Google Git
Sign in
webkit / WebKit / af107121180e7ae7606d9b7b1021b27102f6b698^! / .
commitaf107121180e7ae7606d9b7b1021b27102f6b698[log] [tgz]
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Dec 05 03:20:16 2019 +0000
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Dec 05 03:20:16 2019 +0000
treea2a1bc707a8ee05db570af920cc9d1196330e585
parentec2fcee913234641ac2d8270fcdaef0f6d8a3da5 [diff]
Fix missing exception check in ArrayPrototype's fastJoin().
https://bugs.webkit.org/show_bug.cgi?id=204868
<rdar://problem/57516684>

Reviewed by Saam Barati.

JSTests:

* stress/missing-exception-check-in-array-prototype-fastJoin.js: Added.

Source/JavaScriptCore:

* runtime/ArrayPrototype.cpp:
(JSC::fastJoin):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253137 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index d577f76..7d9c572 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog

@@ -1,3 +1,13 @@
+2019-12-04  Mark Lam  <mark.lam@apple.com>
+
+        Fix missing exception check in ArrayPrototype's fastJoin().
+        https://bugs.webkit.org/show_bug.cgi?id=204868
+        <rdar://problem/57516684>
+
+        Reviewed by Saam Barati.
+
+        * stress/missing-exception-check-in-array-prototype-fastJoin.js: Added.
+
 2019-12-04  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Unreviewed, rolling out r252416, vimeo does not work

diff --git a/JSTests/stress/missing-exception-check-in-array-prototype-fastJoin.js b/JSTests/stress/missing-exception-check-in-array-prototype-fastJoin.js
new file mode 100644
index 0000000..aa35820
--- /dev/null
+++ b/JSTests/stress/missing-exception-check-in-array-prototype-fastJoin.js

@@ -0,0 +1,11 @@
+//@ runDefault
+
+try {
+    const s = (10).toLocaleString().padEnd(2**31-1, 'aa');
+    RegExp([s]);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "Error: Out of memory")
+    throw "FAILED";

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 50a3e97..2aa9f5a 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,5 +1,16 @@
 2019-12-04  Mark Lam  <mark.lam@apple.com>
 
+        Fix missing exception check in ArrayPrototype's fastJoin().
+        https://bugs.webkit.org/show_bug.cgi?id=204868
+        <rdar://problem/57516684>
+
+        Reviewed by Saam Barati.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::fastJoin):
+
+2019-12-04  Mark Lam  <mark.lam@apple.com>
+
         Fix a broken assertion in GetByStatus::computeForStubInfoWithoutExitSiteFeedback().
         https://bugs.webkit.org/show_bug.cgi?id=204866
 

diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
index cb773d4..0a7ae4e 100644
--- a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -490,6 +490,7 @@
             if (JSValue value = data[i].get()) {
                 if (!joiner.appendWithoutSideEffects(globalObject, value))
                     goto generalCase;
+                RETURN_IF_EXCEPTION(scope, { });
             } else {
                 if (sawHoles)
                     *sawHoles = true;