Changeset 33566 in webkit


Timestamp:
May 18, 2008 5:36:04 PM (16 years ago)
Author:
oliver@apple.com
Message:

Bug 18752: SQUIRRELFISH: exceptions are not always handled by the vm
<https://bugs.webkit.org/show_bug.cgi?id=18752>

Reviewed by Maciej

Handle exceptions thrown by toString conversion in subscript operators,
this should basically complete exception handling in SquirrelFish.

Sunspider reports no regression.

Location:
branches/squirrelfish
Files:
3 added
3 edited

  • branches/squirrelfish/JavaScriptCore/ChangeLog

    r33563 r33566  
     12008-05-18  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Maciej.
     4
     5        Bug 18752: SQUIRRELFISH: exceptions are not always handled by the vm
     6        <https://bugs.webkit.org/show_bug.cgi?id=18752>
     7
     8        Handle exceptions thrown by toString conversion in subscript operators,
     9        this should basically complete exception handling in SquirrelFish.
     10
     11        Sunspider reports no regression.
     12
     13        * VM/Machine.cpp:
     14        (KJS::Machine::privateExecute):
     15
    1162008-05-17  Geoffrey Garen  <ggaren@apple.com>
    217
  • branches/squirrelfish/JavaScriptCore/VM/Machine.cpp

    r33563 r33566  
    13871387        if (propName->getUInt32(i))
    13881388            r[dst].u.jsValue = jsBoolean(baseObj->hasProperty(exec, i));
    1389         else
    1390             r[dst].u.jsValue = jsBoolean(baseObj->hasProperty(exec, Identifier(propName->toString(exec))));
     1389        else {
     1390            Identifier property(propName->toString(exec));
     1391            VM_CHECK_EXCEPTION();
     1392            r[dst].u.jsValue = jsBoolean(baseObj->hasProperty(exec, property));
     1393        }
    13911394
    13921395        ++vPC;
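Review bot: The new VM_CHECK_EXCEPTION() at 1391 is the only thing stopping hasProperty() from running after propName->toString(exec) has thrown, yet it carries no comment, unlike the equivalent checks added at 1560 and 1599. Add a one-line comment saying that hasProperty must not be reached with a pending exception, so a later cleanup does not fold the Identifier back into the call expression and silently drop the check.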
     
    15481551            result = baseObj->get(exec, i);
    15491552        else {
    1550             VM_CHECK_EXCEPTION(); // If toObject threw, we must not call toString, which may execute arbitrary code
    1551             result = baseObj->get(exec, Identifier(subscript->toString(exec)));
     1553            Identifier property;
     1554            if (subscript->isObject()) {
     1555                VM_CHECK_EXCEPTION(); // If toObject threw, we must not call toString, which may execute arbitrary code
     1556                property = Identifier(subscript->toString(exec));
     1557            } else
     1558                property = Identifier(subscript->toString(exec));
     1559
     1560            VM_CHECK_EXCEPTION(); // This check is needed to prevent us from incorrectly calling a getter after an exception is thrown
     1561            result = baseObj->get(exec, property);
    15521562        }
    15531563       
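Review bot: At 1554-1558 both arms of the isObject() test perform the same assignment, property = Identifier(subscript->toString(exec)), so the branch exists only to decide whether the first VM_CHECK_EXCEPTION() runs. Hoist the assignment out of the if/else so the conversion appears once. The removed line 1550 ran that check unconditionally, and the comment kept at 1555 does not explain the new isObject() condition; extend it to say why the check may be deferred to 1560 when subscript is not an object.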
     
    15801590            baseObj->put(exec, i, r[value].u.jsValue);
    15811591        else {
    1582             VM_CHECK_EXCEPTION(); // If toObject threw, we must not call toString, which may execute arbitrary code
    1583             baseObj->put(exec, Identifier(subscript->toString(exec)), r[value].u.jsValue);
     1592            Identifier property;
     1593            if (subscript->isObject()) {
     1594                VM_CHECK_EXCEPTION(); // If toObject threw, we must not call toString, which may execute arbitrary code
     1595                property = Identifier(subscript->toString(exec));
     1596            } else
     1597                property = Identifier(subscript->toString(exec));
     1598
     1599            VM_CHECK_EXCEPTION(); // This check is needed to prevent us from incorrectly calling a setter after an exception is thrown
     1600            baseObj->put(exec, property, r[value].u.jsValue);
    15841601        }
    15851602       
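Review bot: Lines 1592-1599 repeat the sequence added at 1553-1560 for the get path, differing only in "getter" versus "setter" in the final comment. Two hand-maintained copies of an exception-ordering sequence are easy to let drift apart; consider one shared helper or macro that converts the subscript to an Identifier and performs both checks, and use it in both places.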
     
    16091626        else {
    16101627            VM_CHECK_EXCEPTION(); // If toObject threw, we must not call toString, which may execute arbitrary code
    1611             result = jsBoolean(baseObj->deleteProperty(exec, Identifier(subscript->toString(exec))));
     1628            Identifier property(subscript->toString(exec));
     1629            VM_CHECK_EXCEPTION();
     1630            result = jsBoolean(baseObj->deleteProperty(exec, property));
    16121631        }
    16131632       
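Review bot: The pre-toString check at 1627 stays unconditional here, while the get and put paths in this same change now run it only when subscript->isObject(). The subscript paths should agree, or a comment should say why deleteProperty differs. The added check at 1629 also lacks the explanatory comment its counterparts at 1560 and 1599 have.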
  • branches/squirrelfish/LayoutTests/ChangeLog

    r33562 r33566  
     12008-05-18  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Maciej.
     4
     5        Bug 18752: SQUIRRELFISH: exceptions are not always handled by the vm
     6        <https://bugs.webkit.org/show_bug.cgi?id=18752>
     7
     8        Test cases for subscript access that throw exceptions.
     9
     10        * fast/js/resources/tostring-exception-in-property-access.js: Added.
     11        * fast/js/tostring-exception-in-property-access-expected.txt: Added.
     12        * fast/js/tostring-exception-in-property-access.html: Added.
     13
    1142008-05-17  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
    215
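Review bot: The description at line 8 says only "subscript access that throw exceptions", while the Machine.cpp change touches four separate paths: hasProperty, get, put and deleteProperty. Name in the entry which operators the new test exercises, and confirm each of the four paths has a case where toString throws, so that a regression in any one of the added checks is caught.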