Timestamp:
Feb 22, 2016, 4:51:02 PM (9 years ago)
Author:
[email protected]
Message:

InternalFunction::createSubclassStructure doesn't take into account that get() might throw
https://bugs.webkit.org/show_bug.cgi?id=154548

Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.

InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
an exception. Neither the function nor the call sites of the function took this into
account. This patch audits the call sites of the function to make it work in
the event that an exception is thrown.

  • runtime/BooleanConstructor.cpp:

(JSC::constructWithBooleanConstructor):

  • runtime/DateConstructor.cpp:

(JSC::constructDate):

  • runtime/ErrorConstructor.cpp:

(JSC::Interpreter::constructWithErrorConstructor):

  • runtime/FunctionConstructor.cpp:

(JSC::constructFunctionSkippingEvalEnabledCheck):

  • runtime/InternalFunction.cpp:

(JSC::InternalFunction::createSubclassStructure):

  • runtime/JSArrayBufferConstructor.cpp:

(JSC::constructArrayBuffer):

  • runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayView):

  • runtime/JSGlobalObject.h:

(JSC::constructEmptyArray):
(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):

  • runtime/JSPromiseConstructor.cpp:

(JSC::constructPromise):

  • runtime/MapConstructor.cpp:

(JSC::constructMap):

  • runtime/NativeErrorConstructor.cpp:

(JSC::Interpreter::constructWithNativeErrorConstructor):

  • runtime/NumberConstructor.cpp:

(JSC::constructWithNumberConstructor):

  • runtime/RegExpConstructor.cpp:

(JSC::getRegExpStructure):
(JSC::constructRegExp):
(JSC::constructWithRegExpConstructor):

  • runtime/SetConstructor.cpp:

(JSC::constructSet):

  • runtime/StringConstructor.cpp:

(JSC::constructWithStringConstructor):
(JSC::StringConstructor::getConstructData):

  • runtime/WeakMapConstructor.cpp:

(JSC::constructWeakMap):

  • runtime/WeakSetConstructor.cpp:

(JSC::constructWeakSet):

  • tests/stress/create-subclass-structure-might-throw.js: Added.

(assert):

File:
1 edited

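--- a/trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h
@@ -732,4 +732,6 @@
     else
         structure = globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget);
+    if (exec->hadException())
+        return nullptr;
 
     return ArrayAllocationProfile::updateLastAllocationFor(profile, JSArray::create(exec->vm(), structure, initialLength));
@@ -743,5 +745,8 @@
 inline JSArray* constructArray(ExecState* exec, ArrayAllocationProfile* profile, JSGlobalObject* globalObject, const ArgList& values, JSValue newTarget = JSValue())
 {
-    return ArrayAllocationProfile::updateLastAllocationFor(profile, constructArray(exec, globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget), values));
+    Structure* structure = globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget);
+    if (exec->hadException())
+        return nullptr;
+    return ArrayAllocationProfile::updateLastAllocationFor(profile, constructArray(exec, structure, values));
 }
 
@@ -753,5 +758,8 @@
 inline JSArray* constructArray(ExecState* exec, ArrayAllocationProfile* profile, JSGlobalObject* globalObject, const JSValue* values, unsigned length, JSValue newTarget = JSValue())
 {
-    return ArrayAllocationProfile::updateLastAllocationFor(profile, constructArray(exec, globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget), values, length));
+    Structure* structure = globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget);
+    if (exec->hadException())
+        return nullptr;
+    return ArrayAllocationProfile::updateLastAllocationFor(profile, constructArray(exec, structure, values, length));
 }
 
@@ -763,5 +771,8 @@
 inline JSArray* constructArrayNegativeIndexed(ExecState* exec, ArrayAllocationProfile* profile, JSGlobalObject* globalObject, const JSValue* values, unsigned length, JSValue newTarget = JSValue())
 {
-    return ArrayAllocationProfile::updateLastAllocationFor(profile, constructArrayNegativeIndexed(exec, globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget), values, length));
+    Structure* structure = globalObject->arrayStructureForProfileDuringAllocation(exec, profile, newTarget);
+    if (exec->hadException())
+        return nullptr;
+    return ArrayAllocationProfile::updateLastAllocationFor(profile, constructArrayNegativeIndexed(exec, structure, values, length));
 }
 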
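Review bot: The new nullptr-on-exception return is an interface contract that every caller must honor, yet none of the four functions in this header documents it, so a future call site is likely to dereference the result or keep running with an exception pending — exactly the class of bug this patch fixes. I would add, above each of the three `constructArray`/`constructArrayNegativeIndexed` overloads and the `constructEmptyArray` function whose body the first hunk lands in, `// Returns nullptr with an exception pending on exec if resolving the array structure for newTarget throws; callers must check exec->hadException().` The `else` branch in the first hunk belongs to `constructEmptyArray`, whose signature and preceding `if` branch are outside the hunk, so the check's placement after both branches is presumably intended to cover the structure computed on either path — confirm the `if` branch cannot also leave an exception pending before the check. The three rewritten overloads are now near-identical four-line bodies; folding the structure lookup plus exception check into one small inline helper would keep the next audit from having to touch four places.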