Title: [202714] trunk/Source/JavaScriptCore
Revision
202714
Author
sbar...@apple.com
Date
2016-06-30 15:35:30 -0700 (Thu, 30 Jun 2016)

Log Message

missing exception checks in arrayProtoFuncReverse
https://bugs.webkit.org/show_bug.cgi?id=159319
<rdar://problem/27083696>

Reviewed by Filip Pizlo.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncReverse):

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (202713 => 202714)


--- trunk/Source/_javascript_Core/ChangeLog	2016-06-30 22:29:32 UTC (rev 202713)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-06-30 22:35:30 UTC (rev 202714)
@@ -1,5 +1,17 @@
 2016-06-30  Saam Barati  <sbar...@apple.com>
 
+        missing exception checks in arrayProtoFuncReverse
+        https://bugs.webkit.org/show_bug.cgi?id=159319
+        <rdar://problem/27083696>
+
+        Reviewed by Filip Pizlo.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncToString):
+        (JSC::arrayProtoFuncReverse):
+
+2016-06-30  Saam Barati  <sbar...@apple.com>
+
         get_by_id_with_this does not trigger a to_this in caller.
         https://bugs.webkit.org/show_bug.cgi?id=159226
 
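Review bot: The entry title names only arrayProtoFuncReverse, but the function list under runtime/ArrayPrototype.cpp also includes (JSC::arrayProtoFuncToString), so the title or a one-line description should cover both. A sentence after each function name saying which call was left unchecked would also make the entry usable without opening the bug.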

Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (202713 => 202714)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2016-06-30 22:29:32 UTC (rev 202713)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2016-06-30 22:35:30 UTC (rev 202714)
@@ -344,6 +344,8 @@
     
     // 2. Let func be the result of calling the [[Get]] internal method of array with argument "join".
     JSValue function = JSValue(thisObject).get(exec, exec->propertyNames().join);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
 
     // 3. If IsCallable(func) is false, then let func be the standard built-in method Object.prototype.toString (15.2.4.2).
     bool customJoinCase = false;
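Review bot: The early return added after the lookup of exec->propertyNames().join comes with no regression test in this revision; the ChangeLog lists only runtime/ArrayPrototype.cpp. Because this [[Get]] can run a user-defined getter, a test in which the "join" getter throws and the exception propagates out of toString would pin the behaviour and guard against the check being dropped later.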
@@ -716,15 +718,21 @@
         if (vm.exception())
             return JSValue::encode(jsUndefined());
         JSValue lowerValue;
-        if (lowerExists)
+        if (lowerExists) {
             lowerValue = thisObject->get(exec, lower);
+            if (UNLIKELY(vm.exception()))
+                return JSValue::encode(jsUndefined());
+        }
 
         bool upperExists = thisObject->hasProperty(exec, upper);
-        if (vm.exception())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
         JSValue upperValue;
-        if (upperExists)
+        if (upperExists) {
             upperValue = thisObject->get(exec, upper);
+            if (UNLIKELY(vm.exception()))
+                return JSValue::encode(jsUndefined());
+        }
 
         if (upperExists) {
             thisObject->putByIndexInline(exec, lower, upperValue, true);
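Review bot: The context check at the top of this hunk, `if (vm.exception())` just before `JSValue lowerValue;`, is left without UNLIKELY while its counterpart after `hasProperty(exec, upper)` gains it; change both so all four checks in this block read the same. The hunk's context ends at the putByIndexInline call, so it is also worth confirming that an exception check follows that call, since no check is visible here.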