Title: [278434] trunk
Revision
278434
Author
ysuz...@apple.com
Date
2021-06-03 17:19:11 -0700 (Thu, 03 Jun 2021)

Log Message

[JSC] Make $vm's accessor test functions robust against primitive |this|
https://bugs.webkit.org/show_bug.cgi?id=226591

Reviewed by Saam Barati.

JSTests:

* stress/test-static-accessor-on-primitive.js: Added.
(shouldThrow):

Source/_javascript_Core:

These functions exist for testing purposes only, and they are not robust against a primitive being passed as |this|.
This patch makes them robust so that we throw an error instead of crashing.

* tools/JSDollarVM.cpp:

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (278433 => 278434)


--- trunk/JSTests/ChangeLog	2021-06-04 00:14:52 UTC (rev 278433)
+++ trunk/JSTests/ChangeLog	2021-06-04 00:19:11 UTC (rev 278434)
@@ -1,3 +1,13 @@
+2021-06-03  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Make $vm's accessor test functions robust against primitive |this|
+        https://bugs.webkit.org/show_bug.cgi?id=226591
+
+        Reviewed by Saam Barati.
+
+        * stress/test-static-accessor-on-primitive.js: Added.
+        (shouldThrow):
+
 2021-05-28  Robin Morisset  <rmoris...@apple.com>
 
         Fix LikelyDenseUnsignedIntegerSet::clear()

Added: trunk/JSTests/stress/test-static-accessor-on-primitive.js (0 => 278434)


--- trunk/JSTests/stress/test-static-accessor-on-primitive.js	                        (rev 0)
+++ trunk/JSTests/stress/test-static-accessor-on-primitive.js	2021-06-04 00:19:11 UTC (rev 278434)
@@ -0,0 +1,20 @@
+function shouldThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (!errorThrown)
+        throw new Error('not thrown');
+    if (String(error) !== errorMessage)
+        throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldThrow(() => {
+    Object.setPrototypeOf(Number.prototype, $vm.createStaticCustomAccessor());
+    let z = 0;
+    z.testStaticAccessor;
+}, `TypeError: Type error`);
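Review bot: Only the getter reached through `z.testStaticAccessor` is exercised here, while the same commit changes seven functions in JSDollarVM.cpp, including two setters and the DOMJIT getters. A regression in any of the others would reintroduce the crash without failing this test, so each patched accessor should get its own `shouldThrow` case with a primitive receiver. The callback also leaves the prototype of `Number.prototype` replaced after it returns; a comment such as `// Leaves Number.prototype modified; keep further cases independent of it.` would warn anyone who appends to this file.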

Modified: trunk/Source/_javascript_Core/ChangeLog (278433 => 278434)


--- trunk/Source/_javascript_Core/ChangeLog	2021-06-04 00:14:52 UTC (rev 278433)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-06-04 00:19:11 UTC (rev 278434)
@@ -1,3 +1,15 @@
+2021-06-03  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Make $vm's accessor test functions robust against primitive |this|
+        https://bugs.webkit.org/show_bug.cgi?id=226591
+
+        Reviewed by Saam Barati.
+
+        These functions are testing-purpose, and they are not robust against passing primitive as |this|.
+        This patch makes them robust so that we throw an error instead of crash.
+
+        * tools/JSDollarVM.cpp:
+
 2021-06-03  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, reverting r278356.

Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (278433 => 278434)


--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2021-06-04 00:14:52 UTC (rev 278433)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2021-06-04 00:19:11 UTC (rev 278434)
@@ -702,9 +702,11 @@
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     
     JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
-    RELEASE_ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
 
     if (JSValue result = thisObject->getDirect(vm, PropertyName(Identifier::fromString(vm, "testField"))))
         return JSValue::encode(result);
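Review bot: The new `if (!thisObject)` check has no comment saying why a non-object receiver can reach a custom accessor, and that is not obvious from this function alone. The added stress test shows one way it happens: an accessor object is installed on the prototype chain of `Number.prototype`, so a property read on a number calls the getter with a primitive |this|. I would put `// |this| is a primitive when the accessor is reached through a primitive's prototype chain.` above the check, here and in the other patched functions. The signature and the tail of this function after `getDirect` are outside the hunk.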
@@ -715,9 +717,11 @@
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     
     JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
-    RELEASE_ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
 
     return thisObject->putDirect(vm, PropertyName(Identifier::fromString(vm, "testField")), JSValue::decode(value));
 }
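Review bot: `return throwVMTypeError(globalObject, scope);` sits in a function whose other return hands back the result of `putDirect`, which suggests a `bool`-returning setter (the signature is outside the hunk). If so, the encoded value that `throwVMTypeError` returns is implicitly converted to `bool`, and the failure result depends on how the empty value happens to be encoded. Writing it out is clearer and does not rely on that: `throwTypeError(globalObject, scope);` followed by `return false;`. The setter in the `@@ -785,9 +789,11 @@` hunk has the same pattern.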
@@ -785,9 +789,11 @@
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     
     JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
-    RELEASE_ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
 
     return thisObject->putDirect(vm, PropertyName(Identifier::fromString(vm, "testStaticValue")), JSValue::decode(value));
 }
@@ -1027,8 +1033,10 @@
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     DOMJITNode* thisObject = jsDynamicCast<DOMJITNode*>(vm, JSValue::decode(thisValue));
-    ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
     return JSValue::encode(jsNumber(thisObject->value()));
 }
 
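Review bot: The bare `throwVMTypeError(globalObject, scope)` after the failed `jsDynamicCast<DOMJITNode*>` reports only `Type error`, as the expected string in the new stress test shows, so a failing test gives no hint which receiver type was required. Passing a message would make this diagnosable, for example `return throwVMTypeError(globalObject, scope, "receiver is not a DOMJITNode"_s);`. The hunks at `@@ -1125,8 +1133,10 @@` and `@@ -1230,7 +1240,8 @@` use the same message-less call and would benefit from the same change. Any test that matches on the exact error string would need its expectation updated along with it.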
@@ -1125,8 +1133,10 @@
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     DOMJITNode* thisObject = jsDynamicCast<DOMJITNode*>(vm, JSValue::decode(thisValue));
-    ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
     return JSValue::encode(jsNumber(thisObject->value()));
 }
 
@@ -1230,7 +1240,8 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     auto* thisObject = jsDynamicCast<DOMJITGetterComplex*>(vm, JSValue::decode(thisValue));
-    ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
     if (thisObject->m_enableException)
         return JSValue::encode(throwException(globalObject, scope, createError(globalObject, "DOMJITGetterComplex slow call exception"_s)));
     return JSValue::encode(jsNumber(thisObject->value()));
@@ -1489,8 +1500,10 @@
 {
     DollarVMAssertScope assertScope;
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
-    RELEASE_ASSERT(thisObject);
+    if (!thisObject)
+        return throwVMTypeError(globalObject, scope);
     return JSValue::encode(thisObject->getPrototypeDirect(vm));
 }
 