Title: [236123] releases/WebKitGTK/webkit-2.22
- Revision
- 236123
- Author
- carlo...@webkit.org
- Date
- 2018-09-18 06:32:18 -0700 (Tue, 18 Sep 2018)
Log Message
Merge r235554 - Fix exception check accounting in JSDataView::defineOwnProperty().
https://bugs.webkit.org/show_bug.cgi?id=189186
<rdar://problem/39786049>
Reviewed by Michael Saboff.
JSTests:
* stress/regress-189186.js: Added.
Source/_javascript_Core:
* runtime/JSDataView.cpp:
(JSC::JSDataView::defineOwnProperty):
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (236122 => 236123)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-09-18 13:32:12 UTC (rev 236122)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-09-18 13:32:18 UTC (rev 236123)
@@ -1,5 +1,15 @@
2018-08-31 Mark Lam <mark....@apple.com>
+ Fix exception check accounting in JSDataView::defineOwnProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=189186
+ <rdar://problem/39786049>
+
+ Reviewed by Michael Saboff.
+
+ * stress/regress-189186.js: Added.
+
+2018-08-31 Mark Lam <mark....@apple.com>
+
Add missing exception check in arrayProtoFuncLastIndexOf().
https://bugs.webkit.org/show_bug.cgi?id=189184
<rdar://problem/39785959>
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-189186.js (0 => 236123)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-189186.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-189186.js 2018-09-18 13:32:18 UTC (rev 236123)
@@ -0,0 +1,4 @@
+//@ runDefault
+// This test passes if it does not crash.
+let x = new DataView(new ArrayBuffer(1));
+Object.defineProperty(x, 'foo', {});
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236122 => 236123)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-09-18 13:32:12 UTC (rev 236122)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-09-18 13:32:18 UTC (rev 236123)
@@ -1,5 +1,16 @@
2018-08-31 Mark Lam <mark....@apple.com>
+ Fix exception check accounting in JSDataView::defineOwnProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=189186
+ <rdar://problem/39786049>
+
+ Reviewed by Michael Saboff.
+
+ * runtime/JSDataView.cpp:
+ (JSC::JSDataView::defineOwnProperty):
+
+2018-08-31 Mark Lam <mark....@apple.com>
+
Add missing exception check in arrayProtoFuncLastIndexOf().
https://bugs.webkit.org/show_bug.cgi?id=189184
<rdar://problem/39785959>
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSDataView.cpp (236122 => 236123)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSDataView.cpp 2018-09-18 13:32:12 UTC (rev 236122)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSDataView.cpp 2018-09-18 13:32:18 UTC (rev 236123)
@@ -151,6 +151,7 @@
|| propertyName == vm.propertyNames->byteOffset)
return typeError(exec, scope, shouldThrow, "Attempting to define read-only typed array property."_s);
+ scope.release();
return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
