Title: [290686] branches/safari-613-branch
Revision
290686
Author
alanc...@apple.com
Date
2022-03-01 15:49:04 -0800 (Tue, 01 Mar 2022)

Log Message

Cherry-pick r289462. rdar://problem/88580935

    Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
    https://bugs.webkit.org/show_bug.cgi?id=236318
    <rdar://88580935>

    Reviewed by Mark Lam.

    Source/WebCore:

    This patch makes it so we might not accidentally return the empty value to
    JavaScript code from JSValueInWrappedObject. Previously, JSValueInWrappedObject
    had an "operator JSValue()" method. This patch removes that, adds a new
    conversion method for converting between JSValueInWrappedObject and JSValue,
    and makes JSValueInWrappedObject return undefined inside this method
    when it used to return the empty value. This fixes a crash where we'd return
    the empty value to JS JIT code, and crash dereferencing a nullptr. It's never
    valid for a JS function call (or getter, etc) to return the empty value.

    Test: fast/dom/AbortSignal-reason-crash-2.html

    * Modules/webaudio/AudioBuffer.cpp:
    (WebCore::AudioBuffer::getChannelData):
    * Modules/webaudio/AudioWorkletProcessor.cpp:
    (WebCore::toJSArray):
    (WebCore::toJSObject):
    (WebCore::AudioWorkletProcessor::buildJSArguments):
    * bindings/js/JSCustomEventCustom.cpp:
    (WebCore::JSCustomEvent::detail const):
    * bindings/js/JSDOMConvertAny.h:
    (WebCore::JSConverter<IDLAny>::convert):
    * bindings/js/JSMessageEventCustom.cpp:
    (WebCore::JSMessageEvent::data const):
    * bindings/js/JSPaymentMethodChangeEventCustom.cpp:
    (WebCore::JSPaymentMethodChangeEvent::methodDetails const):
    * bindings/js/JSPopStateEventCustom.cpp:
    (WebCore::JSPopStateEvent::state const):
    * bindings/js/JSValueInWrappedObject.h:
    (WebCore::JSValueInWrappedObject::getValue const):
    (WebCore::JSValueInWrappedObject::operator bool const):
    (WebCore::cachedPropertyValue):
    (WebCore::JSValueInWrappedObject::operator JSC::JSValue const): Deleted.
    * dom/AbortSignal.cpp:
    (WebCore::AbortSignal::signalFollow):
    (WebCore::AbortSignal::throwIfAborted):
    * dom/ErrorEvent.cpp:
    (WebCore::ErrorEvent::error):
    (WebCore::ErrorEvent::trySerializeError):
    * dom/PopStateEvent.cpp:
    (WebCore::PopStateEvent::trySerializeState):
    * page/History.cpp:
    (WebCore::History::cachedState):

    LayoutTests:

    * fast/dom/AbortSignal-reason-crash-2-expected.txt: Added.
    * fast/dom/AbortSignal-reason-crash-2.html: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@289462 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-613-branch/LayoutTests/ChangeLog (290685 => 290686)


--- branches/safari-613-branch/LayoutTests/ChangeLog	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/LayoutTests/ChangeLog	2022-03-01 23:49:04 UTC (rev 290686)
@@ -1,5 +1,79 @@
 2022-02-28  Russell Epstein  <repst...@apple.com>
 
+        Cherry-pick r289462. rdar://problem/88580935
+
+    Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
+    https://bugs.webkit.org/show_bug.cgi?id=236318
+    <rdar://88580935>
+    
+    Reviewed by Mark Lam.
+    
+    Source/WebCore:
+    
+    This patch makes it so we might not accidentally return the empty value to
+    _javascript_ code from JSValueInWrappedObject. Previously, JSValueInWrappedObject
+    had an "operator JSValue()" method. This patch removes that, adds a new
+    conversion method for converting between JSValueInWrappedObject and JSValue,
+    and makes JSValueInWrappedObject return undefined inside this method
+    when it used to return the empty value. This fixes a crash where we'd return
+    the empty value to JS JIT code, and crash dereferencing a nullptr. It's never
+    valid for a JS function call (or getter, etc) to return the empty value.
+    
+    Test: fast/dom/AbortSignal-reason-crash-2.html
+    
+    * Modules/webaudio/AudioBuffer.cpp:
+    (WebCore::AudioBuffer::getChannelData):
+    * Modules/webaudio/AudioWorkletProcessor.cpp:
+    (WebCore::toJSArray):
+    (WebCore::toJSObject):
+    (WebCore::AudioWorkletProcessor::buildJSArguments):
+    * bindings/js/JSCustomEventCustom.cpp:
+    (WebCore::JSCustomEvent::detail const):
+    * bindings/js/JSDOMConvertAny.h:
+    (WebCore::JSConverter<IDLAny>::convert):
+    * bindings/js/JSMessageEventCustom.cpp:
+    (WebCore::JSMessageEvent::data const):
+    * bindings/js/JSPaymentMethodChangeEventCustom.cpp:
+    (WebCore::JSPaymentMethodChangeEvent::methodDetails const):
+    * bindings/js/JSPopStateEventCustom.cpp:
+    (WebCore::JSPopStateEvent::state const):
+    * bindings/js/JSValueInWrappedObject.h:
+    (WebCore::JSValueInWrappedObject::getValue const):
+    (WebCore::JSValueInWrappedObject::operator bool const):
+    (WebCore::cachedPropertyValue):
+    (WebCore::JSValueInWrappedObject::operator JSC::JSValue const): Deleted.
+    * dom/AbortSignal.cpp:
+    (WebCore::AbortSignal::signalFollow):
+    (WebCore::AbortSignal::throwIfAborted):
+    * dom/ErrorEvent.cpp:
+    (WebCore::ErrorEvent::error):
+    (WebCore::ErrorEvent::trySerializeError):
+    * dom/PopStateEvent.cpp:
+    (WebCore::PopStateEvent::trySerializeState):
+    * page/History.cpp:
+    (WebCore::History::cachedState):
+    
+    LayoutTests:
+    
+    * fast/dom/AbortSignal-reason-crash-2-expected.txt: Added.
+    * fast/dom/AbortSignal-reason-crash-2.html: Added.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@289462 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-02-09  Saam Barati  <sbar...@apple.com>
+
+            Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
+            https://bugs.webkit.org/show_bug.cgi?id=236318
+            <rdar://88580935>
+
+            Reviewed by Mark Lam.
+
+            * fast/dom/AbortSignal-reason-crash-2-expected.txt: Added.
+            * fast/dom/AbortSignal-reason-crash-2.html: Added.
+
+2022-02-28  Russell Epstein  <repst...@apple.com>
+
         Cherry-pick r289377. rdar://problem/88178304
 
     Return 'none' for the computed style of mask when there are no mask images
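Review bot: the lines that read `+    ` (after the `<rdar://88580935>` line, after "Reviewed by Mark Lam.", and around the `git-svn-id:` line) add trailing whitespace to the ChangeLog; the nested 2022-02-09 entry is also indented one level deeper than the surrounding entries. Both are cosmetic, but ChangeLog entries elsewhere in this hunk use empty lines, so the whitespace-only lines should be blank and the inner entry should follow the same indentation as the cherry-pick header.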

Added: branches/safari-613-branch/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt (0 => 290686)


--- branches/safari-613-branch/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt	                        (rev 0)
+++ branches/safari-613-branch/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt	2022-03-01 23:49:04 UTC (rev 290686)
@@ -0,0 +1,12 @@
+Test should not crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
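Review bot: the expected output records `PASS successfullyParsed is true` followed by `TEST COMPLETE` twice, which means finishJSTest is reached twice for a single run of the test body. That is stable enough to diff against, but it is worth confirming it is the intended harness behaviour (the IIFE calls finishJSTest synchronously while `jsTestIsAsync` is set) rather than the test body running twice, since a future change to the harness would make this file spuriously fail.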

Added: branches/safari-613-branch/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html (0 => 290686)


--- branches/safari-613-branch/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html	                        (rev 0)
+++ branches/safari-613-branch/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html	2022-03-01 23:49:04 UTC (rev 290686)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+
+description("Test should not crash");
+window.jsTestIsAsync = true;
+(async () => {
+    try {
+        let abortController = new AbortController();
+        abortController.abort();
+        GCController.collect();
+        let x = abortController.signal.reason;
+        try { x.foo; } catch { }
+        finishJSTest();
+    } catch(e) {
+        console.log("saw exception!!!");
+        finishJSTest();
+    }
+})();
+
+</script>
+<script src=""
+</body>
+</html>
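Review bot: `try { x.foo; } catch { }` swallows whatever reading a property of `x` throws, so the test only detects a crash and not a wrong non-empty value coming back from `abortController.signal.reason`; a `shouldBe`-style check on `x` after `GCController.collect()` would also catch a regression that returns something other than the post-fix value. Two smaller points: the `async` arrow contains no `await`, so it can be a plain IIFE, and the two `<script src=""` lines are visibly truncated in this listing (no closing `>`), so the harness includes should be verified in the checked-in file.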

Modified: branches/safari-613-branch/Source/WebCore/ChangeLog (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/ChangeLog	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/ChangeLog	2022-03-01 23:49:04 UTC (rev 290686)
@@ -1,5 +1,119 @@
 2022-02-28  Russell Epstein  <repst...@apple.com>
 
+        Cherry-pick r289462. rdar://problem/88580935
+
+    Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
+    https://bugs.webkit.org/show_bug.cgi?id=236318
+    <rdar://88580935>
+    
+    Reviewed by Mark Lam.
+    
+    Source/WebCore:
+    
+    This patch makes it so we might not accidentally return the empty value to
+    _javascript_ code from JSValueInWrappedObject. Previously, JSValueInWrappedObject
+    had an "operator JSValue()" method. This patch removes that, adds a new
+    conversion method for converting between JSValueInWrappedObject and JSValue,
+    and makes JSValueInWrappedObject return undefined inside this method
+    when it used to return the empty value. This fixes a crash where we'd return
+    the empty value to JS JIT code, and crash dereferencing a nullptr. It's never
+    valid for a JS function call (or getter, etc) to return the empty value.
+    
+    Test: fast/dom/AbortSignal-reason-crash-2.html
+    
+    * Modules/webaudio/AudioBuffer.cpp:
+    (WebCore::AudioBuffer::getChannelData):
+    * Modules/webaudio/AudioWorkletProcessor.cpp:
+    (WebCore::toJSArray):
+    (WebCore::toJSObject):
+    (WebCore::AudioWorkletProcessor::buildJSArguments):
+    * bindings/js/JSCustomEventCustom.cpp:
+    (WebCore::JSCustomEvent::detail const):
+    * bindings/js/JSDOMConvertAny.h:
+    (WebCore::JSConverter<IDLAny>::convert):
+    * bindings/js/JSMessageEventCustom.cpp:
+    (WebCore::JSMessageEvent::data const):
+    * bindings/js/JSPaymentMethodChangeEventCustom.cpp:
+    (WebCore::JSPaymentMethodChangeEvent::methodDetails const):
+    * bindings/js/JSPopStateEventCustom.cpp:
+    (WebCore::JSPopStateEvent::state const):
+    * bindings/js/JSValueInWrappedObject.h:
+    (WebCore::JSValueInWrappedObject::getValue const):
+    (WebCore::JSValueInWrappedObject::operator bool const):
+    (WebCore::cachedPropertyValue):
+    (WebCore::JSValueInWrappedObject::operator JSC::JSValue const): Deleted.
+    * dom/AbortSignal.cpp:
+    (WebCore::AbortSignal::signalFollow):
+    (WebCore::AbortSignal::throwIfAborted):
+    * dom/ErrorEvent.cpp:
+    (WebCore::ErrorEvent::error):
+    (WebCore::ErrorEvent::trySerializeError):
+    * dom/PopStateEvent.cpp:
+    (WebCore::PopStateEvent::trySerializeState):
+    * page/History.cpp:
+    (WebCore::History::cachedState):
+    
+    LayoutTests:
+    
+    * fast/dom/AbortSignal-reason-crash-2-expected.txt: Added.
+    * fast/dom/AbortSignal-reason-crash-2.html: Added.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@289462 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-02-09  Saam Barati  <sbar...@apple.com>
+
+            Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
+            https://bugs.webkit.org/show_bug.cgi?id=236318
+            <rdar://88580935>
+
+            Reviewed by Mark Lam.
+
+            This patch makes it so we might not accidentally return the empty value to
+            _javascript_ code from JSValueInWrappedObject. Previously, JSValueInWrappedObject
+            had an "operator JSValue()" method. This patch removes that, adds a new
+            conversion method for converting between JSValueInWrappedObject and JSValue,
+            and makes JSValueInWrappedObject return undefined inside this method
+            when it used to return the empty value. This fixes a crash where we'd return
+            the empty value to JS JIT code, and crash dereferencing a nullptr. It's never
+            valid for a JS function call (or getter, etc) to return the empty value.
+
+            Test: fast/dom/AbortSignal-reason-crash-2.html
+
+            * Modules/webaudio/AudioBuffer.cpp:
+            (WebCore::AudioBuffer::getChannelData):
+            * Modules/webaudio/AudioWorkletProcessor.cpp:
+            (WebCore::toJSArray):
+            (WebCore::toJSObject):
+            (WebCore::AudioWorkletProcessor::buildJSArguments):
+            * bindings/js/JSCustomEventCustom.cpp:
+            (WebCore::JSCustomEvent::detail const):
+            * bindings/js/JSDOMConvertAny.h:
+            (WebCore::JSConverter<IDLAny>::convert):
+            * bindings/js/JSMessageEventCustom.cpp:
+            (WebCore::JSMessageEvent::data const):
+            * bindings/js/JSPaymentMethodChangeEventCustom.cpp:
+            (WebCore::JSPaymentMethodChangeEvent::methodDetails const):
+            * bindings/js/JSPopStateEventCustom.cpp:
+            (WebCore::JSPopStateEvent::state const):
+            * bindings/js/JSValueInWrappedObject.h:
+            (WebCore::JSValueInWrappedObject::getValue const):
+            (WebCore::JSValueInWrappedObject::operator bool const):
+            (WebCore::cachedPropertyValue):
+            (WebCore::JSValueInWrappedObject::operator JSC::JSValue const): Deleted.
+            * dom/AbortSignal.cpp:
+            (WebCore::AbortSignal::signalFollow):
+            (WebCore::AbortSignal::throwIfAborted):
+            * dom/ErrorEvent.cpp:
+            (WebCore::ErrorEvent::error):
+            (WebCore::ErrorEvent::trySerializeError):
+            * dom/PopStateEvent.cpp:
+            (WebCore::PopStateEvent::trySerializeState):
+            * page/History.cpp:
+            (WebCore::History::cachedState):
+
+2022-02-28  Russell Epstein  <repst...@apple.com>
+
         Cherry-pick r289443. rdar://problem/88593617
 
     REGRESSION (15.4): Angular virtual scrollers no longer work (because of contain:strict)

Modified: branches/safari-613-branch/Source/WebCore/Modules/webaudio/AudioBuffer.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/Modules/webaudio/AudioBuffer.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/Modules/webaudio/AudioBuffer.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -160,7 +160,7 @@
     if (globalObject.worldIsNormal()) {
         if (!m_channelWrappers[channelIndex])
             m_channelWrappers[channelIndex].setWeakly(constructJSArray());
-        return static_cast<JSC::JSValue>(m_channelWrappers[channelIndex]);
+        return m_channelWrappers[channelIndex].getValue();
     }
     return constructJSArray();
 }

Modified: branches/safari-613-branch/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -57,12 +57,12 @@
 
 static JSArray* toJSArray(JSValueInWrappedObject& wrapper)
 {
-    return wrapper ? jsCast<JSArray*>(static_cast<JSValue>(wrapper)) : nullptr;
+    return wrapper ? jsCast<JSArray*>(wrapper.getValue()) : nullptr;
 }
 
 static JSObject* toJSObject(JSValueInWrappedObject& wrapper)
 {
-    return wrapper ? jsCast<JSObject*>(static_cast<JSValue>(wrapper)) : nullptr;
+    return wrapper ? jsCast<JSObject*>(wrapper.getValue()) : nullptr;
 }
 
 static JSFloat32Array* constructJSFloat32Array(JSGlobalObject& globalObject, unsigned length, const float* data = ""
@@ -218,15 +218,15 @@
     // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes.
     if (!copyDataFromBusesToJSArray(vm, globalObject, inputs, toJSArray(m_jsInputs)))
         m_jsInputs = { constructFrozenJSArray(vm, globalObject, inputs, ShouldPopulateWithBusData::Yes) };
-    args.append(m_jsInputs);
+    args.append(m_jsInputs.getValue());
 
     if (!zeroJSArray(vm, globalObject, outputs, toJSArray(m_jsOutputs)))
         m_jsOutputs = { constructFrozenJSArray(vm, globalObject, outputs, ShouldPopulateWithBusData::No) };
-    args.append(m_jsOutputs);
+    args.append(m_jsOutputs.getValue());
 
     if (!copyDataFromParameterMapToJSObject(vm, globalObject, paramValuesMap, toJSObject(m_jsParamValues)))
         m_jsParamValues = { constructFrozenKeyValueObject(vm, globalObject, paramValuesMap) };
-    args.append(m_jsParamValues);
+    args.append(m_jsParamValues.getValue());
 }
 
 bool AudioWorkletProcessor::process(const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const HashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap, bool& threwException)

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/JSCustomEventCustom.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/bindings/js/JSCustomEventCustom.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/JSCustomEventCustom.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -37,8 +37,7 @@
 JSC::JSValue JSCustomEvent::detail(JSC::JSGlobalObject& lexicalGlobalObject) const
 {
     return cachedPropertyValue(lexicalGlobalObject, *this, wrapped().cachedDetail(), [this] {
-        JSC::JSValue detail = wrapped().detail();
-        return detail ? detail : JSC::jsNull();
+        return wrapped().detail().getValue(JSC::jsNull());
     });
 }
 

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/JSDOMConvertAny.h (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/bindings/js/JSDOMConvertAny.h	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/JSDOMConvertAny.h	2022-03-01 23:49:04 UTC (rev 290686)
@@ -27,6 +27,7 @@
 
 #include "IDLTypes.h"
 #include "JSDOMConvertBase.h"
+#include "JSValueInWrappedObject.h"
 
 namespace WebCore {
 
@@ -59,6 +60,11 @@
     {
         return value.get();
     }
+
+    static JSC::JSValue convert(const JSValueInWrappedObject& value)
+    {
+        return value.getValue();
+    }
 };
 
 template<> struct VariadicConverter<IDLAny> {

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/JSMessageEventCustom.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/bindings/js/JSMessageEventCustom.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/JSMessageEventCustom.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -55,8 +55,8 @@
 JSC::JSValue JSMessageEvent::data(JSC::JSGlobalObject& lexicalGlobalObject) const
 {
     return cachedPropertyValue(lexicalGlobalObject, *this, wrapped().cachedData(), [this, &lexicalGlobalObject] {
-        return WTF::switchOn(wrapped().data(), [] (JSC::JSValue data) {
-            return data ? data : JSC::jsNull();
+        return WTF::switchOn(wrapped().data(), [] (const JSValueInWrappedObject& data) {
+            return data.getValue(JSC::jsNull());
         }, [this, &lexicalGlobalObject] (const Ref<SerializedScriptValue>& data) {
             // FIXME: Is it best to handle errors by returning null rather than throwing an exception?
             return data->deserialize(lexicalGlobalObject, globalObject(), wrapped().ports(), SerializationErrorMode::NonThrowing);

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -33,8 +33,8 @@
 JSC::JSValue JSPaymentMethodChangeEvent::methodDetails(JSC::JSGlobalObject& lexicalGlobalObject) const
 {
     return cachedPropertyValue(lexicalGlobalObject, *this, wrapped().cachedMethodDetails(), [this, &lexicalGlobalObject] {
-        return WTF::switchOn(wrapped().methodDetails(), [](JSC::JSValue methodDetails) -> JSC::JSValue {
-            return methodDetails ? methodDetails : JSC::jsNull();
+        return WTF::switchOn(wrapped().methodDetails(), [](const JSValueInWrappedObject& methodDetails) -> JSC::JSValue {
+            return methodDetails.getValue(JSC::jsNull());
         }, [&lexicalGlobalObject](const PaymentMethodChangeEvent::MethodDetailsFunction& function) -> JSC::JSValue {
             return function(lexicalGlobalObject).get();
         });

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -57,7 +57,8 @@
 
     PopStateEvent& event = wrapped();
 
-    if (JSC::JSValue eventState = event.state()) {
+    if (event.state()) {
+        JSC::JSValue eventState = event.state().getValue();
         // We need to make sure a PopStateEvent does not leak objects in its lexicalGlobalObject property across isolated DOM worlds.
         // Ideally, we would check that the worlds have different privileges but that's not possible yet.
         if (!isWorldCompatible(lexicalGlobalObject, eventState)) {
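Review bot: `event.state()` is now called twice, once for the `operator bool` check and once for `.getValue()`. Hoisting it into a local reference (`auto& state = event.state();` then `if (state) { JSC::JSValue eventState = state.getValue(); ...`) avoids the second accessor call and keeps the test and the read on the same object.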

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/JSValueInWrappedObject.h (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/bindings/js/JSValueInWrappedObject.h	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/JSValueInWrappedObject.h	2022-03-01 23:49:04 UTC (rev 290686)
@@ -44,7 +44,6 @@
     JSValueInWrappedObject(JSValueInWrappedObject&&) = default;
     JSValueInWrappedObject& operator=(JSValueInWrappedObject&&) = default;
 
-    operator JSC::JSValue() const;
     explicit operator bool() const;
     template<typename Visitor> void visit(Visitor&) const;
     void clear();
@@ -51,6 +50,7 @@
 
     void set(JSC::VM&, const JSC::JSCell* owner, JSC::JSValue);
     void setWeakly(JSC::JSValue);
+    JSC::JSValue getValue(JSC::JSValue nullValue = JSC::jsUndefined()) const;
 
     // FIXME: Remove this once IDBRequest semantic bug is fixed.
     // https://bugs.webkit.org/show_bug.cgi?id=236278
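Review bot: the parameter is named `nullValue` but its default is `JSC::jsUndefined()`, and the callers in this patch pass `JSC::jsNull()` only where null was the previous fallback. A name such as `fallbackValue` would describe what the argument does at every call site; the misleading name makes it easy to read `getValue()` as "returns null when unset", which it does not.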
@@ -69,16 +69,16 @@
     setWeakly(value);
 }
 
-inline JSValueInWrappedObject::operator JSC::JSValue() const
+inline JSC::JSValue JSValueInWrappedObject::getValue(JSC::JSValue nullValue) const
 {
     if (m_nonCell)
         return m_nonCell;
-    return m_cell.get();
+    return m_cell ? m_cell.get() : nullValue;
 }
 
 inline JSValueInWrappedObject::operator bool() const
 {
-    return JSC::JSValue { *this }.operator bool();
+    return m_nonCell || m_cell;
 }
 
 template<typename Visitor>
@@ -125,12 +125,12 @@
 
 inline JSC::JSValue cachedPropertyValue(JSC::JSGlobalObject& lexicalGlobalObject, const JSDOMObject& owner, JSValueInWrappedObject& cachedValue, const Function<JSC::JSValue()>& function)
 {
-    if (cachedValue && isWorldCompatible(lexicalGlobalObject, cachedValue))
-        return cachedValue;
+    if (cachedValue && isWorldCompatible(lexicalGlobalObject, cachedValue.getValue()))
+        return cachedValue.getValue();
     auto value = function();
     cachedValue.set(lexicalGlobalObject.vm(), &owner, cloneAcrossWorlds(lexicalGlobalObject, owner, value));
-    ASSERT(isWorldCompatible(lexicalGlobalObject, cachedValue));
-    return cachedValue;
+    ASSERT(isWorldCompatible(lexicalGlobalObject, cachedValue.getValue()));
+    return cachedValue.getValue();
 }
 
 } // namespace WebCore
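Review bot: both branches of `cachedPropertyValue` call `cachedValue.getValue()` twice (once for `isWorldCompatible` and once for the return). Reading it into a local once per branch (`auto cached = cachedValue.getValue();`) removes the duplicated accessor call and guarantees the value that was checked for world compatibility is the value returned.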

Modified: branches/safari-613-branch/Source/WebCore/dom/AbortSignal.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/dom/AbortSignal.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/dom/AbortSignal.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -90,7 +90,7 @@
         return;
 
     if (signal.aborted()) {
-        signalAbort(signal.reason());
+        signalAbort(signal.reason().getValue());
         return;
     }
 
@@ -98,7 +98,7 @@
     m_followingSignal = signal;
     signal.addAlgorithm([weakThis = WeakPtr { this }] {
         if (weakThis)
-            weakThis->signalAbort(weakThis->m_followingSignal ? static_cast<JSC::JSValue>(weakThis->m_followingSignal->reason()) : JSC::jsUndefined());
+            weakThis->signalAbort(weakThis->m_followingSignal ? weakThis->m_followingSignal->reason().getValue() : JSC::jsUndefined());
     });
 }
 
@@ -121,7 +121,7 @@
 
     auto& vm = lexicalGlobalObject.vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
-    throwException(&lexicalGlobalObject, scope, m_reason);
+    throwException(&lexicalGlobalObject, scope, m_reason.getValue());
 }
 
 } // namespace WebCore
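Review bot: `throwException(&lexicalGlobalObject, scope, m_reason.getValue())` will throw `undefined` if `m_reason` is unset at this point, which is quieter than the previous empty-value behaviour but still not a useful exception for script. Confirm that the `aborted()` check earlier in `throwIfAborted` guarantees `m_reason` has been set, or make the fallback explicit here rather than relying on the default argument.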

Modified: branches/safari-613-branch/Source/WebCore/dom/ErrorEvent.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/dom/ErrorEvent.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/dom/ErrorEvent.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -77,10 +77,10 @@
 
 JSValue ErrorEvent::error(JSGlobalObject& globalObject)
 {    
-    JSValue error = m_error;
-    if (!error)
+    if (!m_error)
         return jsNull();
 
+    JSValue error = m_error.getValue();
     if (!isWorldCompatible(globalObject, error)) {
         // We need to make sure ErrorEvents do not leak their error property across isolated DOM worlds.
         // Ideally, we would check that the worlds have different privileges but that's not possible yet.
@@ -96,7 +96,7 @@
 RefPtr<SerializedScriptValue> ErrorEvent::trySerializeError(JSGlobalObject& exec)
 {
     if (!m_serializedError && !m_triedToSerialize) {
-        m_serializedError = SerializedScriptValue::create(exec, m_error, SerializationErrorMode::NonThrowing);
+        m_serializedError = SerializedScriptValue::create(exec, m_error.getValue(), SerializationErrorMode::NonThrowing);
         m_triedToSerialize = true;
     }
     return m_serializedError;
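Review bot: `error()` just above guards with `if (!m_error) return jsNull();`, but `trySerializeError` has no such guard, so with the default fallback an unset `m_error` now gets serialized as `undefined` (previously the empty value reached `SerializedScriptValue::create`). Either add the same `!m_error` early return here or pass an explicit fallback so the two accessors agree on what an unset error means.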

Modified: branches/safari-613-branch/Source/WebCore/dom/PopStateEvent.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/dom/PopStateEvent.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/dom/PopStateEvent.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -71,7 +71,7 @@
     ASSERT(m_state);
     
     if (!m_serializedState && !m_triedToSerialize) {
-        m_serializedState = SerializedScriptValue::create(executionState, m_state, SerializationErrorMode::NonThrowing);
+        m_serializedState = SerializedScriptValue::create(executionState, m_state.getValue(), SerializationErrorMode::NonThrowing);
         m_triedToSerialize = true;
     }
     

Modified: branches/safari-613-branch/Source/WebCore/page/History.cpp (290685 => 290686)


--- branches/safari-613-branch/Source/WebCore/page/History.cpp	2022-03-01 23:48:58 UTC (rev 290685)
+++ branches/safari-613-branch/Source/WebCore/page/History.cpp	2022-03-01 23:49:04 UTC (rev 290686)
@@ -114,7 +114,7 @@
 JSValueInWrappedObject& History::cachedState()
 {
     if (m_cachedState && stateChanged())
-        m_cachedState = { };
+        m_cachedState.clear();
     return m_cachedState;
 }
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
