[webkit-reviews] review granted: [Bug 214680] Add exception check for WebCore createRejectedPromiseWithTypeError : [Attachment 405030] Patch
bugzilla-daemon at webkit.org
Thu Jul 23 10:58:11 PDT 2020
Mark Lam <mark.lam at apple.com> has granted Yusuke Suzuki <ysuzuki at apple.com>'s
request for review:
Bug 214680: Add exception check for WebCore createRejectedPromiseWithTypeError
https://bugs.webkit.org/show_bug.cgi?id=214680
Attachment 405030: Patch
https://bugs.webkit.org/attachment.cgi?id=405030&action=review
--- Comment #3 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 405030
--> https://bugs.webkit.org/attachment.cgi?id=405030
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=405030&action=review
r=me with fix.
> Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp:228
> + auto rejectFunction = promiseConstructor->get(&lexicalGlobalObject,
vm.propertyNames->builtinNames().rejectPrivateName());
> + EXCEPTION_ASSERT(!scope.exception() ||
isTerminatedExecutionException(vm, scope.exception()));
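Review bot: The EXCEPTION_ASSERT after the get() of rejectPrivateName() is not followed by any early return in the quoted lines, yet its second condition explicitly allows a termination exception to be pending on scope. Nothing shown here stops execution from going on with rejectFunction in that state. Add a RETURN_IF_EXCEPTION on scope directly after the assert, with whatever return value the enclosing function uses for failure, and consider a one-line comment saying why only a termination exception is expected from this get().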
Are you sure that getting the property with rejectPrivateName() will never
throw? I see that it can be lazily generated using
promiseConstructorRejectCodeGenerator(). Can this trigger an OOME /
StackOverflow? Regardless, I think you need a RETURN_IF_EXCEPTION() after
this. Even if we're seeing a termination exception, we still need to bail.