Title: [249225] trunk
Revision: 249225
Author: mark....@apple.com
Date: 2019-08-28 16:11:17 -0700 (Wed, 28 Aug 2019)
Log Message
Placate exception check validation in DFG's operationHasGenericProperty().
https://bugs.webkit.org/show_bug.cgi?id=201245
<rdar://problem/54777512>
Reviewed by Robin Morisset.
JSTests:
* stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
Source/JavaScriptCore:
* dfg/DFGOperations.cpp:
Diff
Modified: trunk/JSTests/ChangeLog (249224 => 249225)
--- trunk/JSTests/ChangeLog 2019-08-28 23:07:40 UTC (rev 249224)
+++ trunk/JSTests/ChangeLog 2019-08-28 23:11:17 UTC (rev 249225)
@@ -1,3 +1,13 @@
+2019-08-28 Mark Lam <mark....@apple.com>
+
+ Placate exception check validation in DFG's operationHasGenericProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=201245
+ <rdar://problem/54777512>
+
+ Reviewed by Robin Morisset.
+
+ * stress/missing-exception-check-in-operationHasGenericProperty.js: Added.
+
2019-08-27 Mark Lam <mark....@apple.com>
constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
Added: trunk/JSTests/stress/missing-exception-check-in-operationHasGenericProperty.js (0 => 249225)
--- trunk/JSTests/stress/missing-exception-check-in-operationHasGenericProperty.js (rev 0)
+++ trunk/JSTests/stress/missing-exception-check-in-operationHasGenericProperty.js 2019-08-28 23:11:17 UTC (rev 249225)
@@ -0,0 +1,10 @@
+const x = 0;
+
+function foo() {
+ for (const q in 0) { }
+}
+
+for (let i = 0; i < 5; i++) {
+ foo();
+ Number.prototype.valueOf = 0;
+}
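Review bot: The test carries no comment on what it covers and makes no assertion, so it passes only by not crashing, and `const x = 0;` on its first line is never used. Please drop the unused constant and add a short header comment saying that `for (const q in 0) { }` in foo() is the path of interest once `Number.prototype.valueOf = 0;` has run, and which run options are needed for a loop of only 5 iterations to reach the DFG operation named in the file name, since nothing in the file shows that.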
Modified: trunk/Source/_javascript_Core/ChangeLog (249224 => 249225)
--- trunk/Source/_javascript_Core/ChangeLog 2019-08-28 23:07:40 UTC (rev 249224)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-08-28 23:11:17 UTC (rev 249225)
@@ -1,3 +1,13 @@
+2019-08-28 Mark Lam <mark....@apple.com>
+
+ Placate exception check validation in DFG's operationHasGenericProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=201245
+ <rdar://problem/54777512>
+
+ Reviewed by Robin Morisset.
+
+ * dfg/DFGOperations.cpp:
+
2019-08-28 Ross Kirsling <ross.kirsl...@sony.com>
Unreviewed. Restabilize non-unified build.
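Review bot: The `* dfg/DFGOperations.cpp:` line is left empty, with no function name and no explanation after the colon. Since the title only says "Placate", the entry should state what was missing in operationHasGenericProperty() and why an assertion is sufficient there rather than an explicit exception return.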
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (249224 => 249225)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-08-28 23:07:40 UTC (rev 249224)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-08-28 23:11:17 UTC (rev 249225)
@@ -2135,6 +2135,7 @@
return JSValue::encode(jsBoolean(false));
JSObject* base = baseValue.toObject(exec);
+ ASSERT(!scope.exception() || !base);
if (!base)
return JSValue::encode(JSValue());
auto propertyName = asString(property)->toIdentifier(exec);
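Review bot: On the added `ASSERT(!scope.exception() || !base);` line, the exception query exists only inside ASSERT, so it runs only in builds where ASSERT is active; if exception check validation can be enabled in a build where ASSERT compiles to nothing, the check after `baseValue.toObject(exec)` would still go unrecorded. The line also depends on toObject() returning null whenever it throws, with the following `if (!base)` doing the actual early return, so a one-line comment stating that invariant would make clear why no explicit exception return is needed here.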