<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[208699] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/208699">208699</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2016-11-14 11:42:41 -0800 (Mon, 14 Nov 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
https://bugs.webkit.org/show_bug.cgi?id=164701
&lt;rdar://problem/27462104&gt;

Reviewed by Darin Adler.

JSTests:

* stress/string-prototype-charCodeAt-on-too-long-rope.js: Added.

Source/JavaScriptCore:

The characters8(), characters16(), and operator[] in JSString::SafeView convert
the underlying JSString to a StringView via get(), and then use the StringView
without first checking if an exception was thrown during the conversion.  This is
unsafe because the conversion may have failed.
        
Instead, we should remove these 3 convenience methods, and make the caller
explicitly call get() and do the appropriate exception checks before using the
StringView.

* runtime/JSGlobalObjectFunctions.cpp:
(JSC::toStringView):
(JSC::encode):
(JSC::decode):
(JSC::globalFuncParseInt):
(JSC::globalFuncEscape):
(JSC::globalFuncUnescape):
(JSC::toSafeView): Deleted.
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse):
* runtime/JSString.h:
(JSC::JSString::SafeView::length):
(JSC::JSString::SafeView::characters8): Deleted.
(JSC::JSString::SafeView::characters16): Deleted.
(JSC::JSString::SafeView::operator[]): Deleted.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncRepeatCharacter):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncNormalize):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSONObjectcpp">trunk/Source/JavaScriptCore/runtime/JSONObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringh">trunk/Source/JavaScriptCore/runtime/JSString.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStringPrototypecpp">trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsstressstringprototypecharCodeAtontoolongropejs">trunk/JSTests/stress/string-prototype-charCodeAt-on-too-long-rope.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (208698 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog        2016-11-14 19:26:20 UTC (rev 208698)
+++ trunk/JSTests/ChangeLog        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -1,5 +1,15 @@
</span><span class="cx"> 2016-11-14  Mark Lam  &lt;mark.lam@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
+        https://bugs.webkit.org/show_bug.cgi?id=164701
+        &lt;rdar://problem/27462104&gt;
+
+        Reviewed by Darin Adler.
+
+        * stress/string-prototype-charCodeAt-on-too-long-rope.js: Added.
+
+2016-11-14  Mark Lam  &lt;mark.lam@apple.com&gt;
+
</ins><span class="cx">         RegExpObject::exec/match should handle errors gracefully.
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=155145
</span><span class="cx">         &lt;rdar://problem/27435934&gt;
</span></span></pre></div>
<a id="trunkJSTestsstressstringprototypecharCodeAtontoolongropejs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/string-prototype-charCodeAt-on-too-long-rope.js (0 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/string-prototype-charCodeAt-on-too-long-rope.js                                (rev 0)
+++ trunk/JSTests/stress/string-prototype-charCodeAt-on-too-long-rope.js        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+//@ if $buildType == &quot;debug&quot; then runFTLNoCJIT(&quot;--maxSingleAllocationSize=20000000&quot;) else skip end
+
+function shouldEqual(actual, expected) {
+    if (actual != expected) {
+        throw &quot;ERROR: expect &quot; + expected + &quot;, actual &quot; + actual;
+    }
+}
+
+s0 = &quot;&quot;;
+s1 = &quot;NaNxxxxx&quot;;
+
+try {
+    for (var count = 0; count &lt; 27; count++) {
+        var oldS1 = s1;
+        s1 += s1;
+        s0 = oldS1;
+    }
+} catch (e) { }
+
+try {
+    s1 += s0;
+} catch (e) { }
+
+var exception;
+try {
+    for (var v of s1) { }
+} catch (e) {
+    exception = e;
+}
+
+shouldEqual(exception, &quot;Error: Out of memory&quot;);
+
</ins></span></pre></div>
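Review bot: the file is named for charCodeAt, but the body never calls charCodeAt; the only access to the oversized rope is the for...of loop over s1. Add a comment explaining why that loop exercises charCodeAt, or call s1.charCodeAt(0) directly, and consider matching cases for charAt, normalize and JSON.parse, which this revision also changes. The first line also skips the test unless $buildType is debug, so release builds never run it.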
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (208698 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-11-14 19:26:20 UTC (rev 208698)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -1,5 +1,43 @@
</span><span class="cx"> 2016-11-14  Mark Lam  &lt;mark.lam@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions.
+        https://bugs.webkit.org/show_bug.cgi?id=164701
+        &lt;rdar://problem/27462104&gt;
+
+        Reviewed by Darin Adler.
+
+        The characters8(), characters16(), and operator[] in JSString::SafeView converts
+        the underlying JSString to a StringView via get(), and then uses the StringView
+        without first checking if an exception was thrown during the conversion.  This is
+        unsafe because the conversion may have failed.
+        
+        Instead, we should remove these 3 convenience methods, and make the caller
+        explicitly call get() and do the appropriate exception checks before using the
+        StringView.
+
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::toStringView):
+        (JSC::encode):
+        (JSC::decode):
+        (JSC::globalFuncParseInt):
+        (JSC::globalFuncEscape):
+        (JSC::globalFuncUnescape):
+        (JSC::toSafeView): Deleted.
+        * runtime/JSONObject.cpp:
+        (JSC::JSONProtoFuncParse):
+        * runtime/JSString.h:
+        (JSC::JSString::SafeView::length):
+        (JSC::JSString::SafeView::characters8): Deleted.
+        (JSC::JSString::SafeView::characters16): Deleted.
+        (JSC::JSString::SafeView::operator[]): Deleted.
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncRepeatCharacter):
+        (JSC::stringProtoFuncCharAt):
+        (JSC::stringProtoFuncCharCodeAt):
+        (JSC::stringProtoFuncNormalize):
+
+2016-11-14  Mark Lam  &lt;mark.lam@apple.com&gt;
+
</ins><span class="cx">         RegExpObject::exec/match should handle errors gracefully.
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=155145
</span><span class="cx">         &lt;rdar://problem/27435934&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (208698 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp        2016-11-14 19:26:20 UTC (rev 208698)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -57,13 +57,17 @@
</span><span class="cx"> static const char* const ObjectProtoCalledOnNullOrUndefinedError = &quot;Object.prototype.__proto__ called on null or undefined&quot;;
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename CallbackWhenNoException&gt;
</span><del>-static ALWAYS_INLINE typename std::result_of&lt;CallbackWhenNoException(JSString::SafeView&amp;)&gt;::type toSafeView(ExecState* exec, JSValue value, CallbackWhenNoException callback)
</del><ins>+static ALWAYS_INLINE typename std::result_of&lt;CallbackWhenNoException(StringView)&gt;::type toStringView(ExecState* exec, JSValue value, CallbackWhenNoException callback)
</ins><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
</ins><span class="cx">     JSString* string = value.toStringOrNull(exec);
</span><span class="cx">     if (UNLIKELY(!string))
</span><span class="cx">         return { };
</span><span class="cx">     JSString::SafeView view = string-&gt;view(exec);
</span><del>-    return callback(view);
</del><ins>+    StringView stringView = view.get();
+    RETURN_IF_EXCEPTION(scope, { });
+    return callback(stringView);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;unsigned charactersCount&gt;
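Review bot: in toStringView, the StringView passed to callback comes from the SafeView local named view, which exists only for the duration of this call, and nothing here tells callers that. Add a short comment stating that the callback must not keep the StringView after it returns. Renaming the SafeView local (for example safeView, as stringProtoFuncRepeatCharacter does in this revision) would also avoid confusing it with the callbacks' own view parameter.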
</span><span class="lines">@@ -158,7 +162,7 @@
</span><span class="cx"> 
</span><span class="cx"> static JSValue encode(ExecState* exec, const Bitmap&lt;256&gt;&amp; doNotEscape)
</span><span class="cx"> {
</span><del>-    return toSafeView(exec, exec-&gt;argument(0), [&amp;] (JSString::SafeView&amp; view) {
</del><ins>+    return toStringView(exec, exec-&gt;argument(0), [&amp;] (StringView view) {
</ins><span class="cx">         if (view.is8Bit())
</span><span class="cx">             return encode(exec, doNotEscape, view.characters8(), view.length());
</span><span class="cx">         return encode(exec, doNotEscape, view.characters16(), view.length());
</span><span class="lines">@@ -236,7 +240,7 @@
</span><span class="cx"> 
</span><span class="cx"> static JSValue decode(ExecState* exec, const Bitmap&lt;256&gt;&amp; doNotUnescape, bool strict)
</span><span class="cx"> {
</span><del>-    return toSafeView(exec, exec-&gt;argument(0), [&amp;] (JSString::SafeView&amp; view) {
</del><ins>+    return toStringView(exec, exec-&gt;argument(0), [&amp;] (StringView view) {
</ins><span class="cx">         if (view.is8Bit())
</span><span class="cx">             return decode(exec, view.characters8(), view.length(), doNotUnescape, strict);
</span><span class="cx">         return decode(exec, view.characters16(), view.length(), doNotUnescape, strict);
</span><span class="lines">@@ -707,8 +711,8 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // If ToString throws, we shouldn't call ToInt32.
</span><del>-    return toSafeView(exec, value, [&amp;] (JSString::SafeView&amp; view) {
-        return JSValue::encode(jsNumber(parseInt(view.get(), radixValue.toInt32(exec))));
</del><ins>+    return toStringView(exec, value, [&amp;] (StringView view) {
+        return JSValue::encode(jsNumber(parseInt(view, radixValue.toInt32(exec))));
</ins><span class="cx">     });
</span><span class="cx"> }
</span><span class="cx"> 
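Review bot: the comment above this call, "If ToString throws, we shouldn't call ToInt32.", is now incomplete: with toStringView the callback is also skipped when view.get() throws while producing the StringView. Update the comment to cover both cases. radixValue.toInt32(exec) inside the lambda also has no exception check after it; worth confirming that is intended.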
</span><span class="lines">@@ -765,7 +769,7 @@
</span><span class="cx">         &quot;*+-./@_&quot;
</span><span class="cx">     );
</span><span class="cx"> 
</span><del>-    return JSValue::encode(toSafeView(exec, exec-&gt;argument(0), [&amp;] (JSString::SafeView&amp; view) {
</del><ins>+    return JSValue::encode(toStringView(exec, exec-&gt;argument(0), [&amp;] (StringView view) {
</ins><span class="cx">         JSStringBuilder builder;
</span><span class="cx">         if (view.is8Bit()) {
</span><span class="cx">             const LChar* c = view.characters8();
</span><span class="lines">@@ -804,7 +808,7 @@
</span><span class="cx"> 
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL globalFuncUnescape(ExecState* exec)
</span><span class="cx"> {
</span><del>-    return JSValue::encode(toSafeView(exec, exec-&gt;argument(0), [&amp;] (JSString::SafeView&amp; view) {
</del><ins>+    return JSValue::encode(toStringView(exec, exec-&gt;argument(0), [&amp;] (StringView view) {
</ins><span class="cx">         StringBuilder builder;
</span><span class="cx">         int k = 0;
</span><span class="cx">         int len = view.length();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSONObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSONObject.cpp (208698 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSONObject.cpp        2016-11-14 19:26:20 UTC (rev 208698)
+++ trunk/Source/JavaScriptCore/runtime/JSONObject.cpp        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -763,16 +763,18 @@
</span><span class="cx">         return throwVMError(exec, scope, createError(exec, ASCIILiteral(&quot;JSON.parse requires at least one parameter&quot;)));
</span><span class="cx">     JSString::SafeView source = exec-&gt;uncheckedArgument(0).toString(exec)-&gt;view(exec);
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, encodedJSValue());
</span><ins>+    StringView view = source.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
</ins><span class="cx"> 
</span><span class="cx">     JSValue unfiltered;
</span><span class="cx">     LocalScope localScope(vm);
</span><del>-    if (source.is8Bit()) {
-        LiteralParser&lt;LChar&gt; jsonParser(exec, source.characters8(), source.length(), StrictJSON);
</del><ins>+    if (view.is8Bit()) {
+        LiteralParser&lt;LChar&gt; jsonParser(exec, view.characters8(), view.length(), StrictJSON);
</ins><span class="cx">         unfiltered = jsonParser.tryLiteralParse();
</span><span class="cx">         if (!unfiltered)
</span><span class="cx">             return throwVMError(exec, scope, createSyntaxError(exec, jsonParser.getErrorMessage()));
</span><span class="cx">     } else {
</span><del>-        LiteralParser&lt;UChar&gt; jsonParser(exec, source.characters16(), source.length(), StrictJSON);
</del><ins>+        LiteralParser&lt;UChar&gt; jsonParser(exec, view.characters16(), view.length(), StrictJSON);
</ins><span class="cx">         unfiltered = jsonParser.tryLiteralParse();
</span><span class="cx">         if (!unfiltered)
</span><span class="cx">             return throwVMError(exec, scope, createSyntaxError(exec, jsonParser.getErrorMessage()));
</span></span></pre></div>
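Review bot: no regression test accompanies the new source.get() check in JSONProtoFuncParse; the only test added in this revision is string-prototype-charCodeAt-on-too-long-rope.js. Add a JSON.parse case on a rope that fails to resolve. Also, source is now used only to call get(), so a name such as safeView would read better next to view.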
<a id="trunkSourceJavaScriptCoreruntimeJSStringh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSString.h (208698 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSString.h        2016-11-14 19:26:20 UTC (rev 208698)
+++ trunk/Source/JavaScriptCore/runtime/JSString.h        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -482,9 +482,6 @@
</span><span class="cx"> 
</span><span class="cx">     bool is8Bit() const { return m_string-&gt;is8Bit(); }
</span><span class="cx">     unsigned length() const { return m_string-&gt;length(); }
</span><del>-    const LChar* characters8() const { return get().characters8(); }
-    const UChar* characters16() const { return get().characters16(); }
-    UChar operator[](unsigned index) const { return get()[index]; }
</del><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     ExecState&amp; m_state;
</span></span></pre></div>
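Review bot: this hunk removes characters8(), characters16() and operator[] but adds no comment telling callers that get() can throw and must be followed by an exception check, which is the contract the rest of the change relies on. Add a comment on SafeView saying so. The ChangeLog also lists JSC::JSString::SafeView::length as touched, but length() appears here only as unchanged context.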
<a id="trunkSourceJavaScriptCoreruntimeStringPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp (208698 => 208699)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp        2016-11-14 19:26:20 UTC (rev 208698)
+++ trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp        2016-11-14 19:42:41 UTC (rev 208699)
</span><span class="lines">@@ -791,6 +791,9 @@
</span><span class="cx"> 
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL stringProtoFuncRepeatCharacter(ExecState* exec)
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
</ins><span class="cx">     // For a string which length is single, instead of creating ropes,
</span><span class="cx">     // allocating a sequential buffer and fill with the repeated string for efficiency.
</span><span class="cx">     ASSERT(exec-&gt;argumentCount() == 2);
</span><span class="lines">@@ -802,18 +805,18 @@
</span><span class="cx">     JSValue repeatCountValue = exec-&gt;uncheckedArgument(1);
</span><span class="cx">     RELEASE_ASSERT(repeatCountValue.isNumber());
</span><span class="cx">     int32_t repeatCount;
</span><del>-    {
-        VM&amp; vm = exec-&gt;vm();
-        auto scope = DECLARE_THROW_SCOPE(vm);
-        double value = repeatCountValue.asNumber();
-        if (value &gt; JSString::MaxLength)
-            return JSValue::encode(throwOutOfMemoryError(exec, scope));
-        repeatCount = static_cast&lt;int32_t&gt;(value);
-    }
</del><ins>+    double value = repeatCountValue.asNumber();
+    if (value &gt; JSString::MaxLength)
+        return JSValue::encode(throwOutOfMemoryError(exec, scope));
+    repeatCount = static_cast&lt;int32_t&gt;(value);
</ins><span class="cx">     ASSERT(repeatCount &gt;= 0);
</span><span class="cx">     ASSERT(!repeatCountValue.isDouble() || repeatCountValue.asDouble() == repeatCount);
</span><span class="cx"> 
</span><del>-    UChar character = string-&gt;view(exec)[0];
</del><ins>+    JSString::SafeView safeView = string-&gt;view(exec);
+    StringView view = safeView.get();
+    ASSERT(view.length() == 1 &amp;&amp; !scope.exception());
+    UChar character = view[0];
+    scope.release();
</ins><span class="cx">     if (!(character &amp; ~0xff))
</span><span class="cx">         return JSValue::encode(repeatCharacter(*exec, static_cast&lt;LChar&gt;(character), repeatCount));
</span><span class="cx">     return JSValue::encode(repeatCharacter(*exec, character, repeatCount));
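Review bot: the only check after safeView.get() is ASSERT(view.length() == 1 &amp;&amp; !scope.exception()), which is compiled out of release builds, so view[0] is read there with nothing verifying that the conversion succeeded. Every other call site in this revision uses RETURN_IF_EXCEPTION after get(); do the same here, or use RELEASE_ASSERT as the function already does for repeatCountValue.isNumber().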
</span><span class="lines">@@ -904,16 +907,19 @@
</span><span class="cx">     if (!checkObjectCoercible(thisValue))
</span><span class="cx">         return throwVMTypeError(exec, scope);
</span><span class="cx">     JSString::SafeView string = thisValue.toString(exec)-&gt;view(exec);
</span><ins>+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    StringView view = string.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
</ins><span class="cx">     JSValue a0 = exec-&gt;argument(0);
</span><span class="cx">     if (a0.isUInt32()) {
</span><span class="cx">         uint32_t i = a0.asUInt32();
</span><del>-        if (i &lt; string.length())
-            return JSValue::encode(jsSingleCharacterString(exec, string[i]));
</del><ins>+        if (i &lt; view.length())
+            return JSValue::encode(jsSingleCharacterString(exec, view[i]));
</ins><span class="cx">         return JSValue::encode(jsEmptyString(exec));
</span><span class="cx">     }
</span><span class="cx">     double dpos = a0.toInteger(exec);
</span><del>-    if (dpos &gt;= 0 &amp;&amp; dpos &lt; string.length())
-        return JSValue::encode(jsSingleCharacterString(exec, string[static_cast&lt;unsigned&gt;(dpos)]));
</del><ins>+    if (dpos &gt;= 0 &amp;&amp; dpos &lt; view.length())
+        return JSValue::encode(jsSingleCharacterString(exec, view[static_cast&lt;unsigned&gt;(dpos)]));
</ins><span class="cx">     return JSValue::encode(jsEmptyString(exec));
</span><span class="cx"> }
</span><span class="cx"> 
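Review bot: the new RETURN_IF_EXCEPTION sits after thisValue.toString(exec)-&gt;view(exec), so view(exec) is still called on the result of toString before anything checks whether toString threw. stringProtoFuncCharCodeAt in the next hunk assigns thisValue.toString(exec) to jsString, checks with RETURN_IF_EXCEPTION, and only then calls jsString-&gt;view(exec); use the same sequence here so the two functions match.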
</span><span class="lines">@@ -925,17 +931,21 @@
</span><span class="cx">     JSValue thisValue = exec-&gt;thisValue();
</span><span class="cx">     if (!checkObjectCoercible(thisValue))
</span><span class="cx">         return throwVMTypeError(exec, scope);
</span><del>-    JSString::SafeView string = thisValue.toString(exec)-&gt;view(exec);
</del><ins>+    JSString* jsString = thisValue.toString(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    JSString::SafeView string = jsString-&gt;view(exec);
+    StringView view = string.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
</ins><span class="cx">     JSValue a0 = exec-&gt;argument(0);
</span><span class="cx">     if (a0.isUInt32()) {
</span><span class="cx">         uint32_t i = a0.asUInt32();
</span><del>-        if (i &lt; string.length())
-            return JSValue::encode(jsNumber(string[i]));
</del><ins>+        if (i &lt; view.length())
+            return JSValue::encode(jsNumber(view[i]));
</ins><span class="cx">         return JSValue::encode(jsNaN());
</span><span class="cx">     }
</span><span class="cx">     double dpos = a0.toInteger(exec);
</span><del>-    if (dpos &gt;= 0 &amp;&amp; dpos &lt; string.length())
-        return JSValue::encode(jsNumber(string[static_cast&lt;int&gt;(dpos)]));
</del><ins>+    if (dpos &gt;= 0 &amp;&amp; dpos &lt; view.length())
+        return JSValue::encode(jsNumber(view[static_cast&lt;int&gt;(dpos)]));
</ins><span class="cx">     return JSValue::encode(jsNaN());
</span><span class="cx"> }
</span><span class="cx"> 
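Review bot: the last index expression is view[static_cast&lt;int&gt;(dpos)], while the same line in stringProtoFuncCharAt uses static_cast&lt;unsigned&gt;(dpos), and the operator[] removed from SafeView in this revision took an unsigned index. Since the line is being rewritten anyway, cast to unsigned here as well.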
</span><span class="lines">@@ -2008,6 +2018,8 @@
</span><span class="cx">         return throwVMTypeError(exec, scope);
</span><span class="cx">     JSString::SafeView source = thisValue.toString(exec)-&gt;view(exec);
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, encodedJSValue());
</span><ins>+    StringView view = source.get();
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
</ins><span class="cx"> 
</span><span class="cx">     UNormalizationMode form = UNORM_NFC;
</span><span class="cx">     // Verify that the argument is provided and is not undefined.
</span><span class="lines">@@ -2027,7 +2039,7 @@
</span><span class="cx">             return throwVMError(exec, scope, createRangeError(exec, ASCIILiteral(&quot;argument does not match any normalization form&quot;)));
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    return JSValue::encode(normalize(exec, source.get().upconvertedCharacters(), source.length(), form));
</del><ins>+    return JSValue::encode(normalize(exec, view.upconvertedCharacters(), view.length(), form));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre>
</div>
</div>

</body>
</html>