317 @@
     JSBigInt* rightOperand = jsCast<JSBigInt*>(op2);
     
-    return JSBigInt::add(*vm, leftOperand, rightOperand);
+    return JSBigInt::add(exec, leftOperand, rightOperand);
 }
 
@@ -1328 +1328 @@
     JSBigInt* rightOperand = jsCast<JSBigInt*>(op2);
     
-    return JSBigInt::bitwiseOr(*vm, leftOperand, rightOperand);
+    return JSBigInt::bitwiseOr(exec, leftOperand, rightOperand);
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2767 +2767 @@
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
     
-    if (primValue.isBigInt()) {
-        JSBigInt* result = JSBigInt::unaryMinus(vm, asBigInt(primValue));
-        return JSValue::encode(result);
-    }
+    if (primValue.isBigInt())
+        return JSValue::encode(JSBigInt::unaryMinus(vm, asBigInt(primValue)));
 
     double number = primValue.toNumber(exec);

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -564 +564 @@
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
         if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::sub(vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            JSBigInt* result = JSBigInt::sub(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            CHECK_EXCEPTION();
             RETURN_WITH_PROFILING(result, {
                 updateArithProfileForBinaryArithOp(exec, pc, result, left, right);
@@ -700 +701 @@
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
         if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseAnd(vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            JSBigInt* result = JSBigInt::bitwiseAnd(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
             CHECK_EXCEPTION();
             RETURN_PROFILED(result);
@@ -721 +722 @@
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
         if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseOr(vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            JSBigInt* result = JSBigInt::bitwiseOr(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
             CHECK_EXCEPTION();
             RETURN_PROFILED(result);
@@ -742 +743 @@
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
         if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-            JSBigInt* result = JSBigInt::bitwiseXor(vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            JSBigInt* result = JSBigInt::bitwiseXor(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
             CHECK_EXCEPTION();
             RETURN(result);

trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

@@ -82 +82 @@
 JSBigInt* JSBigInt::createZero(VM& vm)
 {
-    JSBigInt* zeroBigInt = createWithLength(vm, 0);
+    JSBigInt* zeroBigInt = createWithLengthUnchecked(vm, 0);
     return zeroBigInt;
 }
@@ -92 +92 @@
 }
 
-JSBigInt* JSBigInt::createWithLength(VM& vm, unsigned length)
-{
+JSBigInt* JSBigInt::tryCreateWithLength(ExecState* exec, unsigned length)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (UNLIKELY(length > maxLength)) {
+        throwOutOfMemoryError(exec, scope);
+        return nullptr;
+    }
+
+    scope.release();
+
+    return createWithLengthUnchecked(vm, length);
+}
+
+JSBigInt* JSBigInt::createWithLengthUnchecked(VM& vm, unsigned length)
+{
+    ASSERT(length <= maxLength);
     JSBigInt* bigInt = new (NotNull, allocateCell<JSBigInt>(vm.heap, allocationSize(length))) JSBigInt(vm, vm.bigIntStructure.get(), length);
     bigInt->finishCreation(vm);
@@ -104 +120 @@
         return createZero(vm);
     
-    JSBigInt* bigInt = createWithLength(vm, 1);
-    
+    JSBigInt* bigInt = createWithLengthUnchecked(vm, 1);
     if (value < 0) {
         bigInt->setDigit(0, static_cast<Digit>(-1 * static_cast<int64_t>(value)));
@@ -120 +135 @@
         return createZero(vm);
     
-    JSBigInt* bigInt = createWithLength(vm, 1);
+    JSBigInt* bigInt = createWithLengthUnchecked(vm, 1);
     bigInt->setDigit(0, static_cast<Digit>(value));
     return bigInt;
@@ -131 +146 @@
     
     if (sizeof(Digit) == 8) {
-        JSBigInt* bigInt = createWithLength(vm, 1);
-        
+        JSBigInt* bigInt = createWithLengthUnchecked(vm, 1);
         if (value < 0) {
             bigInt->setDigit(0, static_cast<Digit>(static_cast<uint64_t>(-(value + 1)) + 1));
@@ -142 +156 @@
     }
     
-    JSBigInt* bigInt = createWithLength(vm, 2);
-    
+    JSBigInt* bigInt = createWithLengthUnchecked(vm, 2);
     uint64_t tempValue;
     bool sign = false;
@@ -167 +180 @@
         return createZero(vm);
     
-    JSBigInt* bigInt = createWithLength(vm, 1);
+    JSBigInt* bigInt = createWithLengthUnchecked(vm, 1);
     bigInt->setDigit(0, static_cast<Digit>(value));
     return bigInt;
@@ -235 +248 @@
 {
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
 
     if (x->isZero())
@@ -242 +256 @@
 
     unsigned resultLength = x->length() + y->length();
-    JSBigInt* result = JSBigInt::createWithLength(vm, resultLength);
+    JSBigInt* result = JSBigInt::tryCreateWithLength(exec, resultLength);
+    RETURN_IF_EXCEPTION(scope, nullptr);
     result->initialize(InitializationType::WithZero);
 
@@ -278 +293 @@
         Digit remainder;
         absoluteDivWithDigitDivisor(vm, x, divisor, &quotient, remainder);
-    } else
-        absoluteDivWithBigIntDivisor(vm, x, y, &quotient, nullptr);
+    } else {
+        absoluteDivWithBigIntDivisor(exec, x, y, &quotient, nullptr);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+    }
 
     quotient->setSign(resultSign);
@@ -289 +306 @@
     ASSERT(!x->isZero());
 
-    JSBigInt* result = JSBigInt::createWithLength(vm, x->length());
+    JSBigInt* result = JSBigInt::createWithLengthUnchecked(vm, x->length());
     std::copy(x->dataStorage(), x->dataStorage() + x->length(), result->dataStorage());
     result->setSign(x->sign());
@@ -332 +349 @@
             return createZero(vm);
 
-        remainder = createWithLength(vm, 1);
+        remainder = createWithLengthUnchecked(vm, 1);
         remainder->setDigit(0, remainderDigit);
-    } else
-        absoluteDivWithBigIntDivisor(vm, x, y, nullptr, &remainder);
+    } else {
+        absoluteDivWithBigIntDivisor(exec, x, y, nullptr, &remainder);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+    }
 
     remainder->setSign(x->sign());
@@ -341 +360 @@
 }
 
-JSBigInt* JSBigInt::add(VM& vm, JSBigInt* x, JSBigInt* y)
-{
+JSBigInt* JSBigInt::add(ExecState* exec, JSBigInt* x, JSBigInt* y)
+{
+    VM& vm = exec->vm();
     bool xSign = x->sign();
 
@@ -348 +368 @@
     // -x + -y == -(x + y)
     if (xSign == y->sign())
-        return absoluteAdd(vm, x, y, xSign);
+        return absoluteAdd(exec, x, y, xSign);
 
     // x + -y == x - y == -(y - x)
@@ -359 +379 @@
 }
 
-JSBigInt* JSBigInt::sub(VM& vm, JSBigInt* x, JSBigInt* y)
-{
+JSBigInt* JSBigInt::sub(ExecState* exec, JSBigInt* x, JSBigInt* y)
+{
+    VM& vm = exec->vm();
     bool xSign = x->sign();
     if (xSign != y->sign()) {
         // x - (-y) == x + y
         // (-x) - y == -(x + y)
-        return absoluteAdd(vm, x, y, xSign);
+        return absoluteAdd(exec, x, y, xSign);
     }
     // x - y == -(y - x)
@@ -376 +397 @@
 }
 
-JSBigInt* JSBigInt::bitwiseAnd(VM& vm, JSBigInt* x, JSBigInt* y)
-{
-    if (!x->sign() && !y->sign())
+JSBigInt* JSBigInt::bitwiseAnd(ExecState* exec, JSBigInt* x, JSBigInt* y)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (!x->sign() && !y->sign()) {
+        scope.release();
         return absoluteAnd(vm, x, y);
+    }
     
     if (x->sign() && y->sign()) {
@@ -385 +411 @@
         // (-x) & (-y) == ~(x-1) & ~(y-1) == ~((x-1) | (y-1))
         // == -(((x-1) | (y-1)) + 1)
-        JSBigInt* result = absoluteSubOne(vm, x, resultLength);
-        JSBigInt* y1 = absoluteSubOne(vm, y, y->length());
+        JSBigInt* result = absoluteSubOne(exec, x, resultLength);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+
+        JSBigInt* y1 = absoluteSubOne(exec, y, y->length());
+        RETURN_IF_EXCEPTION(scope, nullptr);
         result = absoluteOr(vm, result, y1);
-
-        return absoluteAddOne(vm, result, SignOption::Signed);
+        scope.release();
+        return absoluteAddOne(exec, result, SignOption::Signed);
     }
 
