Changeset 244136 in webkit

Timestamp:

Apr 10, 2019 11:05:00 AM (5 years ago)

Author:

rmorisset@apple.com

Message:

We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
​https://bugs.webkit.org/show_bug.cgi?id=196746

JSTests:

Reviewed by Yusuke Suzuki.

• stress/cyclic-define-properties.js: Added.

(foo):

Source/JavaScriptCore:

Reviewed by Yusuke Suzuki..

It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.

• runtime/ObjectConstructor.cpp:

(JSC::defineProperties):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/cyclic-define-properties.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-04-10  Robin Morisset  <rmorisset@apple.com>
+
+        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=196746
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/cyclic-define-properties.js: Added.
+        (foo):
+
 2019-04-09  Saam barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-04-10  Robin Morisset  <rmorisset@apple.com>
+
+        We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=196746
+
+        Reviewed by Yusuke Suzuki..
+
+        It should be safe as in that case we are not completing the operation, and so not going to have any buffer overflow.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::defineProperties):
+
 2019-04-10  Antoine Quint  <graouts@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -607 +607 @@
     Vector<PropertyDescriptor> descriptors;
     MarkedArgumentBuffer markBuffer;
+#define RETURN_IF_EXCEPTION_CLEARING_OVERFLOW(value) do { \
+    if (scope.exception()) { \
+        markBuffer.overflowCheckNotNeeded(); \
+        return value; \
+    } \
+} while (false)
     for (size_t i = 0; i < numProperties; i++) {
         JSValue prop = properties->get(exec, propertyNames[i]);
-        RETURN_IF_EXCEPTION(scope, { });
+        RETURN_IF_EXCEPTION_CLEARING_OVERFLOW({ });
         PropertyDescriptor descriptor;
-        bool success = toPropertyDescriptor(exec, prop, descriptor);
-        EXCEPTION_ASSERT(!scope.exception() || !success);
-        if (UNLIKELY(!success)) {
-            markBuffer.overflowCheckNotNeeded();
-            return jsNull();
-        }
+        toPropertyDescriptor(exec, prop, descriptor);
+        RETURN_IF_EXCEPTION_CLEARING_OVERFLOW({ });
         descriptors.append(descriptor);
         // Ensure we mark all the values that we're accumulating
@@ -629 +631 @@
     }
     RELEASE_ASSERT(!markBuffer.hasOverflowed());
+#undef RETURN_IF_EXCEPTION_CLEARING_OVERFLOW
     for (size_t i = 0; i < numProperties; i++) {
         auto& propertyName = propertyNames[i];