Title: [235554] trunk
- Revision
- 235554
- Author
- [email protected]
- Date
- 2018-08-31 09:05:22 -0700 (Fri, 31 Aug 2018)
Log Message
Fix exception check accounting in JSDataView::defineOwnProperty().
https://bugs.webkit.org/show_bug.cgi?id=189186
<rdar://problem/39786049>
Reviewed by Michael Saboff.
JSTests:
* stress/regress-189186.js: Added.
Source/_javascript_Core:
* runtime/JSDataView.cpp:
(JSC::JSDataView::defineOwnProperty):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (235553 => 235554)
--- trunk/JSTests/ChangeLog 2018-08-31 15:52:45 UTC (rev 235553)
+++ trunk/JSTests/ChangeLog 2018-08-31 16:05:22 UTC (rev 235554)
@@ -1,5 +1,15 @@
2018-08-31 Mark Lam <[email protected]>
+ Fix exception check accounting in JSDataView::defineOwnProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=189186
+ <rdar://problem/39786049>
+
+ Reviewed by Michael Saboff.
+
+ * stress/regress-189186.js: Added.
+
+2018-08-31 Mark Lam <[email protected]>
+
Add missing exception check in arrayProtoFuncLastIndexOf().
https://bugs.webkit.org/show_bug.cgi?id=189184
<rdar://problem/39785959>
Added: trunk/JSTests/stress/regress-189186.js (0 => 235554)
--- trunk/JSTests/stress/regress-189186.js (rev 0)
+++ trunk/JSTests/stress/regress-189186.js 2018-08-31 16:05:22 UTC (rev 235554)
@@ -0,0 +1,4 @@
+//@ runDefault
+// This test passes if it does not crash.
+let x = new DataView(new ArrayBuffer(1));
+Object.defineProperty(x, 'foo', {});
Modified: trunk/Source/_javascript_Core/ChangeLog (235553 => 235554)
--- trunk/Source/_javascript_Core/ChangeLog 2018-08-31 15:52:45 UTC (rev 235553)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-08-31 16:05:22 UTC (rev 235554)
@@ -1,5 +1,16 @@
2018-08-31 Mark Lam <[email protected]>
+ Fix exception check accounting in JSDataView::defineOwnProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=189186
+ <rdar://problem/39786049>
+
+ Reviewed by Michael Saboff.
+
+ * runtime/JSDataView.cpp:
+ (JSC::JSDataView::defineOwnProperty):
+
+2018-08-31 Mark Lam <[email protected]>
+
Add missing exception check in arrayProtoFuncLastIndexOf().
https://bugs.webkit.org/show_bug.cgi?id=189184
<rdar://problem/39785959>
Modified: trunk/Source/_javascript_Core/runtime/JSDataView.cpp (235553 => 235554)
--- trunk/Source/_javascript_Core/runtime/JSDataView.cpp 2018-08-31 15:52:45 UTC (rev 235553)
+++ trunk/Source/_javascript_Core/runtime/JSDataView.cpp 2018-08-31 16:05:22 UTC (rev 235554)
@@ -151,6 +151,7 @@
|| propertyName == vm.propertyNames->byteOffset)
return typeError(exec, scope, shouldThrow, "Attempting to define read-only typed array property."_s);
+ scope.release();
return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
