From ab9d166c6e21bb6332bfaebc64108bb98d6b064b Mon Sep 17 00:00:00 2001
From: Mark Lam
Date: Wed, 8 Nov 2017 08:22:40 +0000
Subject: [PATCH] Merge r221711 - constructGenericTypedArrayViewWithArguments() is missing an exception check. https://bugs.webkit.org/show_bug.cgi?id=176485 Reviewed by Keith Miller. JSTests: * stress/regress-176485.js: Added. Source/JavaScriptCore: * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayViewWithArguments):
---
 JSTests/ChangeLog | 10 ++++++++++
 JSTests/stress/regress-176485.js | 11 +++++++++++
 Source/JavaScriptCore/ChangeLog | 11 +++++++++++
 .../JSGenericTypedArrayViewConstructorInlines.h | 10 ++++++++--
 4 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 JSTests/stress/regress-176485.js
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 3308d7bb567f..00f35e1b37a7 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2017-09-06 Mark Lam
+
+ constructGenericTypedArrayViewWithArguments() is missing an exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=176485
+
+
+ Reviewed by Keith Miller.
+
+ * stress/regress-176485.js: Added.
+
 2017-10-09 Oleksandr Skachkov
 
 Safari 10 /11 problem with if (!await get(something)).
diff --git a/JSTests/stress/regress-176485.js b/JSTests/stress/regress-176485.js
new file mode 100644
index 000000000000..20fe84315670
--- /dev/null
+++ b/JSTests/stress/regress-176485.js
@@ -0,0 +1,11 @@
+var exception;
+try {
+ a2 = {};//some method ok//what ever object//Date()
+ Object.defineProperty(a2, "length",{get: Int32Array});//Int32Array here wrong,need a function
+ new Int32Array(this.a2);
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "TypeError: calling Int32Array constructor without new is invalid")
+ throw "Exception not thrown";
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index abf59b3e5b8d..a4b4a83730cb 100644
--- a/Source/JavaScriptCore/ChangeLog
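Review bot: The final `throw "Exception not thrown"` in regress-176485.js fires on any mismatch, including the case where an exception was thrown but with a different message, so the failure text is misleading exactly when the guard trips. Reporting the observed value, `throw "Unexpected exception: " + exception;`, keeps a future regression diagnosable from the log. The inline comments on the `a2` and `defineProperty` lines are hard to follow; a single comment such as `// The "length" getter throws (Int32Array called without new), so the constructor must check for an exception right after reading it` would state what the test exercises.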
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2017-09-06 Mark Lam
+
+ constructGenericTypedArrayViewWithArguments() is missing an exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=176485
+
+
+ Reviewed by Keith Miller.
+
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewWithArguments):
+
 2017-10-24 Guillaume Emont
 
 [mips] fix offsets of branches that have to go over a jump
diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
index c1c78929cf8e..0eae871067ed 100644
--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
@@ -185,8 +185,14 @@ inline JSObject* constructGenericTypedArrayViewWithArguments(ExecState* exec, St
 return constructGenericTypedArrayViewFromIterator(exec, structure, iterator);
 }
- length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
- RETURN_IF_EXCEPTION(scope, nullptr);
+ if (lengthSlot.isUnset())
+ length = 0;
+ else {
+ JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);
+ RETURN_IF_EXCEPTION(scope, nullptr);
+ length = value.toUInt32(exec);
+ RETURN_IF_EXCEPTION(scope, nullptr);
+ }
 }