Title: [243079] trunk
- Revision: 243079
- Author: [email protected]
- Date: 2019-03-18 10:36:48 -0700 (Mon, 18 Mar 2019)
Log Message
Missing a ThrowScope release in JSObject::toString().
https://bugs.webkit.org/show_bug.cgi?id=195893
<rdar://problem/48970986>
Reviewed by Michael Saboff.
JSTests:
* stress/to-string-exception-check-release.js: Added.
Source/JavaScriptCore:
Placate the validator with a RELEASE_AND_RETURN().
* runtime/JSObject.cpp:
(JSC::JSObject::toString const):
Diff
Modified: trunk/JSTests/ChangeLog (243078 => 243079)
--- trunk/JSTests/ChangeLog 2019-03-18 17:13:17 UTC (rev 243078)
+++ trunk/JSTests/ChangeLog 2019-03-18 17:36:48 UTC (rev 243079)
@@ -1,5 +1,15 @@
2019-03-18 Mark Lam <[email protected]>
+ Missing a ThrowScope release in JSObject::toString().
+ https://bugs.webkit.org/show_bug.cgi?id=195893
+ <rdar://problem/48970986>
+
+ Reviewed by Michael Saboff.
+
+ * stress/to-string-exception-check-release.js: Added.
+
+2019-03-18 Mark Lam <[email protected]>
+
Structure::flattenDictionary() should clear unused property slots.
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>
Added: trunk/JSTests/stress/to-string-exception-check-release.js (0 => 243079)
--- trunk/JSTests/stress/to-string-exception-check-release.js (rev 0)
+++ trunk/JSTests/stress/to-string-exception-check-release.js 2019-03-18 17:36:48 UTC (rev 243079)
@@ -0,0 +1,5 @@
+// This test should not fail exception check validation.
+
+let s = new String();
+s.toString = ()=>{}
+JSON.stringify(s);
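Review bot: The test never checks the value returned by JSON.stringify(s), so it can only fail in a run where exception check validation is active, which is what the leading comment implies but nothing in the file enforces. Consider also asserting on the result, so the test guards the conversion path taken after the overridden toString returns undefined, and add the missing semicolon after `s.toString = ()=>{}`.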
Modified: trunk/Source/_javascript_Core/ChangeLog (243078 => 243079)
--- trunk/Source/_javascript_Core/ChangeLog 2019-03-18 17:13:17 UTC (rev 243078)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-03-18 17:36:48 UTC (rev 243079)
@@ -1,5 +1,18 @@
2019-03-18 Mark Lam <[email protected]>
+ Missing a ThrowScope release in JSObject::toString().
+ https://bugs.webkit.org/show_bug.cgi?id=195893
+ <rdar://problem/48970986>
+
+ Reviewed by Michael Saboff.
+
+ Placate the validator with a RELEASE_AND_RETURN().
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::toString const):
+
+2019-03-18 Mark Lam <[email protected]>
+
Structure::flattenDictionary() should clear unused property slots.
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (243078 => 243079)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2019-03-18 17:13:17 UTC (rev 243078)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2019-03-18 17:36:48 UTC (rev 243079)
@@ -2435,7 +2435,7 @@
auto scope = DECLARE_THROW_SCOPE(vm);
JSValue primitive = toPrimitive(exec, PreferString);
RETURN_IF_EXCEPTION(scope, jsEmptyString(exec));
- return primitive.toString(exec);
+ RELEASE_AND_RETURN(scope, primitive.toString(exec));
}
JSValue JSObject::toThis(JSCell* cell, ExecState*, ECMAMode)
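Review bot: In JSObject::toString(), `RELEASE_AND_RETURN(scope, primitive.toString(exec));` hands the exception check for primitive.toString(exec) to the caller, whereas the preceding `RETURN_IF_EXCEPTION(scope, jsEmptyString(exec));` handles the toPrimitive() failure locally. The ChangeLog's "Placate the validator" does not record that reasoning. A short sentence there or a comment at the call site, saying that the tail call can throw and that callers are expected to check, would make it clear the release is intentional rather than a way to silence the validation.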
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes