Title: [224568] releases/WebKitGTK/webkit-2.18
- Revision: 224568
- Author: carlo...@webkit.org
- Date: 2017-11-08 00:22:40 -0800 (Wed, 08 Nov 2017)
Log Message
Merge r221711 - constructGenericTypedArrayViewWithArguments() is missing an exception check.
https://bugs.webkit.org/show_bug.cgi?id=176485
<rdar://problem/33898874>
Reviewed by Keith Miller.
JSTests:
* stress/regress-176485.js: Added.
Source/JavaScriptCore:
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
Diff
Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (224567 => 224568)
--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2017-11-08 07:25:40 UTC (rev 224567)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2017-11-08 08:22:40 UTC (rev 224568)
@@ -1,3 +1,13 @@
+2017-09-06 Mark Lam <mark....@apple.com>
+
+ constructGenericTypedArrayViewWithArguments() is missing an exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=176485
+ <rdar://problem/33898874>
+
+ Reviewed by Keith Miller.
+
+ * stress/regress-176485.js: Added.
+
2017-10-09 Oleksandr Skachkov <gskach...@gmail.com>
Safari 10 /11 problem with if (!await get(something)).
Added: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-176485.js (0 => 224568)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-176485.js (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-176485.js 2017-11-08 08:22:40 UTC (rev 224568)
@@ -0,0 +1,11 @@
+var exception;
+try {
+ a2 = {};//some method ok//what ever object//Date()
+ Object.defineProperty(a2, "length",{get: Int32Array});//Int32Array here wrong,need a function
+ new Int32Array(this.a2);
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "TypeError: calling Int32Array constructor without new is invalid")
+ throw "Exception not thrown";
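Review bot: The final check in regress-176485.js throws "Exception not thrown" for any mismatch, including the case where a different exception was caught, so a failure would be reported with a misleading message. Suggest including the caught value in the thrown string. The test also creates `a2` as an implicit global and then reads it back through `this.a2`; declaring it with `var a2 = {};` makes that dependency explicit. The inline comments on the first two lines of the try block are hard to follow and could be replaced by one sentence saying that the `length` getter is the Int32Array constructor itself, which throws when called without `new`.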
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (224567 => 224568)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2017-11-08 07:25:40 UTC (rev 224567)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2017-11-08 08:22:40 UTC (rev 224568)
@@ -1,3 +1,14 @@
+2017-09-06 Mark Lam <mark....@apple.com>
+
+ constructGenericTypedArrayViewWithArguments() is missing an exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=176485
+ <rdar://problem/33898874>
+
+ Reviewed by Keith Miller.
+
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewWithArguments):
+
2017-10-24 Guillaume Emont <guijem...@igalia.com>
[mips] fix offsets of branches that have to go over a jump
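Review bot: The new ChangeLog entry names runtime/JSGenericTypedArrayViewConstructorInlines.h and the function but does not say which call was missing the check. One line stating that reading the `length` property can throw before the value is converted with toUInt32() would let a reader understand the fix without opening the diff. Since this lands on the release branch as a merge, the entry could also name r221711, which currently appears only in the log message.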
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h (224567 => 224568)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h 2017-11-08 07:25:40 UTC (rev 224567)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h 2017-11-08 08:22:40 UTC (rev 224568)
@@ -185,8 +185,14 @@
return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
}
- length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
- RETURN_IF_EXCEPTION(scope, nullptr);
+ if (lengthSlot.isUnset())
+ length = 0;
+ else {
+ JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);
+ RETURN_IF_EXCEPTION(scope, nullptr);
+ length = value.toUInt32(exec);
+ RETURN_IF_EXCEPTION(scope, nullptr);
+ }
}
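Review bot: In the new else branch, nothing explains why getValue() and toUInt32() each need their own RETURN_IF_EXCEPTION, so a later cleanup could fold them back into the single expression this hunk removes. A short comment above `JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);` noting that the `length` slot may be an accessor that throws, which is the case regress-176485.js exercises, would guard against that. The split itself looks right: the first check stops toUInt32() from running on the result of a lookup that has already thrown.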
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes