[webkit-reviews] review granted: [Bug 195791] [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC : [Attachment 364770] Patch
bugzilla-daemon at webkit.org
Thu Mar 14 22:36:12 PDT 2019
Mark Lam <mark.lam at apple.com> has granted Yusuke Suzuki <ysuzuki at apple.com>'s
request for review:
Bug 195791: [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
https://bugs.webkit.org/show_bug.cgi?id=195791
Attachment 364770: Patch
https://bugs.webkit.org/attachment.cgi?id=364770&action=review
--- Comment #5 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 364770
--> https://bugs.webkit.org/attachment.cgi?id=364770
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=364770&action=review
r=me with fixes.
> Source/JavaScriptCore/ChangeLog:19
> + PropertyName can be accidentally destroyed in the middle of putByVal operation. We should retain PrivateName
/middle of putByVal/middle of the putByVal/
> Source/JavaScriptCore/ChangeLog:37
> + 3. We audit similar functions `toPropertyKey(exec)` and `toIdentifier(exec)` necessary exception checks.
/necessary exception checks/for needed but missing exception checks/.
> Source/JavaScriptCore/runtime/JSONObject.cpp:250
> + auto propertyName = name.toString(exec)->toIdentifier(exec);
name.toString() can also throw an exception because it can allocate a string
from a name that is a number. So, you'll need another exception check before
the toIdentifier() conversion.
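The exception-check discipline the reviewer is asking for, shown as an added, self-contained C++ model that is not WebKit code: `ExecState`, `toString`, `toIdentifier`, `propertyKeyUnchecked` and `propertyKeyChecked` are simplified stand-ins for the JSC API, and the `allocationFails` flag is a constructed way to trigger the allocation failure a number-to-string conversion can hit. The unchecked form chains the two calls exactly as the quoted line does, so an exception raised by `toString` is silently carried into `toIdentifier`; the checked form tests for a pending exception after each call that can throw and returns early.

```cpp
#include <cstdio>
#include <optional>
#include <string>
#include <variant>

// Model of the execution state: one "pending exception" slot plus a counter
// used only by this example to show whether work continued after a throw.
struct ExecState {
    bool hasException = false;
    std::string exceptionMessage;
    int toIdentifierCalls = 0;
    void throwError(const std::string& message) {
        hasException = true;
        exceptionMessage = message;
    }
};

// A JS value that is either a number or a string (constructed, minimal model).
using JSValue = std::variant<double, std::string>;

// Model of JSValue::toString. A string value needs no allocation; a number must
// be converted into a freshly allocated string, which can fail. On failure the
// exception is recorded and an empty sentinel is returned (not a valid result).
std::string toString(ExecState* exec, const JSValue& value, bool allocationFails) {
    if (const auto* s = std::get_if<std::string>(&value))
        return *s;
    if (allocationFails) {
        exec->throwError("out of memory converting number to string");
        return "";
    }
    char buffer[32];
    std::snprintf(buffer, sizeof buffer, "%g", std::get<double>(value));
    return buffer;
}

// Model of toIdentifier: interning is reduced to a copy, but the call is
// counted so the tests can tell whether it ran after an exception.
std::string toIdentifier(ExecState* exec, const std::string& s) {
    ++exec->toIdentifierCalls;
    return s;
}

// Unchecked form, the shape flagged in review: toString's result is fed
// straight into toIdentifier, so a throw from toString goes unnoticed and the
// caller keeps working on the sentinel value.
std::string propertyKeyUnchecked(ExecState* exec, const JSValue& name, bool allocationFails) {
    return toIdentifier(exec, toString(exec, name, allocationFails));
}

// Checked form: look for a pending exception after every call that can throw
// and bail out immediately, the discipline JSC's RETURN_IF_EXCEPTION enforces.
std::optional<std::string> propertyKeyChecked(ExecState* exec, const JSValue& name, bool allocationFails) {
    std::string str = toString(exec, name, allocationFails);
    if (exec->hasException)
        return std::nullopt;
    std::string id = toIdentifier(exec, str);
    if (exec->hasException)
        return std::nullopt;
    return id;
}
```

With a numeric property name and the constructed allocation failure, the unchecked path still calls `toIdentifier` and hands back an empty key while an exception is pending; the checked path stops before `toIdentifier` runs. A string-valued name never allocates, so it succeeds on both paths regardless of the flag.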