Changeset 221849 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.cpp

Timestamp:

Sep 10, 2017, 11:23:39 PM (8 years ago)

Author:

[email protected]

Message:

Fix all ExceptionScope verification failures in JavaScriptCore.
​https://bugs.webkit.org/show_bug.cgi?id=176662
<rdar://problem/34352085>

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope verification for release builds too (though this requires manually setting ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).

This is useful because it allows us to run the tests more quickly to check
if any regressions have occurred. Debug builds run so much slower and not
good for a quick turn around. Debug builds are necessary though to get
trace information without inlining by the C++ compiler. This is necessary to
diagnose where the missing exception check is.

2. Repurposed the JSC_dumpSimulatedThrows=true options to capture and dump the last simulated throw when an exception scope verification fails.

Previously, this option dumps the stack trace on all simulated throws. That
turned out to not be very useful, and slows down the debugging process.
Instead, the new implementation captures the stack trace and only dumps it
if we have a verification failure.

3. Fixed missing exception checks and book-keeping needed to allow the JSC tests to pass with JSC_validateExceptionChecks=true.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• dfg/DFGOSRExit.cpp:

(JSC::DFG::OSRExit::executeOSRExit):

• dfg/DFGOperations.cpp:
• interpreter/Interpreter.cpp:

(JSC::eval):
(JSC::loadVarargs):
(JSC::Interpreter::unwind):
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):

• jit/JITOperations.cpp:

(JSC::getByVal):

• jsc.cpp:

(WTF::CustomGetter::customGetterAcessor):
(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderResolve):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::getByVal):
(JSC::LLInt::setUpCall):

• parser/Parser.h:

(JSC::Parser::popScopeInternal):

• runtime/AbstractModuleRecord.cpp:

(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::resolveExportImpl):
(JSC::getExportedNames):
(JSC::AbstractModuleRecord::getModuleNamespace):

• runtime/ArrayPrototype.cpp:

(JSC::getProperty):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
(JSC::arrayProtoPrivateFuncAppendMemcpy):

• runtime/CatchScope.h:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/DatePrototype.cpp:

(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):

• runtime/DirectArguments.h:

(JSC::DirectArguments::length const):

• runtime/ErrorPrototype.cpp:

(JSC::errorProtoFuncToString):

• runtime/ExceptionFuzz.cpp:

(JSC::doExceptionFuzzing):

• runtime/ExceptionScope.h:

(JSC::ExceptionScope::needExceptionCheck):
(JSC::ExceptionScope::assertNoException):

• runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::defineOwnProperty):

• runtime/HashMapImpl.h:

(JSC::HashMapImpl::rehash):

• runtime/IntlDateTimeFormat.cpp:

(JSC::IntlDateTimeFormat::formatToParts):

• runtime/JSArray.cpp:

(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::put):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):

• runtime/JSCJSValueInlines.h:

(JSC::JSValue::toIndex const):
(JSC::JSValue::get const):
(JSC::JSValue::getPropertySlot const):
(JSC::JSValue::equalSlowCaseInline):

• runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::set):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::put):

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::decode):
(JSC::globalFuncEval):
(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
(JSC::globalFuncImportModule):

• runtime/JSInternalPromise.cpp:

(JSC::JSInternalPromise::then):

• runtime/JSInternalPromiseDeferred.cpp:

(JSC::JSInternalPromiseDeferred::create):

• runtime/JSJob.cpp:

(JSC::JSJobMicrotask::run):

• runtime/JSModuleEnvironment.cpp:

(JSC::JSModuleEnvironment::getOwnPropertySlot):
(JSC::JSModuleEnvironment::put):
(JSC::JSModuleEnvironment::deleteProperty):

• runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::provide):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):

• runtime/JSModuleRecord.cpp:

(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):

• runtime/JSONObject.cpp:

(JSC::Stringifier::stringify):
(JSC::Stringifier::toJSON):
(JSC::JSONProtoFuncParse):

• runtime/JSObject.cpp:

