RESOLVED FIXED 195791
[JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
https://bugs.webkit.org/show_bug.cgi?id=195791
Summary [JSC] Retain PrivateName of Symbol before passing it to operations potentiall...
Yusuke Suzuki
Reported 2019-03-14 20:36:28 PDT
[JSC] Do not pass Symbol::privateName() directly to PropertyName without ref-ing it
Attachments
Patch (23.36 KB, patch)
2019-03-14 21:08 PDT, Yusuke Suzuki
no flags
Patch (23.55 KB, patch)
2019-03-14 22:06 PDT, Yusuke Suzuki
mark.lam: review+
Yusuke Suzuki
Comment 1 2019-03-14 20:38:15 PDT
Yusuke Suzuki
Comment 2 2019-03-14 21:08:01 PDT
Yusuke Suzuki
Comment 3 2019-03-14 21:08:03 PDT
Yusuke Suzuki
Comment 4 2019-03-14 22:06:43 PDT
Mark Lam
Comment 5 2019-03-14 22:36:12 PDT
Comment on attachment 364770 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364770&action=review r=me with fixes. > Source/JavaScriptCore/ChangeLog:19 > + PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName /middle of putByVal/middle of the putByVal/ > Source/JavaScriptCore/ChangeLog:37 > + 3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks. /necessary exception checks/for needed but missing exception checks/. > Source/JavaScriptCore/runtime/JSONObject.cpp:250 > + auto propertyName = name.toString(exec)->toIdentifier(exec); name.toString() can also throw an exception because it can allocate a string from a name that is a number. So, you'll need another exception check before the toIdentifier() conversion.
Yusuke Suzuki
Comment 6 2019-03-14 22:38:16 PDT
Comment on attachment 364770 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364770&action=review >> Source/JavaScriptCore/ChangeLog:19 >> + PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName > > /middle of putByVal/middle of the putByVal/ Fixed. >> Source/JavaScriptCore/ChangeLog:37 >> + 3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks. > > /necessary exception checks/for needed but missing exception checks/. Fixed. >> Source/JavaScriptCore/runtime/JSONObject.cpp:250 >> + auto propertyName = name.toString(exec)->toIdentifier(exec); > > name.toString() can also throw an exception because it can allocate a string from a name that is a number. So, you'll need another exception check before the toIdentifier() conversion. Nice catch. Fixed.
Yusuke Suzuki
Comment 7 2019-03-14 22:56:32 PDT
Robin Morisset
Comment 8 2019-03-15 08:16:01 PDT
Comment on attachment 364770 [details] Patch LGTM too. Thanks a lot for solving this bug.
Mark Lam
Comment 9 2019-03-15 10:14:56 PDT
Added a missing exception check in r242999: <http://trac.webkit.org/r242999>.
Yusuke Suzuki
Comment 10 2019-03-19 21:30:42 PDT
Note You need to log in before you can comment on or make changes to this bug.