Changeset 204388 in webkit


Timestamp:
Aug 11, 2016 2:21:55 PM (8 years ago)
Author:
mark.lam@apple.com
Message:

The jsc shell's Element host constructor should throw if it fails to construct an object.
https://bugs.webkit.org/show_bug.cgi?id=160773
<rdar://problem/27328608>

Reviewed by Saam Barati.

JSTests:

  • stress/generational-opaque-roots.js:

Source/JavaScriptCore:

The Element object is a test object provided in the jsc shell for testing use only.
JavaScriptCore expects host constructors to either throw an error or return a
constructed object. Element has a host constructor that did not obey this contract.
As a result, the following statement will fail a RELEASE_ASSERT:

new (Element.bind())

This is now fixed.

  • jsc.cpp:

(functionCreateElement):

Location:
trunk
Files:
4 edited

  • trunk/JSTests/ChangeLog

    r204387 r204388  
    1 2016-08-10  Mark Lam  <mark.lam@apple.com>
     12016-08-11  Mark Lam  <mark.lam@apple.com>
     2
     3        The jsc shell's Element host constructor should throw if it fails to construct an object.
     4        https://bugs.webkit.org/show_bug.cgi?id=160773
     5        <rdar://problem/27328608>
     6
     7        Reviewed by Saam Barati.
     8
     9        * stress/generational-opaque-roots.js:
     10
     112016-08-11  Mark Lam  <mark.lam@apple.com>
    212
    313        Disallow synchronous sweeping for eden GCs.
  • trunk/JSTests/stress/generational-opaque-roots.js

    r164935 r204388  
    11// Tests that opaque roots behave correctly during young generation collections
     2
     3try {
     4    // regression test for bug 160773.  This should not crash.
     5    new (Element.bind());
     6} catch(e) {
     7}
    28
    39// Create the primary Root.
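Review bot: The regression test at new lines 3-7 passes whether or not `new (Element.bind())` throws, because the empty `catch(e) { }` swallows the exception and nothing records that one was raised. The commit message says the constructor must now throw, so set a flag inside the catch block and throw after the `try` if it is still unset; that way the test checks the host-constructor contract and not only the absence of a crash. The case is also unrelated to this file's stated purpose ("opaque roots behave correctly during young generation collections"), so a separate stress test named for bug 160773 would be easier to find later.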
  • trunk/Source/JavaScriptCore/ChangeLog

    r204387 r204388  
    1 2016-08-10  Mark Lam  <mark.lam@apple.com>
     12016-08-11  Mark Lam  <mark.lam@apple.com>
     2
     3        The jsc shell's Element host constructor should throw if it fails to construct an object.
     4        https://bugs.webkit.org/show_bug.cgi?id=160773
     5        <rdar://problem/27328608>
     6
     7        Reviewed by Saam Barati.
     8
     9        The Element object is a test object provided in the jsc shell for testing use only.
     10        JavaScriptCore expects host constructors to either throw an error or return a
     11        constructed object.  Element has a host constructor that did not obey this contract.
     12        As a result, the following statement will fail a RELEASE_ASSERT:
     13
     14            new (Element.bind())
     15
     16        This is now fixed.
     17
     18        * jsc.cpp:
     19        (functionCreateElement):
     20
     212016-08-11  Mark Lam  <mark.lam@apple.com>
    222
    323        Disallow synchronous sweeping for eden GCs.
  • trunk/Source/JavaScriptCore/jsc.cpp

    r204330 r204388  
    12321232    Root* root = jsDynamicCast<Root*>(exec->argument(0));
    12331233    if (!root)
    1234         return JSValue::encode(jsUndefined());
     1234        return JSValue::encode(exec->vm().throwException(exec, createError(exec, ASCIILiteral("Cannot create Element without a Root."))));
    12351235    return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), root));
    12361236}
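Review bot: The new return on line 1234 reports a failed `jsDynamicCast<Root*>(exec->argument(0))` with a generic error from `createError`. The rejected input is an argument that is missing or of the wrong type, so a TypeError would describe it better, and the message could state that the first argument must be a Root. A one-line comment above the `if (!root)` check saying that a host constructor must either throw or return a constructed object would help keep the `jsUndefined()` return from being reintroduced.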