(JSC::JSObject::calculatedClassName):
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::toPrimitive const):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::toNumber const):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::validateAndApplyPropertyDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::JSObject::getGenericPropertyNames):

• runtime/JSObject.h:

(JSC::JSObject::get const):

• runtime/JSObjectInlines.h:

(JSC::JSObject::getPropertySlot const):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
(JSC::JSObject::putInlineForJSObject):

• runtime/JSPromiseConstructor.cpp:

(JSC::constructPromise):

• runtime/JSPromiseDeferred.cpp:

(JSC::JSPromiseDeferred::create):

• runtime/JSScope.cpp:

(JSC::abstractAccess):
(JSC::JSScope::resolve):
(JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
(JSC::JSScope::abstractResolve):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::tryJSONPParse):
(JSC::LiteralParser<CharType>::parse):

• runtime/Lookup.h:

(JSC::putEntry):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/NumberPrototype.cpp:

(JSC::numberProtoFuncToString):

• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorGetOwnPropertyDescriptors):
(JSC::objectConstructorAssign):
(JSC::objectConstructorValues):
(JSC::toPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorDefineProperties):
(JSC::ownPropertyKeys):

• runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):

• runtime/Options.h:
• runtime/ParseInt.h:

(JSC::toStringView):

• runtime/ProxyObject.cpp:

(JSC::performProxyGet):
(JSC::ProxyObject::performPut):

• runtime/ReflectObject.cpp:

(JSC::reflectObjectDefineProperty):

• runtime/RegExpConstructor.cpp:

(JSC::toFlags):
(JSC::regExpCreate):
(JSC::constructRegExp):

• runtime/RegExpObject.cpp:

(JSC::collectMatches):

• runtime/RegExpObjectInlines.h:

(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):

• runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncTestFast):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncMatchFast):
(JSC::regExpProtoFuncToString):
(JSC::regExpProtoFuncSplitFast):

• runtime/ScriptExecutable.cpp:

(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::prepareForExecutionImpl):

• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/ThrowScope.cpp:

(JSC::ThrowScope::simulateThrow):

• runtime/VM.cpp:

(JSC::VM::verifyExceptionCheckNeedIsSatisfied):

• runtime/VM.h:
• runtime/WeakMapPrototype.cpp:

(JSC::protoFuncWeakMapSet):

• runtime/WeakSetPrototype.cpp:

(JSC::protoFuncWeakSetAdd):

• wasm/js/WebAssemblyModuleConstructor.cpp:

(JSC::WebAssemblyModuleConstructor::createModule):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):

• wasm/js/WebAssemblyPrototype.cpp:

(JSC::reject):
(JSC::webAssemblyCompileFunc):
(JSC::resolve):
(JSC::webAssemblyInstantiateFunc):

Source/WebCore:

No new tests because this is covered by existing tests with the JSC_validateExceptionChecks=true enabled.

• bindings/js/JSCustomElementInterface.cpp:

(WebCore::JSCustomElementInterface::tryToConstructCustomElement):

• bindings/js/JSCustomElementRegistryCustom.cpp:

(WebCore::whenDefinedPromise):

• bindings/js/JSDOMConvertRecord.h:
• bindings/js/JSDOMMapLike.cpp:

(WebCore::createBackingMap):

• bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::DeferredPromise::callFunction):
(WebCore::DeferredPromise::reject):

• bindings/js/JSDOMPromiseDeferred.h:

(WebCore::callPromiseFunction):

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.cpp (modified) (29 diffs)

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -536 +536 @@
     PropertyName constructor(vm.propertyNames->constructor);
     if (object->getPropertySlot(exec, constructor, slot)) {
+        EXCEPTION_ASSERT(!scope.exception());
         if (slot.isValue()) {
             JSValue constructorValue = slot.getValue(exec, constructor);
@@ -550 +551 @@
         }
     }
-    ASSERT(!scope.exception() || prototypeFunctionName.isNull());
+    EXCEPTION_ASSERT(!scope.exception() || prototypeFunctionName.isNull());
     if (UNLIKELY(scope.exception()))
         scope.clearException();
@@ -659 +660 @@
             ProxyObject* proxy = jsCast<ProxyObject*>(current);
             PutPropertySlot slot(receiver, shouldThrow);
+            scope.release();
             return proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
         }
@@ -717 +719 @@
 
