Changeset 208936 in webkit


Timestamp:
Nov 20, 2016 5:33:09 PM (7 years ago)
Author:
mark.lam@apple.com
Message:

Fix exception scope verification failures in CommonSlowPaths.cpp/h.
https://bugs.webkit.org/show_bug.cgi?id=164975

Reviewed by Darin Adler.

  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

  • runtime/CommonSlowPaths.h:

(JSC::CommonSlowPaths::opIn):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

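--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,14 @@
+2016-11-20  Mark Lam  <mark.lam@apple.com>
+
+        Fix exception scope verification failures in CommonSlowPaths.cpp/h.
+        https://bugs.webkit.org/show_bug.cgi?id=164975
+
+        Reviewed by Darin Adler.
+
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.h:
+        (JSC::CommonSlowPaths::opIn):
+
 2016-11-20  Mark Lam  <mark.lam@apple.com>
 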
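--- a/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
@@ -182,4 +182,5 @@
         vm.topCallFrame = exec;
         ErrorHandlingScope errorScope(vm);
+        throwScope.release();
         CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));
         RETURN_TWO(bitwise_cast<void*>(static_cast<uintptr_t>(1)), exec);
@@ -444,7 +445,9 @@
     arithProfile.observeLHSAndRHS(v1, v2);
 
-    if (v1.isString() && !v2.isObject())
-        result = jsString(exec, asString(v1), v2.toString(exec));
-    else if (v1.isNumber() && v2.isNumber())
+    if (v1.isString() && !v2.isObject()) {
+        JSString* v2String = v2.toString(exec);
+        if (LIKELY(!throwScope.exception()))
+            result = jsString(exec, asString(v1), v2String);
+    } else if (v1.isNumber() && v2.isNumber())
         result = jsNumber(v1.asNumber() + v2.asNumber());
     else
@@ -825,5 +828,7 @@
         if (resolvedScope->isGlobalObject()) {
             JSGlobalObject* globalObject = jsCast<JSGlobalObject*>(resolvedScope);
-            if (globalObject->hasProperty(exec, ident)) {
+            bool hasProperty = globalObject->hasProperty(exec, ident);
+            CHECK_EXCEPTION();
+            if (hasProperty) {
                 ConcurrentJSLocker locker(exec->codeBlock()->m_lock);
                 if (resolveType == UnresolvedProperty)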
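Review bot: In the second hunk (the `v1.isString()` branch, new lines 447–451), when `v2.toString(exec)` throws, `result` is deliberately left untouched and control falls through to whatever follows the if/else chain, which is outside this hunk; that tail must check `throwScope.exception()` before `result` is consumed, otherwise a stale `result` is handed back alongside a pending exception. The guard itself is the right shape — it keeps a `JSString*` obtained under a pending exception out of `jsString()` — but the reliance on the trailing check is invisible here, so I would document it: `// toString() can throw; leave result untouched and let the exception check after this chain report it.`. The third hunk handles the same situation more explicitly with `CHECK_EXCEPTION()` right after `hasProperty()`; if the tail of this slow path does not already check, using the same macro here would be the safer choice. The enclosing SLOW_PATH_DECL bodies begin and end outside the hunks.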
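--- a/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h
+++ b/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h
@@ -84,9 +84,12 @@
 
     uint32_t i;
-    if (propName.getUInt32(i))
+    if (propName.getUInt32(i)) {
+        scope.release();
         return baseObj->hasProperty(exec, i);
+    }
 
     auto property = propName.toPropertyKey(exec);
     RETURN_IF_EXCEPTION(scope, false);
+    scope.release();
     return baseObj->hasProperty(exec, property);
 }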
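Review bot: The two `scope.release()` calls (new lines 87 and 93) transfer responsibility for checking the exception raised by `baseObj->hasProperty()` to opIn's caller, but nothing in the hunk records that contract, and the `bool` returned while an exception is pending is not meaningful. A one-line comment above the first release, `// hasProperty() can throw; the scope is released because the caller is expected to check for the exception.`, would stop a future change from inserting work after either call without re-checking. Releasing immediately before the returning call is the correct placement — any statement added between the release and the `return` would silently bypass verification. opIn's signature and the declaration of `scope` are above this hunk, so the scope type is inferred from the `RETURN_IF_EXCEPTION(scope, false)` usage rather than seen.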