WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
195791
[JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
https://bugs.webkit.org/show_bug.cgi?id=195791
Summary
[JSC] Retain PrivateName of Symbol before passing it to operations potentiall...
Yusuke Suzuki
Reported
2019-03-14 20:36:28 PDT
[JSC] Do not pass Symbol::privateName() directly to PropertyName without ref-ing it
Attachments
Patch
(23.36 KB, patch)
2019-03-14 21:08 PDT
,
Yusuke Suzuki
no flags
Details
Formatted Diff
Diff
Patch
(23.55 KB, patch)
2019-03-14 22:06 PDT
,
Yusuke Suzuki
mark.lam
: review+
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1
2019-03-14 20:38:15 PDT
<
rdar://problem/48806130
>
Yusuke Suzuki
Comment 2
2019-03-14 21:08:01 PDT
Created
attachment 364768
[details]
Patch
Yusuke Suzuki
Comment 3
2019-03-14 21:08:03 PDT
<
rdar://problem/48806130
>
Yusuke Suzuki
Comment 4
2019-03-14 22:06:43 PDT
Created
attachment 364770
[details]
Patch
Mark Lam
Comment 5
2019-03-14 22:36:12 PDT
Comment on
attachment 364770
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=364770&action=review
r=me with fixes.
> Source/JavaScriptCore/ChangeLog:19 > + PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName
/middle of putByVal/middle of the putByVal/
> Source/JavaScriptCore/ChangeLog:37 > + 3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks.
/necessary exception checks/for needed but missing exception checks/.
> Source/JavaScriptCore/runtime/JSONObject.cpp:250 > + auto propertyName = name.toString(exec)->toIdentifier(exec);
name.toString() can also throw an exception because it can allocate a string from a name that is a number. So, you'll need another exception check before the toIdentifier() conversion.
Yusuke Suzuki
Comment 6
2019-03-14 22:38:16 PDT
Comment on
attachment 364770
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=364770&action=review
>> Source/JavaScriptCore/ChangeLog:19 >> + PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName > > /middle of putByVal/middle of the putByVal/
Fixed.
>> Source/JavaScriptCore/ChangeLog:37 >> + 3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks. > > /necessary exception checks/for needed but missing exception checks/.
Fixed.
>> Source/JavaScriptCore/runtime/JSONObject.cpp:250 >> + auto propertyName = name.toString(exec)->toIdentifier(exec); > > name.toString() can also throw an exception because it can allocate a string from a name that is a number. So, you'll need another exception check before the toIdentifier() conversion.
Nice catch. Fixed.
Yusuke Suzuki
Comment 7
2019-03-14 22:56:32 PDT
Committed
r242991
: <
https://trac.webkit.org/changeset/242991
>
Robin Morisset
Comment 8
2019-03-15 08:16:01 PDT
Comment on
attachment 364770
[details]
Patch LGTM too. Thanks a lot for solving this bug.
Mark Lam
Comment 9
2019-03-15 10:14:56 PDT
Added a missing exception check in
r242999
: <
http://trac.webkit.org/r242999
>.
Yusuke Suzuki
Comment 10
2019-03-19 21:30:42 PDT
Committed
r243191
: <
https://trac.webkit.org/changeset/243191
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug