Attachment 369392 Details for Bug 197693 – Patch

[patch] Patch

bug-197693-20190508185048.patch (text/plain), 3.53 KB, created by Tadeu Zagallo on 2019-05-08 09:50:58 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Tadeu Zagallo

Created: 2019-05-08 09:50:58 PDT

Size: 3.53 KB

patch

obsolete

>Subversion Revision: 244956
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 7d960395584de6aa830c033c9f0c21d4162c62f6..38bdce8b06d5c011ea148b76f97f4239106d83f9 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,17 @@
>+2019-05-08  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        JSObject::getOwnPropertyDescriptor is missing an exception check
>+        https://bugs.webkit.org/show_bug.cgi?id=197693
>+        <rdar://problem/50441784>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        The method table call to getOwnPropertySlot might throw, and JSObject::getOwnPropertyDescriptor
>+        must handle the exception before calling PropertySlot::getValue, which can also throw.
>+
>+        * runtime/JSObject.cpp:
>+        (JSC::JSObject::getOwnPropertyDescriptor):
>+
> 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
> 
>         TypedArrays should not store properties that are canonical numeric indices
>diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
>index 8d3a0e703cd7da017e7044b45bf0c1bb4e8119fe..6e3b914f4c3c328ec7a18fa09a6c9c8e7b4c16bc 100644
>--- a/Source/JavaScriptCore/runtime/JSObject.cpp
>+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
>@@ -3441,8 +3441,12 @@ static JSCustomGetterSetterFunction* getCustomGetterSetterFunctionForGetterSette
> bool JSObject::getOwnPropertyDescriptor(ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
> {
>     VM& vm = exec->vm();
>+    auto scope = DECLARE_THROW_SCOPE(vm);
>     JSC::PropertySlot slot(this, PropertySlot::InternalMethodType::GetOwnProperty);
>-    if (!methodTable(vm)->getOwnPropertySlot(this, exec, propertyName, slot))
>+
>+    bool result = methodTable(vm)->getOwnPropertySlot(this, exec, propertyName, slot);
>+    ASSERT(!scope.exception() || !result);
>+    if (!result)
>         return false;
> 
>     // DebuggerScope::getOwnPropertySlot() (and possibly others) may return attributes from the prototype chain
>@@ -3490,7 +3494,7 @@ bool JSObject::getOwnPropertyDescriptor(ExecState* exec, PropertyName propertyNa
>             descriptor.setSetter(getCustomGetterSetterFunctionForGetterSetter(exec, propertyName, getterSetter, JSCustomGetterSetterFunction::Type::Setter));
>     } else
>         descriptor.setDescriptor(slot.getValue(exec, propertyName), slot.attributes());
>-    return true;
>+    RELEASE_AND_RETURN(scope, true);
> }
> 
> static bool putDescriptor(ExecState* exec, JSObject* target, PropertyName propertyName, const PropertyDescriptor& descriptor, unsigned attributes, const PropertyDescriptor& oldDescriptor)
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index c2316a6960e6628407f9cdb7dc3efee2b59cc899..32c2c923ddf37b6f28e25a7f29c01171261a8d93 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,14 @@
>+2019-05-08  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        JSObject::getOwnPropertyDescriptor is missing an exception check
>+        https://bugs.webkit.org/show_bug.cgi?id=197693
>+        <rdar://problem/50441784>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * stress/proxy-spread.js: Added.
>+        (foo):
>+
> 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
> 
>         TypedArrays should not store properties that are canonical numeric indices
>diff --git a/JSTests/stress/proxy-spread.js b/JSTests/stress/proxy-spread.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..e8fd788c3a875b729a05f397d06b2f65ac8671fa
>--- /dev/null
>+++ b/JSTests/stress/proxy-spread.js
>@@ -0,0 +1,3 @@
>+function foo() {}
>+let p = new Proxy(foo, {});
>+let a = {...p};

Actions: View | Formatted Diff | Diff

Attachments on bug 197693: 369392 | 369399 | 369407 | 369421 | 369450 | 369719