Title: [257314] releases/WebKitGTK/webkit-2.28
- Revision: 257314
- Author: carlo...@webkit.org
- Date: 2020-02-25 08:00:03 -0800 (Tue, 25 Feb 2020)
Log Message
Merge r256198 - Missing exception check in GenericArguments<Type>::deletePropertyByIndex().
https://bugs.webkit.org/show_bug.cgi?id=207483
<rdar://problem/59302616>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/missing-exception-check-in-GenericArguments-deletePropertyByIndex.js: Added.
Source/JavaScriptCore:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::deletePropertyByIndex):
Diff
Modified: releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog (257313 => 257314)
--- releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog 2020-02-25 15:59:59 UTC (rev 257313)
+++ releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog 2020-02-25 16:00:03 UTC (rev 257314)
@@ -1,3 +1,13 @@
+2020-02-10 Mark Lam <mark....@apple.com>
+
+ Missing exception check in GenericArguments<Type>::deletePropertyByIndex().
+ https://bugs.webkit.org/show_bug.cgi?id=207483
+ <rdar://problem/59302616>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/missing-exception-check-in-GenericArguments-deletePropertyByIndex.js: Added.
+
2020-02-06 Sukolsak Sakshuwong <sukol...@gmail.com> and Alexey Shvayka <shvaikal...@gmail.com>
_javascript_ string corruption using RegExp with unicode character
Added: releases/WebKitGTK/webkit-2.28/JSTests/stress/missing-exception-check-in-GenericArguments-deletePropertyByIndex.js (0 => 257314)
--- releases/WebKitGTK/webkit-2.28/JSTests/stress/missing-exception-check-in-GenericArguments-deletePropertyByIndex.js (rev 0)
+++ releases/WebKitGTK/webkit-2.28/JSTests/stress/missing-exception-check-in-GenericArguments-deletePropertyByIndex.js 2020-02-25 16:00:03 UTC (rev 257314)
@@ -0,0 +1,4 @@
+function foo() {
+ delete arguments[2**32-1];
+}
+foo();
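Review bot: The test at `delete arguments[2**32-1];` asserts nothing and carries no comment, so the file does not say what failure it guards against. Add a one-line comment stating that it exercises the exception check in GenericArguments<Type>::deletePropertyByIndex() and why 2**32-1 (one past the largest valid array index) was chosen, and consider checking the value the delete expression produces so that a change in behaviour is caught as well as a crash or assertion.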
Modified: releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/ChangeLog (257313 => 257314)
--- releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/ChangeLog 2020-02-25 15:59:59 UTC (rev 257313)
+++ releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/ChangeLog 2020-02-25 16:00:03 UTC (rev 257314)
@@ -1,3 +1,14 @@
+2020-02-10 Mark Lam <mark....@apple.com>
+
+ Missing exception check in GenericArguments<Type>::deletePropertyByIndex().
+ https://bugs.webkit.org/show_bug.cgi?id=207483
+ <rdar://problem/59302616>
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments<Type>::deletePropertyByIndex):
+
2020-02-07 Robin Morisset <rmoris...@apple.com>
Throw OutOfMemory exception instead of crashing if DirectArguments/ScopedArguments can't be created
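Review bot: The entry lists `(JSC::GenericArguments<Type>::deletePropertyByIndex):` with no description after it, so the ChangeLog does not record what was wrong or what changed. Add a sentence under the function name stating that the call to Base::deletePropertyByIndex() can throw and that an exception check now follows it.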
Modified: releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/runtime/GenericArgumentsInlines.h (257313 => 257314)
--- releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/runtime/GenericArgumentsInlines.h 2020-02-25 15:59:59 UTC (rev 257313)
+++ releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/runtime/GenericArgumentsInlines.h 2020-02-25 16:00:03 UTC (rev 257314)
@@ -188,8 +188,10 @@
bool propertyMightBeInJSObjectStorage = thisObject->isModifiedArgumentDescriptor(index) || !thisObject->isMappedArgument(index);
bool deletedProperty = true;
- if (propertyMightBeInJSObjectStorage)
+ if (propertyMightBeInJSObjectStorage) {
deletedProperty = Base::deletePropertyByIndex(cell, globalObject, index);
+ RETURN_IF_EXCEPTION(scope, true);
+ }
if (deletedProperty) {
// Deleting an indexed property unconditionally unmaps it.
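Review bot: On the added `RETURN_IF_EXCEPTION(scope, true);`, the early return hands `true` back to the caller while an exception is pending, which reads as a successful delete. If callers are expected to check for the exception before using the result, say so in a comment next to the macro; otherwise `false` would be the safer value to return here. The declaration of `scope` is not in the visible context, so also confirm it is declared earlier in this function, above this hunk.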