Title: [252767] trunk/Source/_javascript_Core
Revision: 252767
Author: mark....@apple.com
Date: 2019-11-22 03:32:43 -0800 (Fri, 22 Nov 2019)

Log Message

Fix missing exception check in replaceUsingStringSearch().
https://bugs.webkit.org/show_bug.cgi?id=204496

Reviewed by Yusuke Suzuki.

The CachedCall constructor can throw OutOfMemory or StackOverflow errors.
This was caught by existing JSC stress tests when we run with a debug build.

Also placate the exception check validator in $vm's functionCallWithStackSize().

* runtime/StringPrototype.cpp:
(JSC::replaceUsingStringSearch):
* tools/JSDollarVM.cpp:
(JSC::functionCallWithStackSize):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (252766 => 252767)


--- trunk/Source/_javascript_Core/ChangeLog	2019-11-22 09:39:04 UTC (rev 252766)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-11-22 11:32:43 UTC (rev 252767)
@@ -1,3 +1,20 @@
+2019-11-22  Mark Lam  <mark....@apple.com>
+
+        Fix missing exception check in replaceUsingStringSearch().
+        https://bugs.webkit.org/show_bug.cgi?id=204496
+
+        Reviewed by Yusuke Suzuki.
+
+        The CachedCall constructor can throw OutOfMemory or StackOverflow errors.
+        This was caught by existing JSC stress tests when we run with a debug build.
+
+        Also placate the exception check validator in $vm's functionCallWithStackSize().
+
+        * runtime/StringPrototype.cpp:
+        (JSC::replaceUsingStringSearch):
+        * tools/JSDollarVM.cpp:
+        (JSC::functionCallWithStackSize):
+
 2019-11-21  Mark Lam  <mark....@apple.com>
 
         replaceUsingStringSearch() should not use CachedCall with host functions.

Modified: trunk/Source/_javascript_Core/runtime/StringPrototype.cpp (252766 => 252767)


--- trunk/Source/_javascript_Core/runtime/StringPrototype.cpp	2019-11-22 09:39:04 UTC (rev 252766)
+++ trunk/Source/_javascript_Core/runtime/StringPrototype.cpp	2019-11-22 11:32:43 UTC (rev 252767)
@@ -795,6 +795,7 @@
         RETURN_IF_EXCEPTION(scope, nullptr);
     } else if (callType == CallType::JS) {
         cachedCall.emplace(globalObject, callFrame, jsCast<JSFunction*>(replaceValue), 3);
+        RETURN_IF_EXCEPTION(scope, nullptr);
         cachedCall->setThis(jsUndefined());
     }
 
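Review bot: the new RETURN_IF_EXCEPTION(scope, nullptr) is placed between cachedCall.emplace(...) and cachedCall->setThis(jsUndefined()), which is the right spot: if the CachedCall constructor throws (OutOfMemory or StackOverflow, per the log), the function now returns before touching the partially constructed call instead of continuing with a pending exception. One documentation point: the log says the bug was caught only by existing JSC stress tests under a debug build, so consider naming that test in the ChangeLog entry so the regression stays reproducible for anyone revisiting this path.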

Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (252766 => 252767)


--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2019-11-22 09:39:04 UTC (rev 252766)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2019-11-22 11:32:43 UTC (rev 252767)
@@ -2102,6 +2102,7 @@
     RELEASE_ASSERT(vm.softStackLimit() == originalVMSoftStackLimit);
     RELEASE_ASSERT(vm.stackLimit() == originalVMStackLimit);
 
+    throwScope.release();
     return encodedJSUndefined();
 
 #else // not ENABLE(MASM_PROBE)
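Review bot: throwScope.release() just before return encodedJSUndefined() tells the exception check validator that this scope has nothing left to verify, but it does not itself check for a pending exception; that is only correct if the call issued earlier in functionCallWithStackSize() was already checked, or if callers of this $vm helper are expected to pick up any exception themselves. The ChangeLog only says "placate", so add a one-line comment above the release() stating which of those holds, otherwise the next reader may take it for a missed RETURN_IF_EXCEPTION rather than a deliberate hand-off.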
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes