[webkit-changes] [221962] branches/safari-604-branch

Wed, 13 Sep 2017 01:03:11 -0700

Title: [221962] branches/safari-604-branch

Diff

Modified: branches/safari-604-branch/JSTests/ChangeLog (221961 => 221962)


--- branches/safari-604-branch/JSTests/ChangeLog	2017-09-13 07:37:13 UTC (rev 221961)
+++ branches/safari-604-branch/JSTests/ChangeLog	2017-09-13 08:02:54 UTC (rev 221962)
@@ -1,3 +1,17 @@
+2017-09-12  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r221711. rdar://problem/34404472
+
+    2017-09-06  Mark Lam  <mark....@apple.com>
+
+            constructGenericTypedArrayViewWithArguments() is missing an exception check.
+            https://bugs.webkit.org/show_bug.cgi?id=176485
+            <rdar://problem/33898874>
+
+            Reviewed by Keith Miller.
+
+            * stress/regress-176485.js: Added.
+
 2017-07-31  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r220012. rdar://problem/33619526

Added: branches/safari-604-branch/JSTests/stress/regress-176485.js (0 => 221962)


--- branches/safari-604-branch/JSTests/stress/regress-176485.js	                        (rev 0)
+++ branches/safari-604-branch/JSTests/stress/regress-176485.js	2017-09-13 08:02:54 UTC (rev 221962)
@@ -0,0 +1,11 @@
+var exception;
+try {
+    a2 = {};//some method ok//what ever object//Date()
+    Object.defineProperty(a2, "length",{get: Int32Array});//Int32Array here wrong,need a function
+    new Int32Array(this.a2);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "TypeError: calling Int32Array constructor without new is invalid")
+    throw "Exception not thrown";

Modified: branches/safari-604-branch/Source/_javascript_Core/ChangeLog (221961 => 221962)


--- branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-09-13 07:37:13 UTC (rev 221961)
+++ branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-09-13 08:02:54 UTC (rev 221962)
@@ -1,3 +1,18 @@
+2017-09-12  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r221711. rdar://problem/34404472
+
+    2017-09-06  Mark Lam  <mark....@apple.com>
+
+            constructGenericTypedArrayViewWithArguments() is missing an exception check.
+            https://bugs.webkit.org/show_bug.cgi?id=176485
+            <rdar://problem/33898874>
+
+            Reviewed by Keith Miller.
+
+            * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+            (JSC::constructGenericTypedArrayViewWithArguments):
+
 2017-08-09  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r220473. rdar://problem/33810961

Modified: branches/safari-604-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h (221961 => 221962)


--- branches/safari-604-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h	2017-09-13 07:37:13 UTC (rev 221961)
+++ branches/safari-604-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h	2017-09-13 08:02:54 UTC (rev 221962)
@@ -185,8 +185,14 @@
                     return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
             }
 
-            length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
-            RETURN_IF_EXCEPTION(scope, nullptr);
+            if (lengthSlot.isUnset())
+                length = 0;
+            else {
+                JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+                length = value.toUInt32(exec);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+            }
         }
 
         

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to