Title: [205234] branches/safari-602-branch
- Revision
- 205234
- Author
- [email protected]
- Date
- 2016-08-31 00:20:25 -0700 (Wed, 31 Aug 2016)
Log Message
Merge r204388. rdar://problem/27991576
Modified Paths
Diff
Modified: branches/safari-602-branch/JSTests/ChangeLog (205233 => 205234)
--- branches/safari-602-branch/JSTests/ChangeLog 2016-08-31 07:20:21 UTC (rev 205233)
+++ branches/safari-602-branch/JSTests/ChangeLog 2016-08-31 07:20:25 UTC (rev 205234)
@@ -1,5 +1,19 @@
2016-08-30 Babak Shafiei <[email protected]>
+ Merge r204388. rdar://problem/27991576
+
+ 2016-08-11 Mark Lam <[email protected]>
+
+ The jsc shell's Element host constructor should throw if it fails to construct an object.
+ https://bugs.webkit.org/show_bug.cgi?id=160773
+ <rdar://problem/27328608>
+
+ Reviewed by Saam Barati.
+
+ * stress/generational-opaque-roots.js:
+
+2016-08-30 Babak Shafiei <[email protected]>
+
Merge r204362. rdar://problem/27991421
2016-08-10 Michael Saboff <[email protected]>
Modified: branches/safari-602-branch/JSTests/stress/generational-opaque-roots.js (205233 => 205234)
--- branches/safari-602-branch/JSTests/stress/generational-opaque-roots.js 2016-08-31 07:20:21 UTC (rev 205233)
+++ branches/safari-602-branch/JSTests/stress/generational-opaque-roots.js 2016-08-31 07:20:25 UTC (rev 205234)
@@ -1,5 +1,11 @@
// Tests that opaque roots behave correctly during young generation collections
+try {
+ // regression test for bug 160773. This should not crash.
+ new (Element.bind());
+} catch(e) {
+}
+
// Create the primary Root.
var root = new Root();
// This secondary root is for allocating a second Element without overriding
Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (205233 => 205234)
--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog 2016-08-31 07:20:21 UTC (rev 205233)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog 2016-08-31 07:20:25 UTC (rev 205234)
@@ -1,5 +1,29 @@
2016-08-30 Babak Shafiei <[email protected]>
+ Merge r204388. rdar://problem/27991576
+
+ 2016-08-11 Mark Lam <[email protected]>
+
+ The jsc shell's Element host constructor should throw if it fails to construct an object.
+ https://bugs.webkit.org/show_bug.cgi?id=160773
+ <rdar://problem/27328608>
+
+ Reviewed by Saam Barati.
+
+ The Element object is a test object provided in the jsc shell for testing use only.
+ _javascript_Core expects host constructors to either throw an error or return a
+ constructed object. Element has a host constructor that did not obey this contract.
+ As a result, the following statement will fail a RELEASE_ASSERT:
+
+ new (Element.bind())
+
+ This is now fixed.
+
+ * jsc.cpp:
+ (functionCreateElement):
+
+2016-08-30 Babak Shafiei <[email protected]>
+
Merge r204362. rdar://problem/27991421
2016-08-10 Michael Saboff <[email protected]>
Modified: branches/safari-602-branch/Source/_javascript_Core/jsc.cpp (205233 => 205234)
--- branches/safari-602-branch/Source/_javascript_Core/jsc.cpp 2016-08-31 07:20:21 UTC (rev 205233)
+++ branches/safari-602-branch/Source/_javascript_Core/jsc.cpp 2016-08-31 07:20:25 UTC (rev 205234)
@@ -1238,7 +1238,7 @@
JSLockHolder lock(exec);
Root* root = jsDynamicCast<Root*>(exec->argument(0));
if (!root)
- return JSValue::encode(jsUndefined());
+ return JSValue::encode(exec->vm().throwException(exec, createError(exec, ASCIILiteral("Cannot create Element without a Root."))));
return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), root));
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
