Changeset 221711 in webkit
- Timestamp:
- Sep 6, 2017, 5:57:35 PM (7 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 3 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
JSTests/stress/regress-176485.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r221657 r221711 1 2017-09-06 Mark Lam <mark.lam@apple.com> 2 3 constructGenericTypedArrayViewWithArguments() is missing an exception check. 4 https://bugs.webkit.org/show_bug.cgi?id=176485 5 <rdar://problem/33898874> 6 7 Reviewed by Keith Miller. 8 9 * stress/regress-176485.js: Added. 10 1 11 2017-09-05 Saam Barati <sbarati@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r221703 r221711 1 2017-09-06 Mark Lam <mark.lam@apple.com> 2 3 constructGenericTypedArrayViewWithArguments() is missing an exception check. 4 https://bugs.webkit.org/show_bug.cgi?id=176485 5 <rdar://problem/33898874> 6 7 Reviewed by Keith Miller. 8 9 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 10 (JSC::constructGenericTypedArrayViewWithArguments): 11 1 12 2017-09-06 Saam Barati <sbarati@apple.com> 2 13 -
trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
r218082 r221711 186 186 } 187 187 188 length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec); 189 RETURN_IF_EXCEPTION(scope, nullptr); 188 if (lengthSlot.isUnset()) 189 length = 0; 190 else { 191 JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length); 192 RETURN_IF_EXCEPTION(scope, nullptr); 193 length = value.toUInt32(exec); 194 RETURN_IF_EXCEPTION(scope, nullptr); 195 } 190 196 } 191 197
Note:
See TracChangeset
for help on using the changeset viewer.