@@ -398 +427 @@
     
     // x & (-y) == x & ~(y-1) == x & ~(y-1)
-    return absoluteAndNot(vm, x, absoluteSubOne(vm, y, y->length()));
-}
-
-JSBigInt* JSBigInt::bitwiseOr(VM& vm, JSBigInt* x, JSBigInt* y)
-{
+    JSBigInt* y1 = absoluteSubOne(exec, y, y->length());
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    return absoluteAndNot(vm, x, y1);
+}
+
+JSBigInt* JSBigInt::bitwiseOr(ExecState* exec, JSBigInt* x, JSBigInt* y)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     unsigned resultLength = std::max(x->length(), y->length());
 
-    if (!x->sign() && !y->sign())
+    if (!x->sign() && !y->sign()) {
+        scope.release();
         return absoluteOr(vm, x, y);
+    }
     
     if (x->sign() && y->sign()) {
         // (-x) | (-y) == ~(x-1) | ~(y-1) == ~((x-1) & (y-1))
         // == -(((x-1) & (y-1)) + 1)
-        JSBigInt* result = absoluteSubOne(vm, x, resultLength);
-        JSBigInt* y1 = absoluteSubOne(vm, y, y->length());
+        JSBigInt* result = absoluteSubOne(exec, x, resultLength);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        JSBigInt* y1 = absoluteSubOne(exec, y, y->length());
+        RETURN_IF_EXCEPTION(scope, nullptr);
         result = absoluteAnd(vm, result, y1);
-        return absoluteAddOne(vm, result, SignOption::Signed);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+
+        scope.release();
+        return absoluteAddOne(exec, result, SignOption::Signed);
     }
     
@@ -424 +465 @@
     
     // x | (-y) == x | ~(y-1) == ~((y-1) &~ x) == -(((y-1) &~ x) + 1)
-    JSBigInt* result = absoluteSubOne(vm, y, resultLength);
+    JSBigInt* result = absoluteSubOne(exec, y, resultLength);
+    RETURN_IF_EXCEPTION(scope, nullptr);
     result = absoluteAndNot(vm, result, x);
-    return absoluteAddOne(vm, result, SignOption::Signed);
-}
-
-JSBigInt* JSBigInt::bitwiseXor(VM& vm, JSBigInt* x, JSBigInt* y)
-{
-    if (!x->sign() && !y->sign())
+
+    scope.release();
+    return absoluteAddOne(exec, result, SignOption::Signed);
+}
+
+JSBigInt* JSBigInt::bitwiseXor(ExecState* exec, JSBigInt* x, JSBigInt* y)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (!x->sign() && !y->sign()) {
+        scope.release();
         return absoluteXor(vm, x, y);
+    }
     
     if (x->sign() && y->sign()) {
@@ -438 +487 @@
         
         // (-x) ^ (-y) == ~(x-1) ^ ~(y-1) == (x-1) ^ (y-1)
-        JSBigInt* result = absoluteSubOne(vm, x, resultLength);
-        JSBigInt* y1 = absoluteSubOne(vm, y, y->length());
+        JSBigInt* result = absoluteSubOne(exec, x, resultLength);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        JSBigInt* y1 = absoluteSubOne(exec, y, y->length());
+        RETURN_IF_EXCEPTION(scope, nullptr);
+
+        scope.release();
         return absoluteXor(vm, result, y1);
     }
@@ -450 +503 @@
     
     // x ^ (-y) == x ^ ~(y-1) == ~(x ^ (y-1)) == -((x ^ (y-1)) + 1)
-    JSBigInt* result = absoluteSubOne(vm, y, resultLength);
+    JSBigInt* result = absoluteSubOne(exec, y, resultLength);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+
     result = absoluteXor(vm, result, x);
-    return absoluteAddOne(vm, result, SignOption::Signed);
+    scope.release();
+    return absoluteAddOne(exec, result, SignOption::Signed);
 }
 