             // 9.1.9.1-4-d-iv Return ? Receiver.[[DefineOwnProperty]](P, valueDesc).
+            scope.release();
             return receiverObject->methodTable(vm)->defineOwnProperty(receiverObject, exec, propertyName, valueDescriptor, shouldThrow);
         }
@@ -722 +725 @@
         // 9.1.9.1-4-e Else Receiver does not currently have a property P,
         // 9.1.9.1-4-e-i Return ? CreateDataProperty(Receiver, P, V).
+        scope.release();
         return receiverObject->methodTable(vm)->defineOwnProperty(receiverObject, exec, propertyName, PropertyDescriptor(value, None), shouldThrow);
     }
@@ -741 +745 @@
     CallData callData;
     CallType callType = setterObject->methodTable(vm)->getCallData(setterObject, callData);
+    scope.release();
     call(exec, setterObject, callType, callData, receiver, args);
 
@@ -773 +778 @@
             if (gs.isGetterSetter()) {
                 bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+                RETURN_IF_EXCEPTION(scope, false);
                 if (!structure()->isDictionary())
                     slot.setCacheableSetter(obj, offset);
@@ -793 +799 @@
         if (!obj->staticPropertiesReified()) {
             if (obj->classInfo(vm)->hasStaticSetterOrReadonlyProperties()) {
-                if (auto entry = obj->findPropertyHashEntry(vm, propertyName))
+                if (auto entry = obj->findPropertyHashEntry(vm, propertyName)) {
+                    scope.release();
                     return putEntry(exec, entry->table->classForThis, entry->value, obj, this, propertyName, value, slot);
+                }
             }
         }
@@ -802 +810 @@
             // https://bugs.webkit.org/show_bug.cgi?id=155012
             ProxyObject* proxy = jsCast<ProxyObject*>(obj);
+            scope.release();
             return proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
         }
@@ -1948 +1957 @@
     if (hint == PreferString) {
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->toString, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->valueOf, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
     } else {
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->valueOf, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
         value = callToPrimitiveFunction(exec, this, vm.propertyNames->toString, hint);
-        ASSERT(!scope.exception() || scope.exception() == value.asCell());
+        EXCEPTION_ASSERT(!scope.exception() || scope.exception() == value.asCell());
         if (value)
             return value;
@@ -1986 +1995 @@
         return value;
 
+    scope.release();
     return this->methodTable(vm)->defaultValue(this, exec, preferredType);
 }
@@ -2047 +2057 @@
         JSValue prototype = get(exec, vm.propertyNames->prototype);
         RETURN_IF_EXCEPTION(scope, false);
+        scope.release();
         return defaultHasInstance(exec, value, prototype);
     }
-    if (info.implementsHasInstance())
+    if (info.implementsHasInstance()) {
+        scope.release();
         return methodTable(vm)->customHasInstance(this, exec, value);
+    }
     throwException(exec, scope, createInvalidInstanceofParameterErrorNotFunction(exec, this));
     return false;
@@ -2062 +2075 @@
     RETURN_IF_EXCEPTION(scope, false);
 
+    scope.release();
     return hasInstance(exec, value, hasInstanceValue);
 }
@@ -2114 +2128 @@
     while(1) {
         if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
+            scope.release();
             prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
-            break;
+            return;
         }
         prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);
@@ -2222 +2237 @@
     JSValue primitive = toPrimitive(exec, PreferNumber);
     RETURN_IF_EXCEPTION(scope, 0.0); // should be picked up soon in Nodes.cpp
+    scope.release();
     return primitive.toNumber(exec);
 }
@@ -2389 +2405 @@
         if (!descriptor.attributes() && descriptor.value() && canDoFastPutDirectIndex(this)) {
             ASSERT(!descriptor.isAccessorDescriptor());
+            scope.release();
             return putDirectIndex(exec, index, descriptor.value(), 0, throwException ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         }
@@ -2440 +2457 @@
     PropertyDescriptor current;
     entryInMap->get(current);
-    if (descriptor.isEmpty() || descriptor.equalTo(exec, current))
+    bool isEmptyOrEqual = descriptor.isEmpty() || descriptor.equalTo(exec, current);
+    RETURN_IF_EXCEPTION(scope, false);
+    if (isEmptyOrEqual)
         return true;
 
