Title: [211246] trunk
Revision: 211246
Author: mark....@apple.com
Date: 2017-01-26 17:38:05 -0800 (Thu, 26 Jan 2017)
Log Message
Fix missing exception check in genericTypedArrayViewProtoFuncSet().
https://bugs.webkit.org/show_bug.cgi?id=166812
<rdar://problem/29916672>
Reviewed by Saam Barati.
JSTests:
* stress/regress-166812.js: Added.
Source/JavaScriptCore:
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSet):
Diff
Modified: trunk/JSTests/ChangeLog (211245 => 211246)
--- trunk/JSTests/ChangeLog 2017-01-27 01:33:38 UTC (rev 211245)
+++ trunk/JSTests/ChangeLog 2017-01-27 01:38:05 UTC (rev 211246)
@@ -1,3 +1,13 @@
+2017-01-26 Mark Lam <mark....@apple.com>
+
+ Fix missing exception check in genericTypedArrayViewProtoFuncSet().
+ https://bugs.webkit.org/show_bug.cgi?id=166812
+ <rdar://problem/29916672>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-166812.js: Added.
+
2017-01-26 Commit Queue <commit-qu...@webkit.org>
Unreviewed, rolling out r211224.
Added: trunk/JSTests/stress/regress-166812.js (0 => 211246)
--- trunk/JSTests/stress/regress-166812.js (rev 0)
+++ trunk/JSTests/stress/regress-166812.js 2017-01-27 01:38:05 UTC (rev 211246)
@@ -0,0 +1,17 @@
+function shouldEqual(actual, expected) {
+ if (actual != expected) {
+ throw "ERROR: expect " + expected + ", actual " + actual;
+ }
+}
+
+(function() {
+ var exception;
+ var x = new Uint32Array(0x10);
+ try {
+ x.set(x.__proto__, 0);
+ } catch (e) {
+ exception = e;
+ }
+
+ shouldEqual(exception, "TypeError: Receiver should be a typed array view");
+})();
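Review bot: The test exercises only the built-in `length` getter reached through `x.__proto__`; a second case that passes a plain object whose own `length` getter throws a distinct value would confirm that `set()` propagates whatever the getter throws, not just this one TypeError. Separately, `shouldEqual` compares with `!=`, so `exception` matches the expected string only through implicit string coercion of the Error object; comparing `String(exception)` with `!==` would make that intent explicit and would not silently accept other coercible values.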
Modified: trunk/Source/_javascript_Core/ChangeLog (211245 => 211246)
--- trunk/Source/_javascript_Core/ChangeLog 2017-01-27 01:33:38 UTC (rev 211245)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-01-27 01:38:05 UTC (rev 211246)
@@ -1,3 +1,14 @@
+2017-01-26 Mark Lam <mark....@apple.com>
+
+ Fix missing exception check in genericTypedArrayViewProtoFuncSet().
+ https://bugs.webkit.org/show_bug.cgi?id=166812
+ <rdar://problem/29916672>
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncSet):
+
2017-01-26 Commit Queue <commit-qu...@webkit.org>
Unreviewed, rolling out r211224.
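Review bot: The new ChangeLog entry lists `(JSC::genericTypedArrayViewProtoFuncSet):` with nothing after the colon, so it does not say which call lacked the check. One line noting that the `get()` of the source object's `length` property can throw and that its result was previously passed straight to `toUInt32()` would let a reader understand the fix without opening the diff.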
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (211245 => 211246)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2017-01-27 01:33:38 UTC (rev 211245)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2017-01-27 01:38:05 UTC (rev 211246)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -134,8 +134,11 @@
return throwVMTypeError(exec, scope, typedArrayBufferHasBeenDetachedErrorMessage);
length = jsCast<JSArrayBufferView*>(sourceArray)->length();
- } else
- length = sourceArray->get(exec, vm.propertyNames->length).toUInt32(exec);
+ } else {
+ JSValue lengthValue = sourceArray->get(exec, vm.propertyNames->length);
+ RETURN_IF_EXCEPTION(scope, encodedJSValue());
+ length = lengthValue.toUInt32(exec);
+ }
RETURN_IF_EXCEPTION(scope, encodedJSValue());
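Review bot: In the new `else` block the check after `sourceArray->get(exec, vm.propertyNames->length)` is right, but the check for `lengthValue.toUInt32(exec)` is left to the `RETURN_IF_EXCEPTION(scope, encodedJSValue());` that follows the closing brace, outside the branch that needs it. If nothing in the typed-array branch above can leave an exception pending, consider moving that trailing check inside the block, directly after `length = lengthValue.toUInt32(exec);`, so each potentially throwing call sits next to its own check. A short comment that the `length` lookup can throw would also explain why the single expression was split into two steps.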