Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (209030 => 209031)
--- trunk/Source/_javascript_Core/ChangeLog 2016-11-28 23:23:40 UTC (rev 209030)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-11-28 23:30:59 UTC (rev 209031)
@@ -1,5 +1,26 @@
2016-11-28 Mark Lam <mark....@apple.com>
+ Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
+ https://bugs.webkit.org/show_bug.cgi?id=165022
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewFromIterator):
+ (JSC::constructGenericTypedArrayViewWithArguments):
+ (JSC::constructGenericTypedArrayView):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::set):
+ (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::speciesConstruct):
+ (JSC::genericTypedArrayViewProtoFuncSet):
+ (JSC::genericTypedArrayViewProtoFuncJoin):
+ (JSC::genericTypedArrayViewProtoFuncSlice):
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+
+2016-11-28 Mark Lam <mark....@apple.com>
+
Fix exception scope verification failures in runtime/Operations.cpp/h.
https://bugs.webkit.org/show_bug.cgi?id=165046
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h (209030 => 209031)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h 2016-11-28 23:23:40 UTC (rev 209030)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewConstructorInlines.h 2016-11-28 23:30:59 UTC (rev 209031)
@@ -100,14 +100,15 @@
}
ViewClass* result = ViewClass::createUninitialized(exec, structure, storage.size());
- if (!result)
- RETURN_IF_EXCEPTION(scope, nullptr);
+ ASSERT(!!scope.exception() == !result);
+ if (UNLIKELY(!result))
+ return nullptr;
for (unsigned i = 0; i < storage.size(); ++i) {
- if (!result->setIndex(exec, i, storage.at(i))) {
- ASSERT(scope.exception());
+ bool success = result->setIndex(exec, i, storage.at(i));
+ ASSERT(scope.exception() || success);
+ if (!success)
return nullptr;
- }
}
return result;
@@ -133,6 +134,7 @@
length = (buffer->byteLength() - offset) / ViewClass::elementSize;
}
+ scope.release();
return ViewClass::create(exec, structure, buffer, offset, length);
}
ASSERT(!offset && !lengthOpt);
@@ -154,6 +156,7 @@
// So we use VMInquiry. And purge the opaque object cases (proxy and namespace object) by isTaintedByOpaqueObject() guard.
PropertySlot lengthSlot(object, PropertySlot::InternalMethodType::VMInquiry);
object->getPropertySlot(exec, vm.propertyNames->length, lengthSlot);
+ RETURN_IF_EXCEPTION(scope, nullptr);
JSValue iteratorFunc = object->get(exec, vm.propertyNames->iteratorSymbol);
RETURN_IF_EXCEPTION(scope, nullptr);
@@ -178,6 +181,7 @@
JSValue iterator = call(exec, iteratorFunc, callType, callData, object, arguments);
RETURN_IF_EXCEPTION(scope, nullptr);
+ scope.release();
return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
}
@@ -187,11 +191,11 @@
ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
- if (!result) {
- ASSERT(scope.exception());
+ ASSERT(!!scope.exception() == !result);
+ if (UNLIKELY(!result))
return nullptr;
- }
+ scope.release();
if (!result->set(exec, 0, object, 0, length))
return nullptr;
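Review bot: The failure path at the end of this hunk returns nullptr after `scope.release()` without asserting that an exception is actually pending, whereas the @@ -100 hunk in the same file pins that contract with `ASSERT(scope.exception() || success)` around setIndex. Callers treat a null view as "an exception was thrown" (that is what the earlier hunk's assertion encodes), so a `set` that reported failure without throwing would surface as a silent null rather than a diagnosable state. Suggest mirroring the earlier pattern: `bool success = result->set(exec, 0, object, 0, length);` / `ASSERT(scope.exception() || success);` / `if (UNLIKELY(!success)) return nullptr;`, keeping `scope.release()` in front since the caller still owns the final check. The enclosing function starts before and ends after this hunk.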
@@ -203,6 +207,7 @@
unsigned length = firstValue.toIndex(exec, "length");
RETURN_IF_EXCEPTION(scope, nullptr);
+ scope.release();
return ViewClass::create(exec, structure, length);
}
@@ -226,6 +231,7 @@
if (ViewClass::TypedArrayStorageType == TypeDataView)
return throwVMTypeError(exec, scope, ASCIILiteral("DataView constructor requires at least one argument."));
+ scope.release();
return JSValue::encode(ViewClass::create(exec, structure, 0));
}
@@ -251,6 +257,7 @@
}
}
+ scope.release();
return JSValue::encode(constructGenericTypedArrayViewWithArguments<ViewClass>(exec, structure, JSValue::encode(firstValue), offset, length));
}
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (209030 => 209031)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2016-11-28 23:23:40 UTC (rev 209030)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2016-11-28 23:30:59 UTC (rev 209031)
@@ -263,30 +263,39 @@
switch (ci->typedArrayStorageType) {
case TypeInt8:
+ scope.release();
return setWithSpecificType<Int8Adaptor>(
exec, offset, jsCast<JSInt8Array*>(object), objectOffset, length, type);
case TypeInt16:
+ scope.release();
return setWithSpecificType<Int16Adaptor>(
exec, offset, jsCast<JSInt16Array*>(object), objectOffset, length, type);
case TypeInt32:
+ scope.release();
return setWithSpecificType<Int32Adaptor>(
exec, offset, jsCast<JSInt32Array*>(object), objectOffset, length, type);
case TypeUint8:
+ scope.release();
return setWithSpecificType<Uint8Adaptor>(
exec, offset, jsCast<JSUint8Array*>(object), objectOffset, length, type);
case TypeUint8Clamped:
+ scope.release();
return setWithSpecificType<Uint8ClampedAdaptor>(
exec, offset, jsCast<JSUint8ClampedArray*>(object), objectOffset, length, type);
case TypeUint16:
+ scope.release();
return setWithSpecificType<Uint16Adaptor>(
exec, offset, jsCast<JSUint16Array*>(object), objectOffset, length, type);
case TypeUint32:
+ scope.release();
return setWithSpecificType<Uint32Adaptor>(
exec, offset, jsCast<JSUint32Array*>(object), objectOffset, length, type);
case TypeFloat32:
+ scope.release();
return setWithSpecificType<Float32Adaptor>(
exec, offset, jsCast<JSFloat32Array*>(object), objectOffset, length, type);
case TypeFloat64:
+ scope.release();
return setWithSpecificType<Float64Adaptor>(
exec, offset, jsCast<JSFloat64Array*>(object), objectOffset, length, type);
case NotTypedArray:
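Review bot: The nine identical `scope.release();` lines added to each typed-array case would be better expressed once, since every arm of this switch just tail-dispatches to setWithSpecificType and hands the exception check to the caller. A single `scope.release();` immediately before `switch (ci->typedArrayStorageType) {` keeps the new code DRY and makes the "caller checks" decision visible at one point instead of nine. This presumes the `NotTypedArray` and any default arm below the hunk do not need the scope un-released (for instance because they throw through it and expect verification); that part of the function is outside the hunk, so please confirm before hoisting. The enclosing `set` method starts and ends outside this hunk.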
@@ -398,11 +407,13 @@
if (descriptor.value()) {
PutPropertySlot unused(JSValue(thisObject), shouldThrow);
+ scope.release();
return thisObject->put(thisObject, exec, propertyName, descriptor.value(), unused);
}
return true;
}
+ scope.release();
return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
}
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (209030 => 209031)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2016-11-28 23:23:40 UTC (rev 209030)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2016-11-28 23:30:59 UTC (rev 209031)
@@ -53,8 +53,10 @@
JSValue constructor = exemplar->get(exec, vm.propertyNames->constructor);
RETURN_IF_EXCEPTION(scope, nullptr);
- if (constructor.isUndefined())
+ if (constructor.isUndefined()) {
+ scope.release();
return defaultConstructor();
+ }
if (!constructor.isObject()) {
throwTypeError(exec, scope, ASCIILiteral("constructor Property should not be null"));
return nullptr;
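Review bot: The TypeError text "constructor Property should not be null" next to the new early-return block no longer matches the condition it reports on: `!constructor.isObject()` rejects every non-object value (a number, string or boolean as well as null), so a user who sets `constructor = 1` gets a message about null. A message that states the actual requirement, e.g. `throwTypeError(exec, scope, ASCIILiteral("constructor property should be an object"));`, is more useful when debugging species misuse. Minor, but since this hunk is already reshaping both fallback branches of speciesConstruct it is a cheap fix to fold in; the function continues past the hunk.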
@@ -63,8 +65,10 @@
JSValue species = constructor.get(exec, vm.propertyNames->speciesSymbol);
RETURN_IF_EXCEPTION(scope, nullptr);
- if (species.isUndefinedOrNull())
+ if (species.isUndefinedOrNull()) {
+ scope.release();
return defaultConstructor();
+ }
JSValue result = construct(exec, species, args, "species is not a constructor");
RETURN_IF_EXCEPTION(scope, nullptr);
@@ -135,6 +139,7 @@
RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ scope.release();
thisObject->set(exec, offset, sourceArray, 0, length, CopyType::Unobservable);
return JSValue::encode(jsUndefined());
}
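Review bot: The boolean result of `thisObject->set(...)` is discarded on the line after the new `scope.release()`, so genericTypedArrayViewProtoFuncSet returns `jsUndefined()` even when the copy failed or threw; the @@ -187 hunk in JSGenericTypedArrayViewConstructorInlines.h shows the same call is expected to be tested for failure. Returning an empty value on failure keeps this function consistent with the other error exits in the hunk (they return `encodedJSValue()`) and avoids producing a real result alongside a pending exception. Suggest `if (!thisObject->set(exec, offset, sourceArray, 0, length, CopyType::Unobservable)) return encodedJSValue();` in place of the bare call, leaving `scope.release();` in front. Whether the extra value is observable depends on the caller discarding it when an exception is pending, which I cannot confirm from this hunk; the function starts outside it.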
@@ -273,6 +278,7 @@
joiner.append(*exec, thisObject->getIndexQuickly(i));
RETURN_IF_EXCEPTION(scope, encodedJSValue());
}
+ scope.release();
return JSValue::encode(joiner.join(*exec));
};
@@ -461,37 +467,44 @@
length = std::min(length, result->length());
switch (result->classInfo()->typedArrayStorageType) {
case TypeInt8:
+ scope.release();
jsCast<JSInt8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeInt16:
+ scope.release();
jsCast<JSInt16Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeInt32:
+ scope.release();
jsCast<JSInt32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeUint8:
+ scope.release();
jsCast<JSUint8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeUint8Clamped:
+ scope.release();
jsCast<JSUint8ClampedArray*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeUint16:
+ scope.release();
jsCast<JSUint16Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeUint32:
+ scope.release();
jsCast<JSUint32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeFloat32:
+ scope.release();
jsCast<JSFloat32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
case TypeFloat64:
+ scope.release();
jsCast<JSFloat64Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
- break;
+ return JSValue::encode(result);
default:
RELEASE_ASSERT_NOT_REACHED();
}
-
- return JSValue::encode(result);
}
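Review bot: Every arm of the rewritten switch returns `result` unconditionally after `set(...)`, still ignoring the bool that `set` returns (the @@ -187 hunk in JSGenericTypedArrayViewConstructorInlines.h checks that same return value), so slice hands back a possibly half-filled view even when the copy reported failure or threw. Since `scope.release()` delegates the exception check to the caller, the only signal the caller gets is the return value, which makes it worth surfacing. Replacing the nine `return JSValue::encode(result);` lines with a single result check after the switch also removes the duplication this hunk introduces and restores the one exit the old `break` structure had. The enclosing function starts outside the hunk; the rewritten tail is below.
```cpp
    scope.release();
    bool copied;
    switch (result->classInfo()->typedArrayStorageType) {
    case TypeInt8:
        copied = jsCast<JSInt8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
        break;
    // … unchanged: same pattern for the other eight typed-array cases …
    default:
        RELEASE_ASSERT_NOT_REACHED();
    }
    ASSERT(scope.exception() || copied);
    return copied ? JSValue::encode(result) : encodedJSValue();
```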
template<typename ViewClass>
@@ -538,6 +551,7 @@
if (species == defaultConstructor) {
Structure* structure = callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
+ scope.release();
return JSValue::encode(ViewClass::create(
exec, structure, arrayBuffer,
thisObject->byteOffset() + offset * ViewClass::elementSize,