Title: [204388] trunk
- Revision
- 204388
- Author
- [email protected]
- Date
- 2016-08-11 14:21:55 -0700 (Thu, 11 Aug 2016)
Log Message
The jsc shell's Element host constructor should throw if it fails to construct an object.
https://bugs.webkit.org/show_bug.cgi?id=160773
<rdar://problem/27328608>
Reviewed by Saam Barati.
JSTests:
* stress/generational-opaque-roots.js:
Source/_javascript_Core:
The Element object is a test object provided in the jsc shell for testing use only.
_javascript_Core expects host constructors to either throw an error or return a
constructed object. Element has a host constructor that did not obey this contract.
As a result, the following statement will fail a RELEASE_ASSERT:
new (Element.bind())
This is now fixed.
* jsc.cpp:
(functionCreateElement):
Modified Paths
Diff
Modified: trunk/JSTests/ChangeLog (204387 => 204388)
--- trunk/JSTests/ChangeLog 2016-08-11 21:18:14 UTC (rev 204387)
+++ trunk/JSTests/ChangeLog 2016-08-11 21:21:55 UTC (rev 204388)
@@ -1,5 +1,15 @@
-2016-08-10 Mark Lam <[email protected]>
+2016-08-11 Mark Lam <[email protected]>
+ The jsc shell's Element host constructor should throw if it fails to construct an object.
+ https://bugs.webkit.org/show_bug.cgi?id=160773
+ <rdar://problem/27328608>
+
+ Reviewed by Saam Barati.
+
+ * stress/generational-opaque-roots.js:
+
+2016-08-11 Mark Lam <[email protected]>
+
Disallow synchronous sweeping for eden GCs.
https://bugs.webkit.org/show_bug.cgi?id=160716
Modified: trunk/JSTests/stress/generational-opaque-roots.js (204387 => 204388)
--- trunk/JSTests/stress/generational-opaque-roots.js 2016-08-11 21:18:14 UTC (rev 204387)
+++ trunk/JSTests/stress/generational-opaque-roots.js 2016-08-11 21:21:55 UTC (rev 204388)
@@ -1,5 +1,11 @@
// Tests that opaque roots behave correctly during young generation collections
+try {
+ // regression test for bug 160773. This should not crash.
+ new (Element.bind());
+} catch(e) {
+}
+
// Create the primary Root.
var root = new Root();
// This secondary root is for allocating a second Element without overriding
Modified: trunk/Source/_javascript_Core/ChangeLog (204387 => 204388)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-11 21:18:14 UTC (rev 204387)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-11 21:21:55 UTC (rev 204388)
@@ -1,5 +1,25 @@
-2016-08-10 Mark Lam <[email protected]>
+2016-08-11 Mark Lam <[email protected]>
+ The jsc shell's Element host constructor should throw if it fails to construct an object.
+ https://bugs.webkit.org/show_bug.cgi?id=160773
+ <rdar://problem/27328608>
+
+ Reviewed by Saam Barati.
+
+ The Element object is a test object provided in the jsc shell for testing use only.
+ _javascript_Core expects host constructors to either throw an error or return a
+ constructed object. Element has a host constructor that did not obey this contract.
+ As a result, the following statement will fail a RELEASE_ASSERT:
+
+ new (Element.bind())
+
+ This is now fixed.
+
+ * jsc.cpp:
+ (functionCreateElement):
+
+2016-08-11 Mark Lam <[email protected]>
+
Disallow synchronous sweeping for eden GCs.
https://bugs.webkit.org/show_bug.cgi?id=160716
Modified: trunk/Source/_javascript_Core/jsc.cpp (204387 => 204388)
--- trunk/Source/_javascript_Core/jsc.cpp 2016-08-11 21:18:14 UTC (rev 204387)
+++ trunk/Source/_javascript_Core/jsc.cpp 2016-08-11 21:21:55 UTC (rev 204388)
@@ -1231,7 +1231,7 @@
JSLockHolder lock(exec);
Root* root = jsDynamicCast<Root*>(exec->argument(0));
if (!root)
- return JSValue::encode(jsUndefined());
+ return JSValue::encode(exec->vm().throwException(exec, createError(exec, ASCIILiteral("Cannot create Element without a Root."))));
return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), root));
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
