Title: [139459] trunk
Revision
139459
Author
[email protected]
Date
2013-01-11 10:39:10 -0800 (Fri, 11 Jan 2013)

Log Message

[Chromium] WebGL typed array constructor crashes on exception
https://bugs.webkit.org/show_bug.cgi?id=106308

Reviewed by Kentaro Hara.

Source/WebCore:

Check for empty handles (indicating exception thrown) after calls
into V8 VM.

Added new case from Khronos typed array conformance tests to
fast/canvas/webgl/array-unit-tests.html.

* bindings/v8/custom/V8ArrayBufferViewCustom.h:
(WebCore::constructWebGLArray):
    Check for empty handles after calls into V8 VM.

LayoutTests:

Updated typed array tests to latest version from Khronos repository.

* fast/canvas/webgl/array-unit-tests-expected.txt:
* fast/canvas/webgl/array-unit-tests.html:
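The commit guards two places where the typed array constructor re-enters script: the fetch of the source object's "length" and the per-element fetch/conversion in the copy loop. The following script-side check, added here and not part of the WebKit commit or the Khronos suite, builds an array-like source for each of those paths and confirms that construction surfaces a catchable exception for every constructor named in the expected results (the helper names and error messages are my own).

```javascript
// Constructors listed in array-unit-tests-expected.txt.
const TYPED_ARRAYS = [Float32Array, Float64Array, Int8Array, Int16Array, Int32Array,
  Uint8Array, Uint8ClampedArray, Uint16Array, Uint32Array];

// Path 1: array-like whose "length" getter throws (same shape as the
// Khronos test case; constructed here for the example).
function throwingLengthSource() {
  const o = {};
  Object.defineProperty(o, "length", { get() { throw new Error("length getter bailed"); } });
  return o;
}

// Path 2: array-like whose second element throws when converted to a
// number, i.e. the element fetch/NumberValue() step of the copy loop.
function throwingElementSource() {
  return { length: 3, 0: 1, 1: { valueOf() { throw new Error("element 1 bailed"); } }, 2: 3 };
}

// Construct `type` from `source` and report whether the exception
// surfaced as a catchable JS exception (the post-fix behaviour) rather
// than construction silently succeeding.
function constructAndReport(type, source) {
  try {
    const arr = new type(source);
    return { threw: false, length: arr.length };
  } catch (e) {
    return { threw: true, message: e.message };
  }
}

// Run both sources through every constructor; returns name -> results.
function runConformanceSweep() {
  const results = {};
  for (const type of TYPED_ARRAYS) {
    results[type.name] = {
      length: constructAndReport(type, throwingLengthSource()),
      element: constructAndReport(type, throwingElementSource()),
    };
  }
  return results;
}
```

Unlike the page's own test, which only passes or fails on "did not crash", this sweep fails if a constructor completes without throwing.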

Diff

Modified: trunk/LayoutTests/ChangeLog (139458 => 139459)


--- trunk/LayoutTests/ChangeLog	2013-01-11 18:37:25 UTC (rev 139458)
+++ trunk/LayoutTests/ChangeLog	2013-01-11 18:39:10 UTC (rev 139459)
@@ -1,3 +1,15 @@
+2013-01-11  Kenneth Russell  <[email protected]>
+
+        [Chromium] WebGL typed array constructor crashes on exception
+        https://bugs.webkit.org/show_bug.cgi?id=106308
+
+        Reviewed by Kentaro Hara.
+
+        Updated typed array tests to latest version from Khronos repository.
+
+        * fast/canvas/webgl/array-unit-tests-expected.txt:
+        * fast/canvas/webgl/array-unit-tests.html:
+
 2013-01-11  Florin Malita  <[email protected]>
 
         [SVG] Suppress resource rebuilding for unattached and shadow elements

Modified: trunk/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt (139458 => 139459)


--- trunk/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt	2013-01-11 18:37:25 UTC (rev 139458)
+++ trunk/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt	2013-01-11 18:39:10 UTC (rev 139459)
@@ -37,6 +37,7 @@
 PASS Construction of Float32Array with null buffer threw exception
 PASS Construction of Float32Array with (null buffer, 0) threw exception
 PASS Construction of Float32Array with (null buffer, 0, 0) threw exception
+PASS Construction of Float32Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Float32Array with out-of-range number of elements threw an exception
 PASS Construction of Float32Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -92,6 +93,7 @@
 PASS Construction of Float64Array with null buffer threw exception
 PASS Construction of Float64Array with (null buffer, 0) threw exception
 PASS Construction of Float64Array with (null buffer, 0, 0) threw exception
+PASS Construction of Float64Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Float64Array with out-of-range number of elements threw an exception
 PASS Construction of Float64Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -148,6 +150,7 @@
 PASS Construction of Int8Array with null buffer threw exception
 PASS Construction of Int8Array with (null buffer, 0) threw exception
 PASS Construction of Int8Array with (null buffer, 0, 0) threw exception
+PASS Construction of Int8Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Int8Array with out-of-range number of elements threw an exception
 PASS Construction of Int8Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -199,6 +202,7 @@
 PASS Construction of Int16Array with null buffer threw exception
 PASS Construction of Int16Array with (null buffer, 0) threw exception
 PASS Construction of Int16Array with (null buffer, 0, 0) threw exception
+PASS Construction of Int16Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Int16Array with out-of-range number of elements threw an exception
 PASS Construction of Int16Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -255,6 +259,7 @@
 PASS Construction of Int32Array with null buffer threw exception
 PASS Construction of Int32Array with (null buffer, 0) threw exception
 PASS Construction of Int32Array with (null buffer, 0, 0) threw exception
+PASS Construction of Int32Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Int32Array with out-of-range number of elements threw an exception
 PASS Construction of Int32Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -311,6 +316,7 @@
 PASS Construction of Uint8Array with null buffer threw exception
 PASS Construction of Uint8Array with (null buffer, 0) threw exception
 PASS Construction of Uint8Array with (null buffer, 0, 0) threw exception
+PASS Construction of Uint8Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint8Array with out-of-range number of elements threw an exception
 PASS Construction of Uint8Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -362,6 +368,7 @@
 PASS Construction of Uint8ClampedArray with null buffer threw exception
 PASS Construction of Uint8ClampedArray with (null buffer, 0) threw exception
 PASS Construction of Uint8ClampedArray with (null buffer, 0, 0) threw exception
+PASS Construction of Uint8ClampedArray with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint8ClampedArray with out-of-range number of elements threw an exception
 PASS Construction of Uint8ClampedArray with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -413,6 +420,7 @@
 PASS Construction of Uint16Array with null buffer threw exception
 PASS Construction of Uint16Array with (null buffer, 0) threw exception
 PASS Construction of Uint16Array with (null buffer, 0, 0) threw exception
+PASS Construction of Uint16Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint16Array with out-of-range number of elements threw an exception
 PASS Construction of Uint16Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -469,6 +477,7 @@
 PASS Construction of Uint32Array with null buffer threw exception
 PASS Construction of Uint32Array with (null buffer, 0) threw exception
 PASS Construction of Uint32Array with (null buffer, 0, 0) threw exception
+PASS Construction of Uint32Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint32Array with out-of-range number of elements threw an exception
 PASS Construction of Uint32Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception

Modified: trunk/LayoutTests/fast/canvas/webgl/array-unit-tests.html (139458 => 139459)


--- trunk/LayoutTests/fast/canvas/webgl/array-unit-tests.html	2013-01-11 18:37:25 UTC (rev 139458)
+++ trunk/LayoutTests/fast/canvas/webgl/array-unit-tests.html	2013-01-11 18:39:10 UTC (rev 139459)
@@ -544,6 +544,16 @@
     }
 }
 
+function testConstructionWithExceptionThrowingObject(type, name) {
+    var o = {};
+    Object.defineProperty(o, "length", { get: function() { throw "bail;" }});
+    try {
+        var array = new type(o);
+    } catch (e) {
+    }
+    testPassed("Construction of " + name + " with exception-throwing array-like object didn't crash unexpectedly");
+}
+
 function shouldThrowIndexSizeErr(func, text) {
     var errorText = text + " should throw an exception";
     try {
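Review bot: The empty catch block in testConstructionWithExceptionThrowingObject swallows the outcome, so the test also passes when `new type(o)` completes without throwing, which is not the behaviour the fix establishes; record whether the catch ran and report a failure if construction succeeded, so the case checks propagation and not just the absence of a crash. Minor: in `throw "bail;"` the semicolon sits inside the string literal, and `var array` is never read.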
@@ -1063,6 +1073,7 @@
                                        testCase.testValues,
                                        testCase.expectedValues);
     testConstructionWithNullBuffer(type, name);
+    testConstructionWithExceptionThrowingObject(type, name);
     testConstructionWithOutOfRangeValues(type, name);
     testConstructionWithNegativeOutOfRangeValues(type, name);
     testConstructionWithUnalignedOffset(type, name, testCase.elementSizeInBytes);

Modified: trunk/Source/WebCore/ChangeLog (139458 => 139459)


--- trunk/Source/WebCore/ChangeLog	2013-01-11 18:37:25 UTC (rev 139458)
+++ trunk/Source/WebCore/ChangeLog	2013-01-11 18:39:10 UTC (rev 139459)
@@ -1,3 +1,20 @@
+2013-01-11  Kenneth Russell  <[email protected]>
+
+        [Chromium] WebGL typed array constructor crashes on exception
+        https://bugs.webkit.org/show_bug.cgi?id=106308
+
+        Reviewed by Kentaro Hara.
+
+        Check for empty handles (indicating exception thrown) after calls
+        into V8 VM.
+
+        Added new case from Khronos typed array conformance tests to
+        fast/canvas/webgl/array-unit-tests.html.
+
+        * bindings/v8/custom/V8ArrayBufferViewCustom.h:
+        (WebCore::constructWebGLArray):
+            Check for empty handles after calls into V8 VM.
+
 2013-01-11  Kentaro Hara  <[email protected]>
 
         [V8] Slightly optimize getWrapperFast()

Modified: trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h (139458 => 139459)


--- trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h	2013-01-11 18:37:25 UTC (rev 139458)
+++ trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h	2013-01-11 18:39:10 UTC (rev 139459)
@@ -171,7 +171,12 @@
         srcArray = args[0]->ToObject();
         if (srcArray.IsEmpty())
             return throwTypeError("Could not convert argument 0 to an array", args.GetIsolate());
-        len = toUInt32(srcArray->Get(v8::String::NewSymbol("length")));
+        v8::Local<v8::Value> val = srcArray->Get(v8::String::NewSymbol("length"));
+        if (val.IsEmpty()) {
+            // Exception thrown during fetch of length property.
+            return v8Undefined();
+        }
+        len = toUInt32(val);
         doInstantiation = true;
     } else {
         bool ok = false;
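Review bot: The new IsEmpty() check covers the Get of "length", but `len = toUInt32(val)` on the next line can itself run script when `val` is an object (its valueOf/toString), and an exception raised there is not checked before `len` is used; consider re-checking for a pending exception after the conversion, or converting through a path that reports it. The bail-out itself is right: returning v8Undefined() on an empty handle lets the pending V8 exception propagate instead of dereferencing the handle.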
@@ -208,8 +213,14 @@
     if (!srcArray.IsEmpty()) {
         bool copied = copyElements(args.Holder(), srcArray, len, 0, args.GetIsolate());
         if (!copied) {
-            for (unsigned i = 0; i < len; i++)
-                array->set(i, srcArray->Get(i)->NumberValue());
+            for (unsigned i = 0; i < len; i++) {
+                v8::Local<v8::Value> val = srcArray->Get(i);
+                if (val.IsEmpty()) {
+                    // Exception thrown during fetch.
+                    return v8Undefined();
+                }
+                array->set(i, val->NumberValue());
+            }
         }
     }
 
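Review bot: The same gap exists in the element loop: `srcArray->Get(i)` is now guarded, but `val->NumberValue()` on the following line can re-enter script for object elements (valueOf/toString) and throw, and the loop does not check for that; the same empty-handle style check, or a TryCatch around the conversion, belongs after the conversion too. Since script runs on every iteration, bailing out and leaving the partially filled array to be discarded with the propagating exception, as the v8Undefined() return does, is the safe choice.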
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