@@ -2575 +2594 @@
         SparseArrayValueMap* map = allocateSparseIndexMap(vm);
         bool result = map->putEntry(exec, this, i, value, false);
+        RETURN_IF_EXCEPTION(scope, false);
         ASSERT(i >= arrayStorage()->length());
         arrayStorage()->setLength(i + 1);
@@ -2648 +2668 @@
         // We don't want to, or can't use a vector to hold this property - allocate a sparse map & add the value.
         map = allocateSparseIndexMap(vm);
+        scope.release();
         return map->putEntry(exec, this, i, value, shouldThrow);
     }
@@ -2664 +2685 @@
     // We will continue  to use a sparse map if SparseMode is set, a vector would be too sparse, or if allocation fails.
     unsigned numValuesInArray = storage->m_numValuesInVector + map->size();
-    if (map->sparseMode() || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length))
+    if (map->sparseMode() || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length)) {
+        scope.release();
         return map->putEntry(exec, this, i, value, shouldThrow);
+    }
 
     // Reread m_storage after increaseVectorLength, update m_numValuesInVector.
@@ -2784 +2807 @@
         // We don't want to, or can't use a vector to hold this property - allocate a sparse map & add the value.
         map = allocateSparseIndexMap(vm);
+        scope.release();
         return map->putDirect(exec, this, i, value, attributes, mode);
     }
@@ -2804 +2828 @@
     // We will continue  to use a sparse map if SparseMode is set, a vector would be too sparse, or if allocation fails.
     unsigned numValuesInArray = storage->m_numValuesInVector + map->size();
-    if (map->sparseMode() || attributes || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length))
+    if (map->sparseMode() || attributes || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(vm, length)) {
+        scope.release();
         return map->putDirect(exec, this, i, value, attributes, mode);
+    }
 
     // Reread m_storage after increaseVectorLength, update m_numValuesInVector.
@@ -3352 +3378 @@
         return true;
     // Step 4.
-    if (current.equalTo(exec, descriptor))
+    bool isEqual = current.equalTo(exec, descriptor);
+    RETURN_IF_EXCEPTION(scope, false);
+    if (isEqual)
         return true;
 
@@ -3369 +3397 @@
         if (!current.attributesEqual(descriptor) && object) {
             object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+            RETURN_IF_EXCEPTION(scope, false);
             return putDescriptor(exec, object, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
         }
@@ -3384 +3413 @@
 
         object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+        RETURN_IF_EXCEPTION(scope, false);
         return putDescriptor(exec, object, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
     }
@@ -3403 +3433 @@
             return true;
         object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+        RETURN_IF_EXCEPTION(scope, false);
         return putDescriptor(exec, object, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
     }
@@ -3448 +3479 @@
         return true;
     object->methodTable(vm)->deleteProperty(object, exec, propertyName);
+    RETURN_IF_EXCEPTION(scope, false);
     unsigned attrs = descriptor.attributesOverridingCurrent(current);
     object->putDirectAccessor(exec, propertyName, getterSetter, attrs | Accessor);
@@ -3467 +3499 @@
     bool isExtensible = this->isExtensible(exec);
     RETURN_IF_EXCEPTION(throwScope, false);
+    throwScope.release();
     return validateAndApplyPropertyDescriptor(exec, this, propertyName, isExtensible, descriptor, isCurrentDefined, current, throwException);
 }
@@ -3595 +3628 @@
     while (true) {
         if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
+            scope.release();
             prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
-            break;
+            return;
         }
         prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);