Merge r221711 - constructGenericTypedArrayViewWithArguments() is miss…

…ing an exception check. https://bugs.webkit.org/show_bug.cgi?id=176485 <rdar://problem/33898874> Reviewed by Keith Miller. JSTests: * stress/regress-176485.js: Added. Source/JavaScriptCore: * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayViewWithArguments):
WebKit · Nov 8, 2017 · ab9d166 · ab9d166
1 parent c3cc21a
commit ab9d166
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 2 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2017-09-06  Mark Lam  <mark.lam@apple.com>
+
+        constructGenericTypedArrayViewWithArguments() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=176485
+        <rdar://problem/33898874>
+
+        Reviewed by Keith Miller.
+
+        * stress/regress-176485.js: Added.
+
 2017-10-09  Oleksandr Skachkov  <gskachkov@gmail.com>
 
         Safari 10 /11 problem with if (!await get(something)).

diff --git a/JSTests/stress/regress-176485.js b/JSTests/stress/regress-176485.js
@@ -0,0 +1,11 @@
+var exception;
+try {
+    a2 = {};//some method ok//what ever object//Date()
+    Object.defineProperty(a2, "length",{get: Int32Array});//Int32Array here wrong,need a function
+    new Int32Array(this.a2);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "TypeError: calling Int32Array constructor without new is invalid")
+    throw "Exception not thrown";
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2017-09-06  Mark Lam  <mark.lam@apple.com>
+
+        constructGenericTypedArrayViewWithArguments() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=176485
+        <rdar://problem/33898874>
+
+        Reviewed by Keith Miller.
+
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewWithArguments):
+
 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
 
         [mips] fix offsets of branches that have to go over a jump

diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
@@ -185,8 +185,14 @@ inline JSObject* constructGenericTypedArrayViewWithArguments(ExecState* exec, St
                     return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
             }
 
-            length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
-            RETURN_IF_EXCEPTION(scope, nullptr);
+            if (lengthSlot.isUnset())
+                length = 0;
+            else {
+                JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+                length = value.toUInt32(exec);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+            }
         }