Title: [239307] releases/WebKitGTK/webkit-2.22
Revision
239307
Author
mcatanz...@igalia.com
Date
2018-12-17 18:03:09 -0800 (Mon, 17 Dec 2018)

Log Message

Merge r239198 - Add a missing exception check.
https://bugs.webkit.org/show_bug.cgi?id=192626
<rdar://problem/46662163>

Reviewed by Keith Miller.

JSTests:

* stress/regress-192626.js: Added.

Source/JavaScriptCore:

* runtime/ScopedArguments.h:

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (239306 => 239307)


--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-12-18 01:45:47 UTC (rev 239306)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-12-18 02:03:09 UTC (rev 239307)
@@ -1,3 +1,13 @@
+2018-12-13  Mark Lam  <mark....@apple.com>
+
+        Add a missing exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=192626
+        <rdar://problem/46662163>
+
+        Reviewed by Keith Miller.
+
+        * stress/regress-192626.js: Added.
+
 2018-12-10  Mark Lam  <mark....@apple.com>
 
         PropertyAttribute needs a CustomValue bit.

Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-192626.js (0 => 239307)


--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-192626.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-192626.js	2018-12-18 02:03:09 UTC (rev 239307)
@@ -0,0 +1,23 @@
+var a = {};
+
+function foo() {
+    return Array.prototype.splice.apply([], a);
+}
+noInline(foo);
+
+function bar(b) {
+    with({});
+    a = arguments;
+    a.__defineGetter__("length", String.prototype.valueOf);
+    foo();
+}
+
+var exception;
+try {
+    bar();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "TypeError: Type error")
+    throw "FAIL";
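Review bot: The final check `if (exception != "TypeError: Type error")` ties the test to the engine's exact message text, and on failure the bare `throw "FAIL";` does not say whether no exception was raised or a different one was. Reporting the observed value would make a regression easier to triage: `throw "FAIL: expected TypeError, got " + exception;`. A short header comment would also help, stating that the test covers a throwing `length` getter on an arguments object passed to `apply`, because the file name carries only the bug number.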

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (239306 => 239307)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-12-18 01:45:47 UTC (rev 239306)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-12-18 02:03:09 UTC (rev 239307)
@@ -1,3 +1,13 @@
+2018-12-13  Mark Lam  <mark....@apple.com>
+
+        Add a missing exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=192626
+        <rdar://problem/46662163>
+
+        Reviewed by Keith Miller.
+
+        * runtime/ScopedArguments.h:
+
 2018-12-10  Mark Lam  <mark....@apple.com>
 
         PropertyAttribute needs a CustomValue bit.

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/ScopedArguments.h (239306 => 239307)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/ScopedArguments.h	2018-12-18 01:45:47 UTC (rev 239306)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/ScopedArguments.h	2018-12-18 02:03:09 UTC (rev 239307)
@@ -74,8 +74,13 @@
     uint32_t length(ExecState* exec) const
     {
         VM& vm = exec->vm();
-        if (UNLIKELY(storageHeader().overrodeThings))
-            return get(exec, vm.propertyNames->length).toUInt32(exec);
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        if (UNLIKELY(storageHeader().overrodeThings)) {
+            auto value = get(exec, vm.propertyNames->length);
+            RETURN_IF_EXCEPTION(scope, 0);
+            scope.release();
+            return value.toUInt32(exec);
+        }
         return internalLength();
     }
     
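Review bot: `length()` now returns 0 when the overridden `length` getter throws, and a caller cannot tell that apart from a genuinely empty arguments object unless it checks for a pending exception itself. The call sites are outside this hunk, so each one should be confirmed, in particular any that sizes a copy or a buffer from the result. `scope.release()` before `value.toUInt32(exec)` also leaves an exception from the conversion to the caller, so the same check has to cover both. I would state the contract on the method, e.g. `// May run a user-defined getter and throw; returns 0 with the exception pending, so callers must check before using the result.`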