Title: [211278] branches/safari-603-branch
- Revision
- 211278
- Author
- matthew_han...@apple.com
- Date
- 2017-01-27 01:18:51 -0800 (Fri, 27 Jan 2017)
Log Message
Merge r211246. rdar://problem/29916672
Modified Paths
Added Paths
Diff
Modified: branches/safari-603-branch/JSTests/ChangeLog (211277 => 211278)
--- branches/safari-603-branch/JSTests/ChangeLog 2017-01-27 08:54:23 UTC (rev 211277)
+++ branches/safari-603-branch/JSTests/ChangeLog 2017-01-27 09:18:51 UTC (rev 211278)
@@ -1,3 +1,17 @@
+2017-01-27 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r211246. rdar://problem/29916672
+
+ 2017-01-26 Mark Lam <mark....@apple.com>
+
+ Fix missing exception check in genericTypedArrayViewProtoFuncSet().
+ https://bugs.webkit.org/show_bug.cgi?id=166812
+ <rdar://problem/29916672>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-166812.js: Added.
+
2017-01-26 Matthew Hanson <matthew_han...@apple.com>
Merge r211224. rdar://problem/29144126
Added: branches/safari-603-branch/JSTests/stress/regress-166812.js (0 => 211278)
--- branches/safari-603-branch/JSTests/stress/regress-166812.js (rev 0)
+++ branches/safari-603-branch/JSTests/stress/regress-166812.js 2017-01-27 09:18:51 UTC (rev 211278)
@@ -0,0 +1,17 @@
+function shouldEqual(actual, expected) {
+ if (actual != expected) {
+ throw "ERROR: expect " + expected + ", actual " + actual;
+ }
+}
+
+(function() {
+ var exception;
+ var x = new Uint32Array(0x10);
+ try {
+ x.set(x.__proto__, 0);
+ } catch (e) {
+ exception = e;
+ }
+
+ shouldEqual(exception, "TypeError: Receiver should be a typed array view");
+})();
Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (211277 => 211278)
--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-01-27 08:54:23 UTC (rev 211277)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-01-27 09:18:51 UTC (rev 211278)
@@ -1,3 +1,18 @@
+2017-01-27 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r211246. rdar://problem/29916672
+
+ 2017-01-26 Mark Lam <mark....@apple.com>
+
+ Fix missing exception check in genericTypedArrayViewProtoFuncSet().
+ https://bugs.webkit.org/show_bug.cgi?id=166812
+ <rdar://problem/29916672>
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncSet):
+
2017-01-26 Matthew Hanson <matthew_han...@apple.com>
Merge r211224. rdar://problem/29144126
Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (211277 => 211278)
--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2017-01-27 08:54:23 UTC (rev 211277)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2017-01-27 09:18:51 UTC (rev 211278)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -134,8 +134,11 @@
return throwVMTypeError(exec, scope, typedArrayBufferHasBeenDetachedErrorMessage);
length = jsCast<JSArrayBufferView*>(sourceArray)->length();
- } else
- length = sourceArray->get(exec, vm.propertyNames->length).toUInt32(exec);
+ } else {
+ JSValue lengthValue = sourceArray->get(exec, vm.propertyNames->length);
+ RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ length = lengthValue.toUInt32(exec);
+ }
RETURN_IF_EXCEPTION(scope, encodedJSValue());
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
