REGRESSION(273782@main): Missing exception check in commonCallDirectEval()

https://bugs.webkit.org/show_bug.cgi?id=268942
<rdar://problem/122493988>

Reviewed by Yusuke Suzuki.

Since eval() may throw an exception, 273782@main moving throwScope.release() to come after it broke
exception scope validation. Also, we would like to avoid calling setUpCall() in case of exception,
reserving it only for indirect eval().

This change adds LLINT_CALL_CHECK_EXCEPTION() to fix both issues, and also makes eval() consistently
return empty JSValue() in case of exception, which is a non-observable code tweak.

* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::commonCallDirectEval):

Canonical link: https://commits.webkit.org/274264@main
Alexey Shvayka committed Feb 8, 2024
1 parent 142d2a8 commit 0bf3769
Showing 2 changed files with 3 additions and 2 deletions.
4 changes: 2 additions & 2 deletions Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -130,7 +130,7 @@ JSValue eval(CallFrame* callFrame, JSValue thisValue, JSScope* callerScopeChain,
if (!globalObject->evalEnabled()) {
globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject, programString);
throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
return jsUndefined();
return { };
}
String programSource = programString->value(globalObject);
RETURN_IF_EXCEPTION(scope, JSValue());
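Review bot: Switching the evalDisabled branch from `return jsUndefined();` to `return { };` after `throwException(...)` makes this error path match the `RETURN_IF_EXCEPTION(scope, JSValue())` two lines below, so eval() now yields an empty JSValue on every exception path instead of a real `undefined` that a caller could mistake for a legitimate result. Worth confirming that every caller of eval() pairs the `!result` test with an exception-scope check rather than relying on the empty value alone, since the LLInt caller uses `if (!result)` to decide whether to fall back to setUpCall().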
@@ -179,7 +179,7 @@ JSValue eval(CallFrame* callFrame, JSValue thisValue, JSScope* callerScopeChain,
eval = DirectEvalExecutable::create(globalObject, makeSource(programSource, callerBaselineCodeBlock->source().provider()->sourceOrigin(), sourceTaintedOrigin), derivedContextType, callerUnlinkedCodeBlock->needsClassFieldInitializer(), callerUnlinkedCodeBlock->privateBrandRequirement(), isArrowFunctionContext, callerBaselineCodeBlock->ownerExecutable()->isInsideOrdinaryFunction(), evalContextType, &variablesUnderTDZ, &privateNameEnvironment, ecmaMode);
EXCEPTION_ASSERT(!!scope.exception() == !eval);
if (!eval)
return jsUndefined();
return { };

// Skip the eval cache if tainted since another eval call could have a different taintedness.
if (sourceTaintedOrigin == SourceTaintedOrigin::Untainted)
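Review bot: The `EXCEPTION_ASSERT(!!scope.exception() == !eval);` directly above guarantees this `return { };` only executes with an exception already pending, so the empty JSValue cannot be confused with a successful result; consider adding the same invariant at the other `return { };` site in this function (the evalDisabled branch right after `throwException(...)`), e.g. `EXCEPTION_ASSERT(scope.exception());`, so both empty-return paths document the same contract.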
1 change: 1 addition & 0 deletions Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -2144,6 +2144,7 @@ static inline UGPRPair commonCallDirectEval(CallFrame* callFrame, const JSInstru
JSScope* callerScopeChain = jsCast<JSScope*>(getOperand(callFrame, bytecode.m_scope));
JSValue thisValue = getOperand(callFrame, bytecode.m_thisValue);
JSValue result = eval(calleeFrame, thisValue, callerScopeChain, bytecode.m_ecmaMode);
LLINT_CALL_CHECK_EXCEPTION(globalObject);
if (!result)
RELEASE_AND_RETURN(throwScope, setUpCall(calleeFrame, CodeForCall, calleeAsValue));

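Review bot: Placing `LLINT_CALL_CHECK_EXCEPTION(globalObject);` between the `eval(...)` call and `if (!result)` is the right order: an empty `result` now reaches `setUpCall(calleeFrame, CodeForCall, calleeAsValue)` only when no exception is pending, so a throw inside eval() unwinds to the exception handler instead of being treated as the indirect-eval fallback, and `RELEASE_AND_RETURN(throwScope, ...)` is no longer reached with an exception outstanding. The hunk does not show where `globalObject` is declared; worth confirming it is already in scope in commonCallDirectEval() and belongs to the same VM whose exception scope this check inspects.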