@@ -752 +808 @@
 }
 
-JSBigInt* JSBigInt::absoluteAdd(VM& vm, JSBigInt* x, JSBigInt* y, bool resultSign)
-{
+JSBigInt* JSBigInt::absoluteAdd(ExecState* exec, JSBigInt* x, JSBigInt* y, bool resultSign)
+{
+    VM& vm = exec->vm();
+
     if (x->length() < y->length())
-        return absoluteAdd(vm, y, x, resultSign);
+        return absoluteAdd(exec, y, x, resultSign);
 
     if (x->isZero()) {
@@ -765 +823 @@
         return resultSign == x->sign() ? x : unaryMinus(vm, x);
 
-    JSBigInt* result = JSBigInt::createWithLength(vm, x->length() + 1);
-    ASSERT(result);
+    JSBigInt* result = JSBigInt::tryCreateWithLength(exec, x->length() + 1);
+    if (!result)
+        return nullptr;
     Digit carry = 0;
     unsigned i = 0;
@@ -807 +866 @@
         return JSBigInt::createZero(vm);
 
-    JSBigInt* result = JSBigInt::createWithLength(vm, x->length());
+    JSBigInt* result = JSBigInt::createWithLengthUnchecked(vm, x->length());
+
     Digit borrow = 0;
     unsigned i = 0;
@@ -852 +912 @@
     if (quotient != nullptr) {
         if (*quotient == nullptr)
-            *quotient = JSBigInt::createWithLength(vm, length);
+            *quotient = JSBigInt::createWithLengthUnchecked(vm, length);
 
         for (int i = length - 1; i >= 0; i--) {
@@ -870 +930 @@
 // interested in one of them.
 // See Knuth, Volume 2, section 4.3.1, Algorithm D.
-void JSBigInt::absoluteDivWithBigIntDivisor(VM& vm, JSBigInt* dividend, JSBigInt* divisor, JSBigInt** quotient, JSBigInt** remainder)
+void JSBigInt::absoluteDivWithBigIntDivisor(ExecState* exec, JSBigInt* dividend, JSBigInt* divisor, JSBigInt** quotient, JSBigInt** remainder)
 {
     ASSERT(divisor->length() >= 2);
     ASSERT(dividend->length() >= divisor->length());
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
 
     // The unusual variable names inside this function are consistent with
@@ -885 +947 @@
     JSBigInt* q = nullptr;
     if (quotient != nullptr)
-        q = createWithLength(vm, m + 1);
+        q = createWithLengthUnchecked(exec->vm(), m + 1);
     
     // In each iteration, {qhatv} holds {divisor} * {current quotient digit}.
     // "v" is the book's name for {divisor}, "qhat" the current quotient digit.
-    JSBigInt* qhatv = createWithLength(vm, n + 1);
+    JSBigInt* qhatv = tryCreateWithLength(exec, n + 1);
+    RETURN_IF_EXCEPTION(scope, void());
     
     // D1.
@@ -899 +962 @@
     unsigned shift = sizeof(lastDigit) == 8 ? clz64(lastDigit) : clz32(lastDigit);
 
-    if (shift > 0)
-        divisor = absoluteLeftShiftAlwaysCopy(vm, divisor, shift, LeftShiftMode::SameSizeResult);
+    if (shift > 0) {
+        divisor = absoluteLeftShiftAlwaysCopy(exec, divisor, shift, LeftShiftMode::SameSizeResult);
+        RETURN_IF_EXCEPTION(scope, void());
+    }
 
     // Holds the (continuously updated) remaining part of the dividend, which
     // eventually becomes the remainder.
-    JSBigInt* u = absoluteLeftShiftAlwaysCopy(vm, dividend, shift, LeftShiftMode::AlwaysAddOneDigit);
+    JSBigInt* u = absoluteLeftShiftAlwaysCopy(exec, dividend, shift, LeftShiftMode::AlwaysAddOneDigit);
+    RETURN_IF_EXCEPTION(scope, void());
 
     // D2.
@@ -1032 +1098 @@
 
 // Always copies the input, even when {shift} == 0.
-JSBigInt* JSBigInt::absoluteLeftShiftAlwaysCopy(VM& vm, JSBigInt* x, unsigned shift, LeftShiftMode mode)
+JSBigInt* JSBigInt::absoluteLeftShiftAlwaysCopy(ExecState* exec, JSBigInt* x, unsigned shift, LeftShiftMode mode)
 {
     ASSERT(shift < digitBits);
@@ -1039 +1105 @@
     unsigned n = x->length();
     unsigned resultLength = mode == LeftShiftMode::AlwaysAddOneDigit ? n + 1 : n;
-    JSBigInt* result = createWithLength(vm, resultLength);
+    JSBigInt* result = tryCreateWithLength(exec, resultLength);
+    if (!result)
+        return nullptr;
 
     if (!shift) {
@@ -1096 +1164 @@
     ASSERT(numPairs == std::min(xLength, yLength));
     unsigned resultLength = extraDigits == ExtraDigitsHandling::Copy ? xLength : numPairs;
-    JSBigInt* result = createWithLength(vm, resultLength);
-
+    JSBigInt* result = createWithLengthUnchecked(vm, resultLength);
     unsigned i = 0;
     for (; i < numPairs; i++)
@@ -1145 +1212 @@
 }
     
-JSBigInt* JSBigInt::absoluteAddOne(VM& vm, JSBigInt* x, SignOption signOption)
+JSBigInt* JSBigInt::absoluteAddOne(ExecState* exec, JSBigInt* x, SignOption signOption)
 {
     unsigned inputLength = x->length();
@@ -1159 +1226 @@
 
     unsigned resultLength = inputLength + willOverflow;
-    JSBigInt* result = createWithLength(vm, resultLength);
+    JSBigInt* result = tryCreateWithLength(exec, resultLength);
+    if (!result)
+        return nullptr;
 
     Digit carry = 1;
@@ -1173 +1242 @@
 
     result->setSign(signOption == SignOption::Signed);
-    return result->rightTrim(vm);
-}
-
-// Like the above, but you can specify that the allocated result should have
-// length {resultLength}, which must be at least as large as {x->length()}.
-JSBigInt* JSBigInt::absoluteSubOne(VM& vm, JSBigInt* x, unsigned resultLength)
+    return result->rightTrim(exec->vm());
+}
+
+JSBigInt* JSBigInt::absoluteSubOne(ExecState* exec, JSBigInt* x, unsigned resultLength)
 {
     ASSERT(!x->isZero());
     ASSERT(resultLength >= x->length());
-    JSBigInt* result = createWithLength(vm, resultLength);
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSBigInt* result = tryCreateWithLength(exec, resultLength);
+    RETURN_IF_EXCEPTION(scope, nullptr);
 
     unsigned length = x->length();
@@ -1355 +1426 @@
             Digit chunk;
             absoluteDivWithDigitDivisor(vm, *dividend, chunkDivisor, &rest, chunk);
-            ASSERT(rest);
-
             dividend = &rest;
             for (unsigned i = 0; i < chunkChars; i++) {
@@ -1415 +1484 @@
 
     unsigned newLength = nonZeroIndex + 1;
-    JSBigInt* trimmedBigInt = createWithLength(vm, newLength);
-    RELEASE_ASSERT(trimmedBigInt);
+    JSBigInt* trimmedBigInt = createWithLengthUnchecked(vm, newLength);
     std::copy(dataStorage(), dataStorage() + newLength, trimmedBigInt->dataStorage()); 
 
@@ -1440 +1508 @@
             unsigned length = (bitsMin + digitBits - 1) / digitBits;
             if (length <= maxLength) {
-                JSBigInt* result = JSBigInt::createWithLength(vm, length);
+                JSBigInt* result = JSBigInt::createWithLengthUnchecked(vm, length);
                 return result;
             }

trunk/Source/JavaScriptCore/runtime/JSBigInt.h

@@ -52 +52 @@
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
     static JSBigInt* createZero(VM&);
-    static JSBigInt* createWithLength(VM&, unsigned length);
+    static JSBigInt* tryCreateWithLength(ExecState*, unsigned length);
+    static JSBigInt* createWithLengthUnchecked(VM&, unsigned length);
 
     static JSBigInt* createFrom(VM&, int32_t value);
@@ -109 +110 @@
     ComparisonResult static compareToDouble(JSBigInt* x, double y);
 
