WebKit Bugzilla
Attachment 343667 Details for Bug 187074: eval() is wrong about the LiteralParser never throwing any exceptions.
[patch] proposed patch.
bug-187074.patch (text/plain), 2.89 KB, created by Mark Lam on 2018-06-26 17:59:32 PDT
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 233234) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-06-26 Mark Lam <mark.lam@apple.com> >+ >+ eval() is wrong about the LiteralParser never throwing any exceptions. >+ https://bugs.webkit.org/show_bug.cgi?id=187074 >+ <rdar://problem/41461099> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-187074.js: Added. >+ > 2018-06-26 Mark Lam <mark.lam@apple.com> > > ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow(). >Index: JSTests/stress/regress-187074.js >=================================================================== >--- JSTests/stress/regress-187074.js (nonexistent) >+++ JSTests/stress/regress-187074.js (working copy) >@@ -0,0 +1,20 @@ >+// This test should not crash. >+var done = false; >+ >+function runNearStackLimit(f) { >+ function t() { >+ try { >+ return t(); >+ } catch (e) { >+ if (!done) >+ return f(); >+ } >+ } >+ return t() >+} >+ >+runNearStackLimit(() => { >+ done = true; >+ eval("({ __proto__ : [], __proto__: {} })") >+}); >+ >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 233227) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,16 @@ >+2018-06-26 Mark Lam <mark.lam@apple.com> >+ >+ eval() is wrong about the LiteralParser never throwing any exceptions. >+ https://bugs.webkit.org/show_bug.cgi?id=187074 >+ <rdar://problem/41461099> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Added the missing exception check, and removed an erroneous assertion. >+ >+ * interpreter/Interpreter.cpp: >+ (JSC::eval): >+ > 2018-06-26 Mark Lam <mark.lam@apple.com> > > ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow(). >Index: Source/JavaScriptCore/interpreter/Interpreter.cpp >=================================================================== >--- Source/JavaScriptCore/interpreter/Interpreter.cpp (revision 233227) >+++ Source/JavaScriptCore/interpreter/Interpreter.cpp (working copy) >@@ -154,11 +154,9 @@ JSValue eval(CallFrame* callFrame) > return parsedObject; > } > } >+ RETURN_IF_EXCEPTION(scope, JSValue()); > } > >- // If the literal parser bailed, it should not have thrown exceptions. >- scope.assertNoException(); >- > VariableEnvironment variablesUnderTDZ; > JSScope::collectClosureVariablesUnderTDZ(callerScopeChain, variablesUnderTDZ); > eval = DirectEvalExecutable::create(callFrame, makeSource(programSource, callerCodeBlock->source()->sourceOrigin()), callerCodeBlock->isStrictMode(), derivedContextType, isArrowFunctionContext, evalContextType, &variablesUnderTDZ);
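Review bot: In JSTests/stress/regress-187074.js, the test only establishes that the run does not crash, and the catch block in t() swallows every exception once done is true, so a run in which eval() throws an unexpected exception or returns the wrong value would still pass. Consider recording the outcome inside the arrow function (the returned value or the caught exception) and checking it after runNearStackLimit returns. Minor style point: `return t()` and the `eval(...)` line are missing the trailing semicolons used on the other statements in the file.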
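Review bot: In JSC::eval, the new `RETURN_IF_EXCEPTION(scope, JSValue());` replaces a comment that stated the opposite assumption ("If the literal parser bailed, it should not have thrown exceptions"), yet neither the code nor the ChangeLog entry says under what condition the LiteralParser throws. Add a short comment above the check stating that the literal parser can leave a pending exception (the new stress test reaches this by calling eval near the stack limit), so a later reader does not reinstate the assertion. It is also worth confirming that the `return parsedObject;` path earlier in the same block cannot return with an exception pending, since the new check only runs when that path falls through.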