Changeset 242500 in webkit

Timestamp:

Mar 5, 2019 1:20:33 PM (5 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Should check exception for JSString::toExistingAtomicString
​https://bugs.webkit.org/show_bug.cgi?id=195337

Reviewed by Keith Miller, Saam Barati, and Mark Lam.

We missed the exception check for JSString::toExistingAtomicString while it can resolve
a rope and throw an OOM exception. This patch adds necessary exception checks. This patch
fixes test failures in debug build, reported in ​https://bugs.webkit.org/show_bug.cgi?id=194375#c93.

• dfg/DFGOperations.cpp:
• jit/JITOperations.cpp:

(JSC::getByVal):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::getByVal):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (3 diffs)
• jit/JITOperations.cpp (modified) (1 diff)
• llint/LLIntSlowPaths.cpp (modified) (1 diff)
• runtime/CommonSlowPaths.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-03-05  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Should check exception for JSString::toExistingAtomicString
+        https://bugs.webkit.org/show_bug.cgi?id=195337
+
+        Reviewed by Keith Miller, Saam Barati, and Mark Lam.
+
+        We missed the exception check for JSString::toExistingAtomicString while it can resolve
+        a rope and throw an OOM exception. This patch adds necessary exception checks. This patch
+        fixes test failures in debug build, reported in https://bugs.webkit.org/show_bug.cgi?id=194375#c93.
+
+        * dfg/DFGOperations.cpp:
+        * jit/JITOperations.cpp:
+        (JSC::getByVal):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::getByVal):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -690 +690 @@
             Structure& structure = *base->structure(vm);
             if (JSCell::canUseFastGetOwnProperty(structure)) {
-                if (RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec)) {
+                RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+                if (existingAtomicString) {
                     if (JSValue result = base->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                         return JSValue::encode(result);
@@ -725 +727 @@
         Structure& structure = *base->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(property)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            if (existingAtomicString) {
                 if (JSValue result = base->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return JSValue::encode(result);
@@ -1446 +1450 @@
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return JSValue::encode(result);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1807 +1807 @@
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, JSValue());
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get())) {
                     ASSERT(exec->bytecodeOffset());

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -943 +943 @@
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            RETURN_IF_EXCEPTION(scope, JSValue());
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return result;

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -1126 +1126 @@
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
-            if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+            RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec);
+            CHECK_EXCEPTION();
+            if (existingAtomicString) {
                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     RETURN_PROFILED(result);