Title: [110352] trunk
Revision: 110352
Author: [email protected]
Date: 2012-03-09 17:20:01 -0800 (Fri, 09 Mar 2012)

Log Message

Array.prototype.toLocaleString visits elements in wrong order under certain conditions
https://bugs.webkit.org/show_bug.cgi?id=80663

Reviewed by Michael Saboff.

The bug here is actually that we're continuing to process the array after an exception
has been thrown, and that the second value thrown is overriding the first.

Source/JavaScriptCore:

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToLocaleString):

LayoutTests: 

* fast/js/array-prototype-properties-expected.txt:
* fast/js/script-tests/array-prototype-properties.js:

Diff

Modified: trunk/LayoutTests/ChangeLog (110351 => 110352)


--- trunk/LayoutTests/ChangeLog	2012-03-10 01:03:10 UTC (rev 110351)
+++ trunk/LayoutTests/ChangeLog	2012-03-10 01:20:01 UTC (rev 110352)
@@ -1,3 +1,16 @@
+2012-03-09  Gavin Barraclough  <[email protected]>
+
+        Array.prototype.toLocaleString visits elements in wrong order under certain conditions
+        https://bugs.webkit.org/show_bug.cgi?id=80663
+
+        Reviewed by Michael Saboff.
+
+        The bug here is actually that we're continuing to process the array after an exception
+        has been thrown, and that the second value throw is overriding the first.
+
+        * fast/js/array-prototype-properties-expected.txt:
+        * fast/js/script-tests/array-prototype-properties.js:
+
 2012-03-09  Ojan Vafai  <[email protected]>
 
         So many Chromium-Lion rebaselines. :(
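
Review bot: The two file entries at the end of this ChangeLog addition (`* fast/js/array-prototype-properties-expected.txt:` and `* fast/js/script-tests/array-prototype-properties.js:`) carry no description. Suggest stating that a test for exception ordering in Array.prototype.toLocaleString was added, and that the script change also corrects a comment ("show in toObject" to "throw in toObject"), since the entry mentions neither.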

Modified: trunk/LayoutTests/fast/js/array-prototype-properties-expected.txt (110351 => 110352)


--- trunk/LayoutTests/fast/js/array-prototype-properties-expected.txt	2012-03-10 01:03:10 UTC (rev 110351)
+++ trunk/LayoutTests/fast/js/array-prototype-properties-expected.txt	2012-03-10 01:20:01 UTC (rev 110352)
@@ -24,6 +24,7 @@
 PASS Array.prototype.reduce.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.reduce.call(undefined, toString)').
 PASS Array.prototype.reduceRight.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.reduceRight.call(undefined, toString)').
 PASS Array.prototype.map.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.map.call(undefined, toString)').
+PASS [{toLocaleString:function(){throw 1}},{toLocaleString:function(){throw 2}}].toLocaleString() threw exception 1.
 PASS successfullyParsed is true
 
 TEST COMPLETE
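
Review bot: The added PASS line records only which value was reported (`threw exception 1`), so it confirms that the first exception is no longer overridden but not that iteration stops. The log message says the array was still being processed after the throw; a case where the second element's toLocaleString records a side effect instead of throwing, followed by a check that the side effect did not happen, would pin that down.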

Modified: trunk/LayoutTests/fast/js/script-tests/array-prototype-properties.js (110351 => 110352)


--- trunk/LayoutTests/fast/js/script-tests/array-prototype-properties.js	2012-03-10 01:03:10 UTC (rev 110351)
+++ trunk/LayoutTests/fast/js/script-tests/array-prototype-properties.js	2012-03-10 01:20:01 UTC (rev 110352)
@@ -2,7 +2,7 @@
 'This is a test case for <a https://bugs.webkit.org/show_bug.cgi?id=64679">bug 64679</a>.'
 );
 
-// These calls pass undefined as this value, and as such should show in toObject.
+// These calls pass undefined as this value, and as such should throw in toObject.
 shouldThrow("Array.prototype.toString.call(undefined)");
 shouldThrow("Array.prototype.toLocaleString.call(undefined)");
 shouldThrow("Array.prototype.concat.call(undefined, [])");
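
Review bot: The unchanged description string at the top of this hunk has a malformed link, `<a https://bugs.webkit.org/show_bug.cgi?id=64679">`, with no `href="` before the URL. Since this hunk is already correcting the comment below it, fix the anchor in the same change. The description also names only bug 64679 while the file now carries a test for bug 80663.
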
@@ -24,3 +24,6 @@
 shouldThrow("Array.prototype.reduce.call(undefined, toString)");
 shouldThrow("Array.prototype.reduceRight.call(undefined, toString)");
 shouldThrow("Array.prototype.map.call(undefined, toString)");
+
+// Test exception ordering in Array.prototype.toLocaleString ( https://bugs.webkit.org/show_bug.cgi?id=80663 )
+shouldThrow("[{toLocaleString:function(){throw 1}},{toLocaleString:function(){throw 2}}].toLocaleString()", '1');
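
Review bot: The new shouldThrow case exercises only a throwing toLocaleString call, which is one of the three hadException() checks added in ArrayPrototype.cpp. Nothing here covers the check after `thisObj->get(exec, k)` (an array index whose getter throws) or the check after the `toLocaleString` property lookup (an element whose toLocaleString getter throws). Suggest adding one case for each so that every early return has a test.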

Modified: trunk/Source/_javascript_Core/ChangeLog (110351 => 110352)


--- trunk/Source/_javascript_Core/ChangeLog	2012-03-10 01:03:10 UTC (rev 110351)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-03-10 01:20:01 UTC (rev 110352)
@@ -1,3 +1,16 @@
+2012-03-09  Gavin Barraclough  <[email protected]>
+
+        Array.prototype.toLocaleString visits elements in wrong order under certain conditions
+        https://bugs.webkit.org/show_bug.cgi?id=80663
+
+        Reviewed by Michael Saboff.
+
+        The bug here is actually that we're continuing to process the array after an exception
+        has been thrown, and that the second value throw is overriding the first.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncToLocaleString):
+
 2012-03-09  Ryosuke Niwa  <[email protected]>
 
         WebKit compiled by gcc (Xcode 3.2.6) hangs while running DOM/Accessors.html
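
Review bot: The headline of this entry still describes the symptom ("visits elements in wrong order") while the body says the real defect is continuing after an exception, and the `(JSC::arrayProtoFuncToLocaleString):` line has no description. Suggest noting under the function name that it now returns early when an exception is pending after the element get, after the toLocaleString lookup, and after the conversion call.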

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (110351 => 110352)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2012-03-10 01:03:10 UTC (rev 110351)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2012-03-10 01:20:01 UTC (rev 110352)
@@ -349,9 +349,13 @@
             strBuffer.append(',');
 
         JSValue element = thisObj->get(exec, k);
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
         if (!element.isUndefinedOrNull()) {
             JSObject* o = element.toObject(exec);
             JSValue conversionFunction = o->get(exec, exec->propertyNames().toLocaleString);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
             UString str;
             CallData callData;
             CallType callType = getCallData(conversionFunction, callData);
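
Review bot: `element.toObject(exec)` sits between the two checks added here and has no check of its own. It is guarded by `!element.isUndefinedOrNull()`, which excludes the values for which ToObject throws, so the omission looks intentional; a short comment saying so would save the next reader from wondering whether a check was missed.
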
@@ -359,6 +363,8 @@
                 str = call(exec, conversionFunction, callType, callData, element, exec->emptyList()).toString(exec)->value(exec);
             else
                 str = element.toString(exec)->value(exec);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
             strBuffer.append(str);
         }
     }
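
Review bot: In the callable branch the new check runs only after the whole chained expression `call(...).toString(exec)->value(exec)`, so when call() raises, toString() is still invoked on call()'s return value before hadException() is tested. Suggest splitting the expression so the result of call() is checked before it is converted; that also keeps an exception raised during the conversion from replacing the first one, which is the overriding pattern the log message describes.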