Bug 176662 - Fix all ExceptionScope verification failures in JavaScriptCore.
Summary: Fix all ExceptionScope verification failures in JavaScriptCore.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Duplicates: 165035
Depends on:
Blocks: 162351
Reported: 2017-09-09 16:34 PDT by Mark Lam
Modified: 2018-02-14 18:41 PST
CC: 6 users

See Also:


Attachments
proposed patch. (164.18 KB, patch)
2017-09-09 16:58 PDT, Mark Lam
no flags
proposed patch. (167.52 KB, patch)
2017-09-09 17:27 PDT, Mark Lam
no flags
proposed patch. (167.51 KB, patch)
2017-09-09 17:31 PDT, Mark Lam
fpizlo: review+
patch for landing. (167.91 KB, patch)
2017-09-09 20:48 PDT, Mark Lam
buildbot: commit-queue-
Archive of layout-test-results from ews117 for mac-elcapitan (2.29 MB, application/zip)
2017-09-09 22:35 PDT, Build Bot
no flags
patch for landing (again). (167.91 KB, patch)
2017-09-10 00:08 PDT, Mark Lam
buildbot: commit-queue-
Archive of layout-test-results from ews117 for mac-elcapitan (2.28 MB, application/zip)
2017-09-10 01:57 PDT, Build Bot
no flags
patch for landing (w/ an exception check fix in JSDOMConvertRecord.h's convert()). (168.93 KB, patch)
2017-09-10 18:20 PDT, Mark Lam
no flags

Description Mark Lam 2017-09-09 16:34:46 PDT
This is in preparation to turn on exception scope verification for JSC tests.
Comment 1 Radar WebKit Bug Importer 2017-09-09 16:38:16 PDT
<rdar://problem/34352085>
Comment 2 Mark Lam 2017-09-09 16:58:17 PDT
Created attachment 320365 [details]
proposed patch.
Comment 3 Mark Lam 2017-09-09 17:27:56 PDT
Created attachment 320368 [details]
proposed patch.
Comment 4 Build Bot 2017-09-09 17:30:36 PDT
Attachment 320368 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:91:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 71 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 5 Mark Lam 2017-09-09 17:31:12 PDT
Created attachment 320369 [details]
proposed patch.
Comment 6 Build Bot 2017-09-09 17:33:53 PDT
Attachment 320369 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:91:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 71 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 7 Filip Pizlo 2017-09-09 19:00:29 PDT
Comment on attachment 320369 [details]
proposed patch.

R=me with build fixes.
Comment 8 Mark Lam 2017-09-09 20:48:57 PDT
Created attachment 320376 [details]
patch for landing.

Thanks for the review.  Here's the patch for landing: added a #include in JSDOMMapLike.cpp to fix the build, and a scope.release() in jsc.cpp's functionDollarAgentReceiveBroadcast() to fix an intermittent failure in the stress/lars-sab-workers.js test.
Comment 9 Build Bot 2017-09-09 20:50:38 PDT
Attachment 320376 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:91:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 71 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 10 Mark Lam 2017-09-09 20:51:14 PDT
*** Bug 165035 has been marked as a duplicate of this bug. ***
Comment 11 Build Bot 2017-09-09 22:35:05 PDT
Comment on attachment 320376 [details]
patch for landing.

Attachment 320376 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4501545

New failing tests:
imported/w3c/web-platform-tests/fetch/api/headers/headers-record.html
js/dom/webidl-type-mapping.html
Comment 12 Build Bot 2017-09-09 22:35:06 PDT
Created attachment 320382 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 13 Mark Lam 2017-09-09 22:53:07 PDT
(In reply to Build Bot from comment #11)
> New failing tests:
> imported/w3c/web-platform-tests/fetch/api/headers/headers-record.html
> js/dom/webidl-type-mapping.html

I'm investigating these.
Comment 14 Mark Lam 2017-09-10 00:08:06 PDT
Created attachment 320384 [details]
patch for landing (again).

I applied the same patch on a different workspace (same revision) and cannot reproduce these 2 crashes.  I suspect the issue isn't due to my patch.  Let's try re-uploading it and trying on the EWS again.
Comment 15 Build Bot 2017-09-10 00:10:06 PDT
Attachment 320384 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:91:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 71 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 16 Build Bot 2017-09-10 01:57:50 PDT
Comment on attachment 320384 [details]
patch for landing (again).

Attachment 320384 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4502530

New failing tests:
imported/w3c/web-platform-tests/fetch/api/headers/headers-record.html
js/dom/webidl-type-mapping.html
Comment 17 Build Bot 2017-09-10 01:57:51 PDT
Created attachment 320390 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 18 Mark Lam 2017-09-10 18:20:30 PDT
Created attachment 320411 [details]
patch for landing (w/ an exception check fix in JSDOMConvertRecord.h's convert()).

Let's try this on the EWS again.
Comment 19 Build Bot 2017-09-10 18:21:51 PDT
Attachment 320411 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:91:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 72 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 20 Mark Lam 2017-09-10 23:25:08 PDT
The EWS bots and my local testing say that tests are passing now with the latest patch.

Landed in r221849: <http://trac.webkit.org/r221849>.
Comment 21 Saam Barati 2018-02-14 18:41:13 PST
Comment on attachment 320411 [details]
patch for landing (w/ an exception check fix in JSDOMConvertRecord.h's convert()).

View in context: https://bugs.webkit.org/attachment.cgi?id=320411&action=review

> Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:788
> +    CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, encodedJSValue());
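Review bot: at this line CLEAR_AND_RETURN_IF_EXCEPTION consumes the pending exception on catchScope and then returns encodedJSValue(), so the JS caller of this function is handed an empty value while no exception is pending, which is neither a normal return nor a throw. If the intent is to propagate the failure, return with the exception still pending instead of clearing it; if the intent is to swallow it, return a real value. The same applies to the three WebAssemblyPrototype.cpp sites quoted below.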

These look wrong. You're returning JSValue() to a JS caller *without* an exception.

> Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp:86
> +    CLEAR_AND_RETURN_IF_EXCEPTION(scope, encodedJSValue());

ditto

> Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp:187
> +    CLEAR_AND_RETURN_IF_EXCEPTION(scope, encodedJSValue());

ditto

> Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp:194
> +        CLEAR_AND_RETURN_IF_EXCEPTION(scope, encodedJSValue());

ditto
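The two points raised on this bug, the scope.release() Mark Lam added in comment 8 to silence a verification failure and the CLEAR_AND_RETURN_IF_EXCEPTION sites Saam Barati questions in comment 21, can be shown side by side with a small model of what exception scope verification checks. The block below is an added example written for this page; it is not code from the patch or from JavaScriptCore. Everything in it is an assumed stand-in: the VM, ThrowScope and CatchScope classes and the two macros borrow JSC's names but simplify its semantics (a verification failure is counted instead of asserted), and parseNumber, the hostDouble* functions, forwardWithRelease/forwardWithoutRelease, CallResult and callFromJS are invented for the illustration.

```cpp
// Toy model of JavaScriptCore-style ExceptionScope verification, an illustration written for this page.
// Not JSC's code: the names (VM, JSValue, ThrowScope, CatchScope, RETURN_IF_EXCEPTION, ...) mimic JSC's; the semantics are simplified.
#include <string>

struct JSValue {
    bool empty = true; int payload = 0;
    static JSValue fromInt(int v) { JSValue j; j.empty = false; j.payload = v; return j; }
    bool isEmpty() const { return empty; }
};

struct VM {
    bool hasException = false;        // an exception is pending
    bool needExceptionCheck = false;  // verifier: a throw may have happened and nobody has looked yet
    int verifierFailures = 0;         // what a debug JSC build would assert on
    void verifyExceptionCheckNeedNotBeResolved() { if (needExceptionCheck) verifierFailures++; }
};

// Owning a ThrowScope means "this function may throw". On exit the scope behaves as if it had
// thrown, so the caller must check the exception state before its own scope ends.
class ThrowScope {
public:
    explicit ThrowScope(VM& vm) : m_vm(vm) {}
    ~ThrowScope() {
        if (!m_released) m_vm.verifyExceptionCheckNeedNotBeResolved();
        m_vm.needExceptionCheck = true;  // simulated throw: the caller now owes a check
    }
    void throwException() {
        if (m_vm.hasException) m_vm.verifyExceptionCheckNeedNotBeResolved();  // throwing over an unchecked one
        m_vm.hasException = true;
    }
    bool exception() { m_vm.needExceptionCheck = false; return m_vm.hasException; }  // "I looked"
    void release() { m_released = true; }  // returning straight to the caller, who will check
protected:
    VM& m_vm;
    bool m_released = false;
};

class CatchScope : public ThrowScope {  // for code that handles the exception itself
public:
    using ThrowScope::ThrowScope;
    void clearException() { m_vm.needExceptionCheck = false; m_vm.hasException = false; }
};

#define RETURN_IF_EXCEPTION(scope, value) do { if ((scope).exception()) return value; } while (0)
#define CLEAR_AND_RETURN_IF_EXCEPTION(scope, value) \
    do { if ((scope).exception()) { (scope).clearException(); return value; } } while (0)

// A callee that can throw: only strings of decimal digits are accepted.
JSValue parseNumber(VM& vm, const std::string& s) {
    ThrowScope scope(vm);
    if (s.empty() || s.find_first_not_of("0123456789") != std::string::npos) {
        scope.throwException();
        return JSValue();  // empty result + pending exception: the legal "threw" return
    }
    return JSValue::fromInt(std::stoi(s));
}

// Correct host function: check, then propagate the exception to the JS caller untouched.
JSValue hostDoubleFixed(VM& vm, const std::string& s) {
    ThrowScope scope(vm);
    JSValue v = parseNumber(vm, s);
    RETURN_IF_EXCEPTION(scope, JSValue());
    return JSValue::fromInt(v.payload * 2);
}

// The pattern questioned in comment 21: clear the exception and return an empty value. Verification
// is satisfied (the exception was checked), but the JS caller gets neither a value nor an exception.
JSValue hostDoubleClearing(VM& vm, const std::string& s) {
    CatchScope catchScope(vm);
    JSValue v = parseNumber(vm, s);
    CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, JSValue());
    return JSValue::fromInt(v.payload * 2);
}

// Missing check: flagged by the verifier even on inputs that never throw.
JSValue hostDoubleUnchecked(VM& vm, const std::string& s) {
    ThrowScope scope(vm);
    return JSValue::fromInt(parseNumber(vm, s).payload * 2);
}

// Returning a possibly-throwing callee's result directly: release the scope (the fix from comment 8)
// to delegate the check to the caller; without the release the verifier blames this function.
JSValue forwardWithRelease(VM& vm, const std::string& s) { ThrowScope scope(vm); scope.release(); return parseNumber(vm, s); }
JSValue forwardWithoutRelease(VM& vm, const std::string& s) { ThrowScope scope(vm); return parseNumber(vm, s); }

// What a JS caller relies on: exactly one of {non-empty result, pending exception}.
struct CallResult { bool threw; bool contractViolated; int verifierFailures; int value; };
CallResult callFromJS(JSValue (*fn)(VM&, const std::string&), const std::string& arg) {
    VM vm;                          // fresh VM state per call
    JSValue result = fn(vm, arg);
    vm.needExceptionCheck = false;  // the caller (LLInt/JIT in JSC) checks here
    return CallResult { vm.hasException, result.isEmpty() != vm.hasException, vm.verifierFailures, result.payload };
}

int main() {
    // Exit status 1 reproduces the comment 21 complaint: empty value handed back with no exception pending.
    return callFromJS(hostDoubleClearing, "abc").contractViolated ? 1 : 0;
}
```

The model keeps the two properties separate on purpose. The verifier (needExceptionCheck, set whenever a ThrowScope ends and cleared only when someone reads the exception state) catches hostDoubleUnchecked and forwardWithoutRelease even on the input "21" that never throws, which is why turning verification on surfaces failures in tests that otherwise pass; scope.release() in forwardWithRelease tells it the caller will do the check. The JS-caller contract is a different check: hostDoubleClearing passes verification, because CLEAR_AND_RETURN_IF_EXCEPTION does look at the exception, yet on "abc" it returns an empty value with nothing pending, which is exactly the state comment 21 objects to. hostDoubleFixed satisfies both.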