-    static JSBigInt* add(VM&, JSBigInt* x, JSBigInt* y);
-    static JSBigInt* sub(VM&, JSBigInt* x, JSBigInt* y);
+    static JSBigInt* add(ExecState*, JSBigInt* x, JSBigInt* y);
+    static JSBigInt* sub(ExecState*, JSBigInt* x, JSBigInt* y);
     static JSBigInt* divide(ExecState*, JSBigInt* x, JSBigInt* y);
     static JSBigInt* remainder(ExecState*, JSBigInt* x, JSBigInt* y);
     static JSBigInt* unaryMinus(VM&, JSBigInt* x);
 
-    static JSBigInt* bitwiseAnd(VM&, JSBigInt* x, JSBigInt* y);
-    static JSBigInt* bitwiseOr(VM&, JSBigInt* x, JSBigInt* y);
-    static JSBigInt* bitwiseXor(VM&, JSBigInt* x, JSBigInt* y);
+    static JSBigInt* bitwiseAnd(ExecState*, JSBigInt* x, JSBigInt* y);
+    static JSBigInt* bitwiseOr(ExecState*, JSBigInt* x, JSBigInt* y);
+    static JSBigInt* bitwiseXor(ExecState*, JSBigInt* x, JSBigInt* y);
 
 private:
@@ -140 +141 @@
     static void internalMultiplyAdd(JSBigInt* source, Digit factor, Digit summand, unsigned, JSBigInt* result);
     static void multiplyAccumulate(JSBigInt* multiplicand, Digit multiplier, JSBigInt* accumulator, unsigned accumulatorIndex);
-    static void absoluteDivWithBigIntDivisor(VM&, JSBigInt* dividend, JSBigInt* divisor, JSBigInt** quotient, JSBigInt** remainder);
+    static void absoluteDivWithBigIntDivisor(ExecState*, JSBigInt* dividend, JSBigInt* divisor, JSBigInt** quotient, JSBigInt** remainder);
     
     enum class LeftShiftMode {
@@ -147 +148 @@
     };
     
-    static JSBigInt* absoluteLeftShiftAlwaysCopy(VM&, JSBigInt* x, unsigned shift, LeftShiftMode);
+    static JSBigInt* absoluteLeftShiftAlwaysCopy(ExecState*, JSBigInt* x, unsigned shift, LeftShiftMode);
     static bool productGreaterThan(Digit factor1, Digit factor2, Digit high, Digit low);
 
@@ -177 +178 @@
     };
 
-    static JSBigInt* absoluteAddOne(VM&, JSBigInt* x, SignOption);
-    static JSBigInt* absoluteSubOne(VM&, JSBigInt* x, unsigned resultLength);
+    static JSBigInt* absoluteAddOne(ExecState*, JSBigInt* x, SignOption);
+    static JSBigInt* absoluteSubOne(ExecState*, JSBigInt* x, unsigned resultLength);
 
     // Digit arithmetic helpers.
@@ -204 +205 @@
 
     void inplaceMultiplyAdd(Digit multiplier, Digit part);
-    static JSBigInt* absoluteAdd(VM&, JSBigInt* x, JSBigInt* y, bool resultSign);
+    static JSBigInt* absoluteAdd(ExecState*, JSBigInt* x, JSBigInt* y, bool resultSign);
     static JSBigInt* absoluteSub(VM&, JSBigInt* x, JSBigInt* y, bool resultSign);
     

trunk/Source/JavaScriptCore/runtime/Operations.cpp

@@ -70 +70 @@
 
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric))
-            return JSBigInt::add(vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
+            scope.release();
+            return JSBigInt::add(callFrame, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+        }
 
         return throwTypeError(callFrame, scope, "Invalid mix of BigInt and other type in addition."_s);

trunk/Source/JavaScriptCore/runtime/Operations.h

@@ -349 +349 @@
 
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric))
-            return JSBigInt::sub(vm, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
+            scope.release();
+            return JSBigInt::sub(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+        }
 
         return throwTypeError(exec, scope, "Invalid mix of BigInt and other type in subtraction."_s);
@@ -369 +371 @@
 
     if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
-        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric))
+        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
+            scope.release();
             return JSBigInt::multiply(state, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+        }
 
         throwTypeError(state, scope, "Invalid mix of BigInt and other type in multiplication."_s);