Bug 195791

Summary: [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch mark.lam: review+

Description Yusuke Suzuki 2019-03-14 20:36:28 PDT 
[JSC] Do not pass Symbol::privateName() directly to PropertyName without ref-ing it
Comment 1 Yusuke Suzuki 2019-03-14 20:38:15 PDT 
<rdar://problem/48806130>
Comment 2 Yusuke Suzuki 2019-03-14 21:08:01 PDT 
Created attachment 364768 [details]
Patch
Comment 3 Yusuke Suzuki 2019-03-14 21:08:03 PDT 
<rdar://problem/48806130>
Comment 4 Yusuke Suzuki 2019-03-14 22:06:43 PDT 
Created attachment 364770 [details]
Patch
Comment 5 Mark Lam 2019-03-14 22:36:12 PDT 
Comment on attachment 364770 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=364770&action=review

r=me with fixes.

> Source/JavaScriptCore/ChangeLog:19
> +        PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName

/middle of putByVal/middle of the putByVal/

> Source/JavaScriptCore/ChangeLog:37
> +        3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks.

/necessary exception checks/for needed but missing exception checks/.

> Source/JavaScriptCore/runtime/JSONObject.cpp:250
> +                    auto propertyName = name.toString(exec)->toIdentifier(exec);

name.toString() can also throw an exception because it can allocate a string from a name that is a number.  So, you'll need another exception check before the toIdentifier() conversion.
Comment 6 Yusuke Suzuki 2019-03-14 22:38:16 PDT 
Comment on attachment 364770 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=364770&action=review

>> Source/JavaScriptCore/ChangeLog:19
>> +        PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName
> 
> /middle of putByVal/middle of the putByVal/

Fixed.

>> Source/JavaScriptCore/ChangeLog:37
>> +        3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks.
> 
> /necessary exception checks/for needed but missing exception checks/.

Fixed.

>> Source/JavaScriptCore/runtime/JSONObject.cpp:250
>> +                    auto propertyName = name.toString(exec)->toIdentifier(exec);
> 
> name.toString() can also throw an exception because it can allocate a string from a name that is a number.  So, you'll need another exception check before the toIdentifier() conversion.

Nice catch. Fixed.
Comment 7 Yusuke Suzuki 2019-03-14 22:56:32 PDT 
Committed r242991: <https://trac.webkit.org/changeset/242991>
Comment 8 Robin Morisset 2019-03-15 08:16:01 PDT 
Comment on attachment 364770 [details]
Patch

LGTM too. Thanks a lot for solving this bug.
Comment 9 Mark Lam 2019-03-15 10:14:56 PDT 
Added a missing exception check in r242999: <http://trac.webkit.org/r242999>.
Comment 10 Yusuke Suzuki 2019-03-19 21:30:42 PDT 
Committed r243191: <https://trac.webkit.org/changeset/243191>