Title: [213837] releases/WebKitGTK/webkit-2.16/Source/_javascript_Core
Revision
213837
Author
[email protected]
Date
2017-03-13 05:45:37 -0700 (Mon, 13 Mar 2017)

Log Message

Merge r213648 - WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed
https://bugs.webkit.org/show_bug.cgi?id=169215

Reviewed by Mark Lam.

This doesn't have a test because it would be a very complicated test.

* runtime/JSObject.h:
(JSC::JSObject::ensureLength): If ensureLengthSlow returns false, we need to return false.

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (213836 => 213837)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-03-13 12:26:01 UTC (rev 213836)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-03-13 12:45:37 UTC (rev 213837)
@@ -1,3 +1,15 @@
+2017-03-09  Filip Pizlo  <[email protected]>
+
+        WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed
+        https://bugs.webkit.org/show_bug.cgi?id=169215
+
+        Reviewed by Mark Lam.
+        
+        This doesn't have a test because it would be a very complicated test.
+
+        * runtime/JSObject.h:
+        (JSC::JSObject::ensureLength): If ensureLengthSlow returns false, we need to return false.
+
 2017-03-06  Yusuke Suzuki  <[email protected]>
 
         Null pointer crash when loading module with unresolved import also as a script file
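Review bot: The entry records what the new code does but not what was wrong before, which is the part a reader of the history needs: in the removed lines of the JSObject.h hunk, a false return from ensureLengthSlow did not stop the subsequent setPublicLength(length) call, so the public length could be advanced without the backing store having grown, and the failure was only reported afterwards. One sentence such as "Previously a failed ensureLengthSlow still let publicLength be set before false was returned" would make the entry self-explanatory. Minor style point: the blank line after "Reviewed by Mark Lam." carries trailing whitespace.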

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.h (213836 => 213837)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.h	2017-03-13 12:26:01 UTC (rev 213836)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.h	2017-03-13 12:45:37 UTC (rev 213837)
@@ -960,13 +960,14 @@
         ASSERT(length < MAX_ARRAY_INDEX);
         ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
 
-        bool result = true;
-        if (m_butterfly.get()->vectorLength() < length)
-            result = ensureLengthSlow(vm, length);
+        if (m_butterfly.get()->vectorLength() < length) {
+            if (!ensureLengthSlow(vm, length))
+                return false;
+        }
             
         if (m_butterfly.get()->publicLength() < length)
             m_butterfly.get()->setPublicLength(length);
-        return result;
+        return true;
     }
         
     // Call this if you want to shrink the butterfly backing store, and you're
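Review bot: The early return is the right shape for this fix. In the removed lines, `result = ensureLengthSlow(vm, length);` could be false while control still reached `m_butterfly.get()->setPublicLength(length);`, leaving publicLength larger than vectorLength on a butterfly whose growth had failed, with the failure only surfacing in `return result;`. Two follow-ups for the same review: confirm that every caller of ensureLength acts on the bool, since the change only helps if a false return is not discarded, and consider whether an ASSERT that publicLength does not exceed vectorLength after the slow path would catch a regression of this kind, given that the ASSERTs at the top of the hunk only constrain length and the indexing type.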
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes