Title: [208936] trunk/Source/_javascript_Core
- Revision
- 208936
- Author
- [email protected]
- Date
- 2016-11-20 17:33:09 -0800 (Sun, 20 Nov 2016)
Log Message
Fix exception scope verification failures in CommonSlowPaths.cpp/h.
https://bugs.webkit.org/show_bug.cgi?id=164975
Reviewed by Darin Adler.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (208935 => 208936)
--- trunk/Source/_javascript_Core/ChangeLog 2016-11-21 01:31:20 UTC (rev 208935)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-11-21 01:33:09 UTC (rev 208936)
@@ -1,5 +1,17 @@
2016-11-20 Mark Lam <[email protected]>
+ Fix exception scope verification failures in CommonSlowPaths.cpp/h.
+ https://bugs.webkit.org/show_bug.cgi?id=164975
+
+ Reviewed by Darin Adler.
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opIn):
+
+2016-11-20 Mark Lam <[email protected]>
+
Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164995
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (208935 => 208936)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2016-11-21 01:31:20 UTC (rev 208935)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2016-11-21 01:33:09 UTC (rev 208936)
@@ -181,6 +181,7 @@
exec = exec->callerFrame();
vm.topCallFrame = exec;
ErrorHandlingScope errorScope(vm);
+ throwScope.release();
CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));
RETURN_TWO(bitwise_cast<void*>(static_cast<uintptr_t>(1)), exec);
}
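Review bot: The added `throwScope.release();` has no comment saying why exception verification is handed off just before `interpreterThrowInCaller(exec, createStackOverflowError(exec))`. From the visible lines the throw looks deliberate, with the exception left pending for the caller, but the next reader has to infer that. A one-line comment would record it, for example `// The throw below is intentional; release the scope so the caller owns the exception check.` The same applies to the two `scope.release();` calls added in `CommonSlowPaths::opIn` in CommonSlowPaths.h, where `// hasProperty() may throw; callers of opIn must check for an exception.` would state the contract. Both enclosing functions begin outside their hunks.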
@@ -443,9 +444,11 @@
ArithProfile& arithProfile = *exec->codeBlock()->arithProfileForPC(pc);
arithProfile.observeLHSAndRHS(v1, v2);
- if (v1.isString() && !v2.isObject())
- result = jsString(exec, asString(v1), v2.toString(exec));
- else if (v1.isNumber() && v2.isNumber())
+ if (v1.isString() && !v2.isObject()) {
+ JSString* v2String = v2.toString(exec);
+ if (LIKELY(!throwScope.exception()))
+ result = jsString(exec, asString(v1), v2String);
+ } else if (v1.isNumber() && v2.isNumber())
result = jsNumber(v1.asNumber() + v2.asNumber());
else
result = jsAddSlowCase(exec, v1, v2);
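Review bot: When `v2.toString(exec)` throws, the new string branch leaves `result` unassigned and falls through. Whether that is safe depends on how `result` is declared and on the return macro checking the exception before the value is stored, and both are outside the hunk. The resolve-scope hunk in this same file handles the same situation with an explicit early exit, and that form would make this branch self-contained: `JSString* v2String = v2.toString(exec); CHECK_EXCEPTION();` followed by an unconditional `result = jsString(exec, asString(v1), v2String);`. If falling through is deliberate, a comment such as `// On exception, result is left untouched; the return macro below performs the check.` would record the dependency.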
@@ -824,7 +827,9 @@
if (resolveType == UnresolvedProperty || resolveType == UnresolvedPropertyWithVarInjectionChecks) {
if (resolvedScope->isGlobalObject()) {
JSGlobalObject* globalObject = jsCast<JSGlobalObject*>(resolvedScope);
- if (globalObject->hasProperty(exec, ident)) {
+ bool hasProperty = globalObject->hasProperty(exec, ident);
+ CHECK_EXCEPTION();
+ if (hasProperty) {
ConcurrentJSLocker locker(exec->codeBlock()->m_lock);
if (resolveType == UnresolvedProperty)
pc[4].u.operand = GlobalProperty;
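Review bot: `CHECK_EXCEPTION();` after the `hasProperty` call hides an early return inside a macro. That return is what stops the `pc[4].u.operand` rewrite under the code-block lock from running after a failed lookup. A short comment on that line would make the ordering requirement visible to the next editor, for example `// hasProperty() can throw; return before the cached resolve type is patched.` The enclosing slow path begins and ends outside the hunk, so whether later statements in the block need the same guard cannot be judged from here.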
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h (208935 => 208936)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h 2016-11-21 01:31:20 UTC (rev 208935)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h 2016-11-21 01:33:09 UTC (rev 208936)
@@ -83,11 +83,14 @@
JSObject* baseObj = asObject(baseVal);
uint32_t i;
- if (propName.getUInt32(i))
+ if (propName.getUInt32(i)) {
+ scope.release();
return baseObj->hasProperty(exec, i);
+ }
auto property = propName.toPropertyKey(exec);
RETURN_IF_EXCEPTION(scope, false);
+ scope.release();
return baseObj->hasProperty(exec, property);
}