Bug 215357

Summary: ScriptExecutable::newCodeBlockFor() neglected to set the exception pointer result in one case.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=215358
Attachments:
Description Flags
proposed patch. none

Mark Lam
Reported 2020-08-10 22:36:17 PDT
At the bottom of ScriptExecutable::newCodeBlockFor(), it calls: RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope)); However, ScriptExecutable::newCodeBlockFor() has 2 return values: a CodeBlock*, and a passed in Exception*& that needs to be set if there's an exception. FunctionCodeBlock::create() is capable of returning a null CodeBlock* because CodeBlock::finishCreation() can throw exceptions. As a result, we have a scenario here where ScriptExecutable::newCodeBlockFor() can return a null CodeBlock* without setting the Exception*& result. Consequently, Interpreter::executeCall() is relying on this and can end up crashing while dereferencing a null CodeBlock* because the exception result was not set. We can fix this in 1 of 2 ways: 1. Fix ScriptExecutable::newCodeBlockFor() to set the exception result. 2. Get rid of having to set the exception result, and use throwScope.exception() as the canonical method of checking for exceptions. I'm going to try to apply solution 2 if it doesn't introduce an unreasonable amount of code change.
Attachments
proposed patch. (3.76 KB, patch)
2020-08-10 23:00 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2020-08-10 22:36:38 PDT
<rdar://problem/57675112>
Mark Lam
Comment 2 2020-08-10 22:46:21 PDT
On 2nd thought, I'll just apply solution 1 which is a small and simple patch. I'll investigate applying solution 2 later with a refactoring in https://bugs.webkit.org/show_bug.cgi?id=215358.
Mark Lam
Comment 3 2020-08-10 23:00:44 PDT
Created attachment 406365 [details] proposed patch.
Yusuke Suzuki
Comment 4 2020-08-10 23:04:16 PDT
Comment on attachment 406365 [details] proposed patch. r=me
EWS
Comment 5 2020-08-11 01:23:21 PDT
Committed r265493: <https://trac.webkit.org/changeset/265493> All reviewed patches have been landed. Closing bug and clearing flags on attachment 406365 [details].
Note You need to log in before you can comment on or make changes to this bug.