Changeset 36842 in webkit for trunk/JavaScriptCore/kjs

Timestamp:

Sep 23, 2008, 11:44:11 PM (17 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2008-09-23 Geoffrey Garen <​[email protected]>

Reviewed by Oliver Hunt.

Fixed ​https://bugs.webkit.org/show_bug.cgi?id=21038 | <rdar://problem/6240812>
Uncaught exceptions in regex replace callbacks crash webkit

This was a combination of two problems:

(1) the replace function would continue execution after an exception
had been thrown.

(2) In some cases, the Machine would return 0 in the case of an exception,
despite the fact that a few clients dereference the Machine's return
value without first checking for an exception.

• VM/Machine.cpp: (JSC::Machine::execute):

^{Return jsNull() instead of 0 in the case of an exception, since some
clients depend on using our return value.}

^{ASSERT that execution does not continue after an exception has been
thrown, to help catch problems like this in the future.}

• kjs/StringPrototype.cpp: (JSC::stringProtoFuncReplace):

^{Stop execution if an exception has been thrown.}

LayoutTests:

2008-09-23 Geoffrey Garen <​[email protected]>

Reviewed by Oliver Hunt.

Test for ​https://bugs.webkit.org/show_bug.cgi?id=21038
Uncaught exceptions in regex replace callbacks crash webkit

• fast/js/string-replace-exception-crash-expected.txt: Added.
• fast/js/string-replace-exception-crash.html: Added.

File:

• trunk/JavaScriptCore/kjs/StringPrototype.cpp (modified) (1 diff)

trunk/JavaScriptCore/kjs/StringPrototype.cpp

@@ -258 +258 @@
 
                 replacements.append(call(exec, replacement, callType, callData, exec->globalThisValue(), args)->toString(exec));
+                if (exec->hadException())
+                    break;
             } else
                 replacements.append(substituteBackreferences(replacementString, source, ovector, reg));