Attachment 348075 Details for Bug 188874 – Patch

[patch] Patch

bug-188874-20180825153241.patch (text/plain), 3.46 KB, created by Yusuke Suzuki on 2018-08-24 23:32:42 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Yusuke Suzuki

Created: 2018-08-24 23:32:42 PDT

Size: 3.46 KB

patch

obsolete

>Subversion Revision: 235338
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 4dcf16a4470fb9a46f998e5a3d8cbceb3dd4171e..d6bf714494f626bd526662b0d734233d69f18b3a 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,16 @@
>+2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
>+
>+        Function object should convert params to string before throw a parsing error
>+        https://bugs.webkit.org/show_bug.cgi?id=188874
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        ToString operation onto the `body` of the Function constructor should be performed
>+        before checking syntax correctness of the parameters.
>+
>+        * runtime/FunctionConstructor.cpp:
>+        (JSC::constructFunctionSkippingEvalEnabledCheck):
>+
> 2018-08-24  Michael Saboff  <msaboff@apple.com>
> 
>         YARR: Update UCS canonicalization tables for Unicode 11
>diff --git a/Source/JavaScriptCore/runtime/FunctionConstructor.cpp b/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
>index 6035dca1a047eb08b37f703bc97ec64fa6ac12b0..fc30fcf310df80901cc06c9ab9324a85a2164d32 100644
>--- a/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
>+++ b/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
>@@ -139,6 +139,8 @@ JSObject* constructFunctionSkippingEvalEnabledCheck(
>             RETURN_IF_EXCEPTION(scope, nullptr);
>             parameterBuilder.append(viewWithString.view);
>         }
>+        auto body = args.at(args.size() - 1).toWTFString(exec);
>+        RETURN_IF_EXCEPTION(scope, nullptr);
> 
>         {
>             // The spec mandates that the parameters parse as a valid parameter list
>@@ -155,8 +157,6 @@ JSObject* constructFunctionSkippingEvalEnabledCheck(
> 
>         builder.append(parameterBuilder);
>         builder.appendLiteral(") {\n");
>-        auto body = args.at(args.size() - 1).toWTFString(exec);
>-        RETURN_IF_EXCEPTION(scope, nullptr);
>         checkBody(body);
>         RETURN_IF_EXCEPTION(scope, nullptr);
>         builder.append(body);
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index a19ab57c19fee5594555833960f6a260f8a31754..f5723681303348c1146858c901dcc89b6147a7e1 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,13 @@
>+2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
>+
>+        Function object should convert params to string before throw a parsing error
>+        https://bugs.webkit.org/show_bug.cgi?id=188874
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * stress/function-body-to-string-before-parameter-syntax-check.js: Added.
>+        (shouldThrow):
>+
> 2018-08-22  Saam barati  <sbarati@apple.com>
> 
>         Make data-view-access.js run less time to prevent timeouts on 32-bit
>diff --git a/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js b/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..096c4d4f20e13aae21e83baf8cc9be0807698636
>--- /dev/null
>+++ b/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js
>@@ -0,0 +1,18 @@
>+function shouldThrow(func, errorMessage) {
>+    var errorThrown = false;
>+    var error = null;
>+    try {
>+        func();
>+    } catch (e) {
>+        errorThrown = true;
>+        error = e;
>+    }
>+    if (!errorThrown)
>+        throw new Error('not thrown');
>+    if (String(error) !== errorMessage)
>+        throw new Error(`bad error: ${String(error)}`);
>+}
>+
>+shouldThrow(() => {
>+    Function("@", { toString() { throw 42; } })
>+}, `42`);

Flags:

darin: review+

Actions: View | Formatted Diff | Diff

Attachments on bug 188874: 348075