Title: [214993] releases/WebKitGTK/webkit-2.14
Revision: 214993
Author: [email protected]
Date: 2017-04-05 23:35:19 -0700 (Wed, 05 Apr 2017)

Log Message

Merge r208741 - The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
https://bugs.webkit.org/show_bug.cgi?id=164781
<rdar://problem/28418590>

Reviewed by Geoffrey Garen and Michael Saboff.

JSTests:

* stress/jsc-setImpureGetterDelegate-on-bad-type.js: Added.

Source/JavaScriptCore:

* jsc.cpp:
(functionSetImpureGetterDelegate):

Diff

Modified: releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog (214992 => 214993)


--- releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog	2017-04-06 06:31:21 UTC (rev 214992)
+++ releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog	2017-04-06 06:35:19 UTC (rev 214993)
@@ -1,3 +1,13 @@
+2016-11-15  Mark Lam  <[email protected]>
+
+        The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
+        https://bugs.webkit.org/show_bug.cgi?id=164781
+        <rdar://problem/28418590>
+
+        Reviewed by Geoffrey Garen and Michael Saboff.
+
+        * stress/jsc-setImpureGetterDelegate-on-bad-type.js: Added.
+
 2016-12-06  Mark Lam  <[email protected]>
 
         Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec.
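Review bot: the new entry is dated 2016-11-15 but sits above the existing 2016-12-06 entry, so this ChangeLog is no longer in date order. That is expected for a cherry-pick of r208741 into the release branch, but a reader of the branch ChangeLog cannot tell that from the entry itself; consider mentioning the merge ("Merge r208741") in the entry so the out-of-order date is explained.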

Added: releases/WebKitGTK/webkit-2.14/JSTests/stress/jsc-setImpureGetterDelegate-on-bad-type.js (0 => 214993)


--- releases/WebKitGTK/webkit-2.14/JSTests/stress/jsc-setImpureGetterDelegate-on-bad-type.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/stress/jsc-setImpureGetterDelegate-on-bad-type.js	2017-04-06 06:35:19 UTC (rev 214993)
@@ -0,0 +1,21 @@
+//@ runFTLNoCJIT
+// This test passes if it does not crash or trigger any assertion failures.
+
+function shouldEqual(actual, expected) {
+    if (actual != expected) {
+        throw "ERROR: expect " + expected + ", actual " + actual;
+    }
+}
+
+var arrayBuffer = new ArrayBuffer(0x20);
+var dataView_A = new DataView(arrayBuffer);
+var dataView_B = new DataView(arrayBuffer);
+
+var exception;
+try {
+    setImpureGetterDelegate(dataView_A, dataView_B);
+} catch (e) {
+    exception = e;
+}
+
+shouldEqual(exception, "TypeError: argument is not an ImpureGetter");
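Review bot: the final assertion only passes because `shouldEqual` compares with loose `!=`, which stringifies the caught TypeError object before comparing it to the string literal; with strict `!==` the test would fail even though the correct exception is thrown. Make the coercion explicit, for example `shouldEqual(String(exception), "TypeError: argument is not an ImpureGetter")` or compare `exception.message` against `"argument is not an ImpureGetter"`, so the intent is visible and the helper can use strict comparison. The comment at the top says the test passes if it does not crash, but the real check here is that a TypeError, not a crash or silent success, results from passing two DataViews; it would be worth saying that in the comment.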

Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog (214992 => 214993)


--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog	2017-04-06 06:31:21 UTC (rev 214992)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/ChangeLog	2017-04-06 06:35:19 UTC (rev 214993)
@@ -1,3 +1,14 @@
+2016-11-15  Mark Lam  <[email protected]>
+
+        The jsc shell's setImpureGetterDelegate() should ensure that the set value is an ImpureGetter.
+        https://bugs.webkit.org/show_bug.cgi?id=164781
+        <rdar://problem/28418590>
+
+        Reviewed by Geoffrey Garen and Michael Saboff.
+
+        * jsc.cpp:
+        (functionSetImpureGetterDelegate):
+
 2016-10-31  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: Provide an opportunity to clear ScriptValues associated with debugged target
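Review bot: the entry lists `(functionSetImpureGetterDelegate):` but says nothing about what changed in it. Add a one-line description under the function name, for example "Use jsDynamicCast instead of jsCast and throw a TypeError when the base argument is not an ImpureGetter", so the ChangeLog records why the jsc shell's behaviour changed rather than only which function was touched.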

Modified: releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jsc.cpp (214992 => 214993)


--- releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jsc.cpp	2017-04-06 06:31:21 UTC (rev 214992)
+++ releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore/jsc.cpp	2017-04-06 06:35:19 UTC (rev 214993)
@@ -1340,7 +1340,10 @@
 
 EncodedJSValue JSC_HOST_CALL functionSetImpureGetterDelegate(ExecState* exec)
 {
-    JSLockHolder lock(exec);
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSValue base = exec->argument(0);
     if (!base.isObject())
         return JSValue::encode(jsUndefined());
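Review bot: a throw scope is declared here, yet the `!base.isObject()` check directly below still returns `jsUndefined()` silently, while the following hunk throws a TypeError when `base` is an object of the wrong type. The two failure modes are inconsistent: a caller passing a primitive gets no signal, a caller passing a DataView gets an exception. Either throw a TypeError for the non-object case as well (`throwTypeError(exec, scope, ASCIILiteral("argument is not an object"))`) or leave a comment explaining why only the ImpureGetter check is meant to throw. Caching `exec->vm()` in `vm` and locking on it is fine.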
@@ -1347,8 +1350,12 @@
     JSValue delegate = exec->argument(1);
     if (!delegate.isObject())
         return JSValue::encode(jsUndefined());
-    ImpureGetter* impureGetter = jsCast<ImpureGetter*>(asObject(base.asCell()));
-    impureGetter->setDelegate(exec->vm(), asObject(delegate.asCell()));
+    ImpureGetter* impureGetter = jsDynamicCast<ImpureGetter*>(asObject(base.asCell()));
+    if (UNLIKELY(!impureGetter)) {
+        throwTypeError(exec, scope, ASCIILiteral("argument is not an ImpureGetter"));
+        return encodedJSValue();
+    }
+    impureGetter->setDelegate(vm, asObject(delegate.asCell()));
     return JSValue::encode(jsUndefined());
 }
 
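Review bot: the substantive fix is the switch from `jsCast` to `jsDynamicCast` plus the null check: the removed line cast `base` to `ImpureGetter*` with no runtime type check, so `setDelegate` was invoked on whatever object the script passed (a DataView in the added test) and wrote a delegate into memory that was never an ImpureGetter. The error path is correct as written, `throwTypeError(...)` followed by `return encodedJSValue();`. Two minor points: the message "argument is not an ImpureGetter" does not say which of the two object arguments is wrong, so "first argument is not an ImpureGetter" would be clearer; and `delegate` is only checked with `isObject()`, which matches `setDelegate` taking a `JSObject*`, but the ChangeLog should state that any object is accepted as the delegate so nobody later mistakes that for a missing check.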
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
