Reviewers: Toon Verwaest,
Description:
Fix missing exception check in typed array constructor (2).
This fixes another crash when the the typed array constructor accesses
an array that has a throwing accessor defined on one of it's elements.
[email protected]
BUG=chromium:168545
TEST=mjsunit/regress/regress-crbug-168545.js
Please review this at https://codereview.chromium.org/11791052/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/d8.cc
M test/mjsunit/regress/regress-crbug-168545.js
Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index
83e2fc50d5d43db6290b9e7808313d6806ebe97a..8ca475a5c8ab649ec6a15e517ca14a823dcaabbd
100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -561,7 +561,11 @@ Handle<Value> Shell::CreateExternalArray(const
Arguments& args,
if (init_from_array) {
Handle<Object> init = args[0]->ToObject();
- for (int i = 0; i < length; ++i) array->Set(i, init->Get(i));
+ for (int i = 0; i < length; ++i) {
+ Local<Value> value = init->Get(i);
+ if (try_catch.HasCaught()) return try_catch.ReThrow();
+ array->Set(i, value);
+ }
}
return array;
Index: test/mjsunit/regress/regress-crbug-168545.js
diff --git a/test/mjsunit/regress/regress-crbug-168545.js
b/test/mjsunit/regress/regress-crbug-168545.js
index
1bc52fe9b0975b4f654c797da307c8f8ae40fef4..acc065e41101325dd9b105f73e50748b1c9cff13
100644
--- a/test/mjsunit/regress/regress-crbug-168545.js
+++ b/test/mjsunit/regress/regress-crbug-168545.js
@@ -28,3 +28,7 @@
var o = {};
Object.defineProperty(o, "length", { get: function() { throw "bail"; }});
assertThrows("new Int16Array(o);");
+
+var a = [];
+Object.defineProperty(a, "0", { get: function() { throw "bail"; }});
+assertThrows("new Int16Array(a);");
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
