Context Navigation

Changeset 221711 in webkit

Timestamp:

Sep 6, 2017 5:57:35 PM (7 years ago)

Author:

mark.lam@apple.com

Message:

constructGenericTypedArrayViewWithArguments() is missing an exception check.
https://bugs.webkit.org/show_bug.cgi?id=176485
<rdar://problem/33898874>

Reviewed by Keith Miller.

JSTests:

Source/JavaScriptCore:

(JSC::constructGenericTypedArrayViewWithArguments):

Location:

trunk

Files:

-                      r221657
+                      r221711
+-09-06  Mark Lam  <mark.lam@apple.com>
+        constructGenericTypedArrayViewWithArguments() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=176485
+        <rdar://problem/33898874>
+        Reviewed by Keith Miller.
+        * stress/regress-176485.js: Added.
 -09-05  Saam Barati  <sbarati@apple.com>

-                      r221703
+                      r221711
+-09-06  Mark Lam  <mark.lam@apple.com>
+        constructGenericTypedArrayViewWithArguments() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=176485
+        <rdar://problem/33898874>
+        Reviewed by Keith Miller.
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewWithArguments):
 -09-06  Saam Barati  <sbarati@apple.com>

-                      r218082
+                      r221711
+            }
+            length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
+            RETURN_IF_EXCEPTION(scope, nullptr);
+            if (lengthSlot.isUnset())
+                length = 0;
+            else {
+                JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+                length = value.toUInt32(exec);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+            }
+        }

Note: See TracChangeset for help on using the changeset viewer.