Modified: trunk/JSTests/ChangeLog (207905 => 207906)
--- trunk/JSTests/ChangeLog 2016-10-26 19:07:59 UTC (rev 207905)
+++ trunk/JSTests/ChangeLog 2016-10-26 19:23:55 UTC (rev 207906)
@@ -1,3 +1,13 @@
+2016-10-26 Mark Lam <[email protected]>
+
+ JSGenericTypedArrayView::set() should check for exceptions.
+ https://bugs.webkit.org/show_bug.cgi?id=164007
+ <rdar://problem/28853775>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/typed-array-view-set-should-not-crash-on-exception.js: Added.
+
2016-10-25 Mark Lam <[email protected]>
String.prototype.replace() should throw an OutOfMemoryError when using too much memory.
Added: trunk/JSTests/stress/typed-array-view-set-should-not-crash-on-exception.js (0 => 207906)
--- trunk/JSTests/stress/typed-array-view-set-should-not-crash-on-exception.js (rev 0)
+++ trunk/JSTests/stress/typed-array-view-set-should-not-crash-on-exception.js 2016-10-26 19:23:55 UTC (rev 207906)
@@ -0,0 +1,27 @@
+//@ runFTLNoCJIT
+// This test passes if it does not crash.
+
+function shouldEqual(testId, actual, expected) {
+ if (actual != expected) {
+ throw testId + ": ERROR: expect " + expected + ", actual " + actual;
+ }
+}
+
+arr = new Array;
+
+Object.defineProperty(arr, 1, {
+ configurable: true, enumerable: true,
+ get: Date.prototype.getSeconds,
+});
+
+typedArray = new Float64Array(16);
+typedArray[0] = 0;
+
+var exception = undefined;
+try {
+ typedArray.set(arr, 0);
+} catch (e) {
+ exception = e;
+}
+
+shouldEqual(10000, exception, "TypeError: Type error");
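Review bot: `shouldEqual` at L24-L28 compares with loose `!=`, so the check at L47 passes only because the caught exception object is implicitly stringified against "TypeError: Type error"; spelling that out makes the intent explicit, e.g. `if (String(actual) != String(expected)) {`. `arr` (L30) and `typedArray` (L37) are assigned without a declaration and become implicit globals; `var arr = new Array;` and `var typedArray = new Float64Array(16);` would match the `var exception` at L40. The getter installed at L32-L35 (`Date.prototype.getSeconds` on a non-Date receiver) is presumably what makes `typedArray.set` throw; a one-line comment above L32 such as `// Index 1 has a getter that throws a TypeError, so set() must bail out instead of continuing.` would make the test readable without following the bug link.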
Modified: trunk/Source/_javascript_Core/ChangeLog (207905 => 207906)
--- trunk/Source/_javascript_Core/ChangeLog 2016-10-26 19:07:59 UTC (rev 207905)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-10-26 19:23:55 UTC (rev 207906)
@@ -1,3 +1,14 @@
+2016-10-26 Mark Lam <[email protected]>
+
+ JSGenericTypedArrayView::set() should check for exceptions.
+ https://bugs.webkit.org/show_bug.cgi?id=164007
+ <rdar://problem/28853775>
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::set):
+
2016-10-25 Yusuke Suzuki <[email protected]>
[DOMJIT] Tell IDL result type to DFG to drop type checks in AI
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (207905 => 207906)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2016-10-26 19:07:59 UTC (rev 207905)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2016-10-26 19:23:55 UTC (rev 207906)
@@ -242,6 +242,9 @@
bool JSGenericTypedArrayView<Adaptor>::set(
ExecState* exec, unsigned offset, JSObject* object, unsigned objectOffset, unsigned length, CopyType type)
{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
const ClassInfo* ci = object->classInfo();
if (ci->typedArrayStorageType == Adaptor::typeValue) {
// The super fast case: we can just memcpy since we're the same type.
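Review bot: The throw scope added at L72-L73 carries no comment saying which calls in `set()` it guards, and the two assertion forms used later in this file encode different contracts without saying so: `ASSERT(!scope.exception() == success)` after `validateRange` (L83, L93) asserts that it throws exactly when it fails, while `ASSERT(!scope.exception() || !success)` after `setIndex` (L102) only asserts that a throw implies failure. A comment beside the scope declaration such as `// validateRange() throws iff it fails; setIndex() may fail without throwing; object->get() can run arbitrary JS.` would let a reader check each early return against the right contract. Separately, the `bool success` declared at L101 inside the loop shadows the one declared at L92 in the enclosing case block; renaming the inner one (e.g. `bool stored = setIndex(exec, offset + i, value);`) avoids a -Wshadow warning and the ambiguity. The body of `set()` continues past the end of this hunk.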
@@ -249,7 +252,9 @@
length = std::min(length, other->length());
RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length));
- if (!validateRange(exec, offset, length))
+ bool success = validateRange(exec, offset, length);
+ ASSERT(!scope.exception() == success);
+ if (!success)
return false;
memmove(typedVector() + offset, other->typedVector() + objectOffset, length * elementSize);
@@ -286,13 +291,18 @@
exec, offset, jsCast<JSFloat64Array*>(object), objectOffset, length, type);
case NotTypedArray:
case TypeDataView: {
- if (!validateRange(exec, offset, length))
+ bool success = validateRange(exec, offset, length);
+ ASSERT(!scope.exception() == success);
+ if (!success)
return false;
// We could optimize this case. But right now, we don't.
for (unsigned i = 0; i < length; ++i) {
JSValue value = object->get(exec, i + objectOffset);
- if (!setIndex(exec, offset + i, value))
+ RETURN_IF_EXCEPTION(scope, false);
+ bool success = setIndex(exec, offset + i, value);
+ ASSERT(!scope.exception() || !success);
+ if (!success)
return false;
}
return true;