Changeset 207906 in webkit


Timestamp:
Oct 26, 2016 12:23:55 PM (7 years ago)
Author:
mark.lam@apple.com
Message:

JSGenericTypedArrayView::set() should check for exceptions.
https://bugs.webkit.org/show_bug.cgi?id=164007
<rdar://problem/28853775>

Reviewed by Filip Pizlo.

JSTests:

  • stress/typed-array-view-set-should-not-crash-on-exception.js: Added.

Source/JavaScriptCore:

  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::set):

Location:
trunk
Files:
1 added
3 edited

  • trunk/JSTests/ChangeLog

    r207861 r207906  
     12016-10-26  Mark Lam  <mark.lam@apple.com>
     2
     3        JSGenericTypedArrayView::set() should check for exceptions.
     4        https://bugs.webkit.org/show_bug.cgi?id=164007
     5        <rdar://problem/28853775>
     6
     7        Reviewed by Filip Pizlo.
     8
     9        * stress/typed-array-view-set-should-not-crash-on-exception.js: Added.
     10
    1112016-10-25  Mark Lam  <mark.lam@apple.com>
    212
  • trunk/Source/JavaScriptCore/ChangeLog

    r207869 r207906  
     12016-10-26  Mark Lam  <mark.lam@apple.com>
     2
     3        JSGenericTypedArrayView::set() should check for exceptions.
     4        https://bugs.webkit.org/show_bug.cgi?id=164007
     5        <rdar://problem/28853775>
     6
     7        Reviewed by Filip Pizlo.
     8
     9        * runtime/JSGenericTypedArrayViewInlines.h:
     10        (JSC::JSGenericTypedArrayView<Adaptor>::set):
     11
    1122016-10-25  Yusuke Suzuki  <utatane.tea@gmail.com>
    213
  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

    r207859 r207906  
    243243    ExecState* exec, unsigned offset, JSObject* object, unsigned objectOffset, unsigned length, CopyType type)
    244244{
     245    VM& vm = exec->vm();
     246    auto scope = DECLARE_THROW_SCOPE(vm);
     247
    245248    const ClassInfo* ci = object->classInfo();
    246249    if (ci->typedArrayStorageType == Adaptor::typeValue) {
     
    250253       
    251254        RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length));
    252         if (!validateRange(exec, offset, length))
     255        bool success = validateRange(exec, offset, length);
     256        ASSERT(!scope.exception() == success);
     257        if (!success)
    253258            return false;
    254259
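Review bot: the new `ASSERT(!scope.exception() == success)` encodes a two-way contract (validateRange throws exactly when it returns false) that is only checked in debug builds; a one-line comment stating that contract next to the assert would help readers, since the same shape is repeated in the NotTypedArray/TypeDataView case below while the per-element loop uses a weaker, one-directional assert. Also, now that `DECLARE_THROW_SCOPE(vm)` covers the whole function, every early `return false` on this path must leave the exception state consistent with its return value; the `RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length))` just above is fine in that respect because it cannot throw.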
     
    287292    case NotTypedArray:
    288293    case TypeDataView: {
    289         if (!validateRange(exec, offset, length))
     294        bool success = validateRange(exec, offset, length);
     295        ASSERT(!scope.exception() == success);
     296        if (!success)
    290297            return false;
    291298
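Review bot: this block is the same `bool success = validateRange(exec, offset, length); ASSERT(!scope.exception() == success); if (!success) return false;` sequence as in the typed-array branch above; consider moving the assert into validateRange itself (or a small helper) so the exception/return-value contract is checked in one place and a future caller cannot forget it.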
     
    293300        for (unsigned i = 0; i < length; ++i) {
    294301            JSValue value = object->get(exec, i + objectOffset);
    295             if (!setIndex(exec, offset + i, value))
     302            RETURN_IF_EXCEPTION(scope, false);
     303            bool success = setIndex(exec, offset + i, value);
     304            ASSERT(!scope.exception() || !success);
     305            if (!success)
    296306                return false;
    297307        }
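Review bot: the `RETURN_IF_EXCEPTION(scope, false)` inserted between `object->get(exec, i + objectOffset)` and `setIndex(...)` is the substantive fix: `get` on a non-typed-array source can run arbitrary JS (getters, Proxy traps), and before this change the loop proceeded into `setIndex` with an exception pending and whatever `get` returned. Two follow-ups: the assert here is `!scope.exception() || !success` (an exception implies failure) rather than the equality used for validateRange, so a comment should say why setIndex is allowed to fail without throwing; and since `get` may have run user code, it is worth confirming that setIndex re-validates the target view's state on each iteration rather than relying only on the `validateRange` check performed before the loop.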