Title: [139640] branches/chromium/1364
Revision
139640
Author
[email protected]
Date
2013-01-14 12:23:02 -0800 (Mon, 14 Jan 2013)

Log Message

Merge 139459
> [Chromium] WebGL typed array constructor crashes on exception
> https://bugs.webkit.org/show_bug.cgi?id=106308
> 
> Reviewed by Kentaro Hara.
> 
> Source/WebCore:
> 
> Check for empty handles (indicating exception thrown) after calls
> into V8 VM.
> 
> Added new case from Khronos typed array conformance tests to
> fast/canvas/webgl/array-unit-tests.html.
> 
> * bindings/v8/custom/V8ArrayBufferViewCustom.h:
> (WebCore::constructWebGLArray):
>     Check for empty handles after calls into V8 VM.
> 
> LayoutTests:
> 
> Updated typed array tests to latest version from Khronos repository.
> 
> * fast/canvas/webgl/array-unit-tests-expected.txt:
> * fast/canvas/webgl/array-unit-tests.html:
> 

[email protected]
Review URL: https://codereview.chromium.org/11889014

Modified Paths

Diff

Modified: branches/chromium/1364/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt (139639 => 139640)


--- branches/chromium/1364/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt	2013-01-14 20:17:58 UTC (rev 139639)
+++ branches/chromium/1364/LayoutTests/fast/canvas/webgl/array-unit-tests-expected.txt	2013-01-14 20:23:02 UTC (rev 139640)
@@ -37,6 +37,7 @@
 PASS Construction of Float32Array with null buffer threw exception
 PASS Construction of Float32Array with (null buffer, 0) threw exception
 PASS Construction of Float32Array with (null buffer, 0, 0) threw exception
+PASS Construction of Float32Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Float32Array with out-of-range number of elements threw an exception
 PASS Construction of Float32Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
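Review bot: this expectation line (repeated for every typed array type below) is keyed on the testPassed string in array-unit-tests.html, and that test reports a pass unconditionally, so the expected file can never record a FAIL for this case; the only signal it carries is that the renderer did not crash while the test ran, which is worth stating in the line text or a comment so a future reader does not mistake it for a check that the exception propagated.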
@@ -92,6 +93,7 @@
 PASS Construction of Float64Array with null buffer threw exception
 PASS Construction of Float64Array with (null buffer, 0) threw exception
 PASS Construction of Float64Array with (null buffer, 0, 0) threw exception
+PASS Construction of Float64Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Float64Array with out-of-range number of elements threw an exception
 PASS Construction of Float64Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -148,6 +150,7 @@
 PASS Construction of Int8Array with null buffer threw exception
 PASS Construction of Int8Array with (null buffer, 0) threw exception
 PASS Construction of Int8Array with (null buffer, 0, 0) threw exception
+PASS Construction of Int8Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Int8Array with out-of-range number of elements threw an exception
 PASS Construction of Int8Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -199,6 +202,7 @@
 PASS Construction of Int16Array with null buffer threw exception
 PASS Construction of Int16Array with (null buffer, 0) threw exception
 PASS Construction of Int16Array with (null buffer, 0, 0) threw exception
+PASS Construction of Int16Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Int16Array with out-of-range number of elements threw an exception
 PASS Construction of Int16Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -255,6 +259,7 @@
 PASS Construction of Int32Array with null buffer threw exception
 PASS Construction of Int32Array with (null buffer, 0) threw exception
 PASS Construction of Int32Array with (null buffer, 0, 0) threw exception
+PASS Construction of Int32Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Int32Array with out-of-range number of elements threw an exception
 PASS Construction of Int32Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -311,6 +316,7 @@
 PASS Construction of Uint8Array with null buffer threw exception
 PASS Construction of Uint8Array with (null buffer, 0) threw exception
 PASS Construction of Uint8Array with (null buffer, 0, 0) threw exception
+PASS Construction of Uint8Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint8Array with out-of-range number of elements threw an exception
 PASS Construction of Uint8Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -362,6 +368,7 @@
 PASS Construction of Uint8ClampedArray with null buffer threw exception
 PASS Construction of Uint8ClampedArray with (null buffer, 0) threw exception
 PASS Construction of Uint8ClampedArray with (null buffer, 0, 0) threw exception
+PASS Construction of Uint8ClampedArray with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint8ClampedArray with out-of-range number of elements threw an exception
 PASS Construction of Uint8ClampedArray with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -413,6 +420,7 @@
 PASS Construction of Uint16Array with null buffer threw exception
 PASS Construction of Uint16Array with (null buffer, 0) threw exception
 PASS Construction of Uint16Array with (null buffer, 0, 0) threw exception
+PASS Construction of Uint16Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint16Array with out-of-range number of elements threw an exception
 PASS Construction of Uint16Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception
@@ -469,6 +477,7 @@
 PASS Construction of Uint32Array with null buffer threw exception
 PASS Construction of Uint32Array with (null buffer, 0) threw exception
 PASS Construction of Uint32Array with (null buffer, 0, 0) threw exception
+PASS Construction of Uint32Array with exception-throwing array-like object didn't crash unexpectedly
 PASS Construction of Uint32Array with out-of-range number of elements threw an exception
 PASS Construction of Uint32Array with out-of-range offset threw an exception
 PASS Construction of ArrayBuffer with negative size threw exception

Modified: branches/chromium/1364/LayoutTests/fast/canvas/webgl/array-unit-tests.html (139639 => 139640)


--- branches/chromium/1364/LayoutTests/fast/canvas/webgl/array-unit-tests.html	2013-01-14 20:17:58 UTC (rev 139639)
+++ branches/chromium/1364/LayoutTests/fast/canvas/webgl/array-unit-tests.html	2013-01-14 20:23:02 UTC (rev 139640)
@@ -544,6 +544,16 @@
     }
 }
 
+function testConstructionWithExceptionThrowingObject(type, name) {
+    var o = {};
+    Object.defineProperty(o, "length", { get: function() { throw "bail;" }});
+    try {
+        var array = new type(o);
+    } catch (e) {
+    }
+    testPassed("Construction of " + name + " with exception-throwing array-like object didn't crash unexpectedly");
+}
+
 function shouldThrowIndexSizeErr(func, text) {
     var errorText = text + " should throw an exception";
     try {
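Review bot: testConstructionWithExceptionThrowingObject swallows the exception in an empty catch and calls testPassed unconditionally, so it only proves the constructor did not crash; it does not verify that the exception thrown by the length getter actually reached script. Suggest recording the outcome and checking it, e.g. `var threw = false;` before the try, `catch (e) { threw = (e === "bail;"); }`, and then `threw ? testPassed(...) : testFailed(...)`. Also, the literal `"bail;"` has the semicolon inside the quotes; `throw "bail";` is presumably what was meant, and the comparison above should match whichever spelling is kept.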
@@ -1063,6 +1073,7 @@
                                        testCase.testValues,
                                        testCase.expectedValues);
     testConstructionWithNullBuffer(type, name);
+    testConstructionWithExceptionThrowingObject(type, name);
     testConstructionWithOutOfRangeValues(type, name);
     testConstructionWithNegativeOutOfRangeValues(type, name);
     testConstructionWithUnalignedOffset(type, name, testCase.elementSizeInBytes);

Modified: branches/chromium/1364/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h (139639 => 139640)


--- branches/chromium/1364/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h	2013-01-14 20:17:58 UTC (rev 139639)
+++ branches/chromium/1364/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h	2013-01-14 20:23:02 UTC (rev 139640)
@@ -171,7 +171,12 @@
         srcArray = args[0]->ToObject();
         if (srcArray.IsEmpty())
             return throwTypeError("Could not convert argument 0 to an array", args.GetIsolate());
-        len = toUInt32(srcArray->Get(v8::String::NewSymbol("length")));
+        v8::Local<v8::Value> val = srcArray->Get(v8::String::NewSymbol("length"));
+        if (val.IsEmpty()) {
+            // Exception thrown during fetch of length property.
+            return v8Undefined();
+        }
+        len = toUInt32(val);
         doInstantiation = true;
     } else {
         bool ok = false;
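Review bot: the new IsEmpty() check catches a throwing length getter, but the following `len = toUInt32(val);` is still unchecked; if the length property is an object, the ToUint32 conversion can run user-defined valueOf/toString and throw, leaving the same situation this hunk is fixing. Either check that the conversion succeeded before using len, or document why an exception from the conversion is safe here. Returning v8Undefined() relies on the pending V8 exception propagating out of the constructor callback; a comment saying so next to the return would help the next reader.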
@@ -208,8 +213,14 @@
     if (!srcArray.IsEmpty()) {
         bool copied = copyElements(args.Holder(), srcArray, len, 0, args.GetIsolate());
         if (!copied) {
-            for (unsigned i = 0; i < len; i++)
-                array->set(i, srcArray->Get(i)->NumberValue());
+            for (unsigned i = 0; i < len; i++) {
+                v8::Local<v8::Value> val = srcArray->Get(i);
+                if (val.IsEmpty()) {
+                    // Exception thrown during fetch.
+                    return v8Undefined();
+                }
+                array->set(i, val->NumberValue());
+            }
         }
     }
 
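Review bot: the loop now checks `srcArray->Get(i)` for an empty handle, but `val->NumberValue()` on the next line can also invoke user-defined valueOf/toString and throw, and its result is stored without a check; for consistency with the Get(i) check, convert first and bail if the conversion fails. Returning v8Undefined() part-way through the loop leaves the array partially filled, which is fine because the wrapper is discarded, but a comment noting that would make the early return easier to review. Since `len` was read once before this loop, a getter that shrinks the source during the copy is handled by Get(i) returning undefined (stored as NaN) rather than by reading out of bounds, which is the intended behaviour.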
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
