Changeset 209031 in webkit


Ignore:
Timestamp:
Nov 28, 2016 3:30:59 PM (7 years ago)
Author:
mark.lam@apple.com
Message:

Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
https://bugs.webkit.org/show_bug.cgi?id=165022

Reviewed by Saam Barati.

  • runtime/JSGenericTypedArrayViewConstructorInlines.h:

(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):

  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::set):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):

  • runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncJoin):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

Location:
trunk/Source/JavaScriptCore
Files:
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r209030 r209031  
     12016-11-28  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files.
     4        https://bugs.webkit.org/show_bug.cgi?id=165022
     5
     6        Reviewed by Saam Barati.
     7
     8        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
     9        (JSC::constructGenericTypedArrayViewFromIterator):
     10        (JSC::constructGenericTypedArrayViewWithArguments):
     11        (JSC::constructGenericTypedArrayView):
     12        * runtime/JSGenericTypedArrayViewInlines.h:
     13        (JSC::JSGenericTypedArrayView<Adaptor>::set):
     14        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
     15        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
     16        (JSC::speciesConstruct):
     17        (JSC::genericTypedArrayViewProtoFuncSet):
     18        (JSC::genericTypedArrayViewProtoFuncJoin):
     19        (JSC::genericTypedArrayViewProtoFuncSlice):
     20        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
     21
    1222016-11-28  Mark Lam  <mark.lam@apple.com>
    223

  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

    r208985 r209031  
    101101
    102102    ViewClass* result = ViewClass::createUninitialized(exec, structure, storage.size());
    103     if (!result)
    104         RETURN_IF_EXCEPTION(scope, nullptr);
     103    ASSERT(!!scope.exception() == !result);
     104    if (UNLIKELY(!result))
     105        return nullptr;
    105106
    106107    for (unsigned i = 0; i < storage.size(); ++i) {
    107         if (!result->setIndex(exec, i, storage.at(i))) {
    108             ASSERT(scope.exception());
     108        bool success = result->setIndex(exec, i, storage.at(i));
     109        ASSERT(scope.exception() || success);
     110        if (!success)
    109111            return nullptr;
    110         }
    111112    }
    112113
     
    134135        }
    135136
     137        scope.release();
    136138        return ViewClass::create(exec, structure, buffer, offset, length);
    137139    }
     
    155157            PropertySlot lengthSlot(object, PropertySlot::InternalMethodType::VMInquiry);
    156158            object->getPropertySlot(exec, vm.propertyNames->length, lengthSlot);
     159            RETURN_IF_EXCEPTION(scope, nullptr);
    157160
    158161            JSValue iteratorFunc = object->get(exec, vm.propertyNames->iteratorSymbol);
     
    179182                    RETURN_IF_EXCEPTION(scope, nullptr);
    180183
     184                    scope.release();
    181185                    return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
    182186            }
     
    188192       
    189193        ViewClass* result = ViewClass::createUninitialized(exec, structure, length);
    190         if (!result) {
    191             ASSERT(scope.exception());
     194        ASSERT(!!scope.exception() == !result);
     195        if (UNLIKELY(!result))
    192196            return nullptr;
    193         }
    194197       
     198        scope.release();
    195199        if (!result->set(exec, 0, object, 0, length))
    196200            return nullptr;
     
    204208    unsigned length = firstValue.toIndex(exec, "length");
    205209    RETURN_IF_EXCEPTION(scope, nullptr);
     210    scope.release();
    206211    return ViewClass::create(exec, structure, length);
    207212}
     
    227232            return throwVMTypeError(exec, scope, ASCIILiteral("DataView constructor requires at least one argument."));
    228233
     234        scope.release();
    229235        return JSValue::encode(ViewClass::create(exec, structure, 0));
    230236    }
     
    252258    }
    253259
     260    scope.release();
    254261    return JSValue::encode(constructGenericTypedArrayViewWithArguments<ViewClass>(exec, structure, JSValue::encode(firstValue), offset, length));
    255262}

  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

    r208985 r209031  
    264264    switch (ci->typedArrayStorageType) {
    265265    case TypeInt8:
     266        scope.release();
    266267        return setWithSpecificType<Int8Adaptor>(
    267268            exec, offset, jsCast<JSInt8Array*>(object), objectOffset, length, type);
    268269    case TypeInt16:
     270        scope.release();
    269271        return setWithSpecificType<Int16Adaptor>(
    270272            exec, offset, jsCast<JSInt16Array*>(object), objectOffset, length, type);
    271273    case TypeInt32:
     274        scope.release();
    272275        return setWithSpecificType<Int32Adaptor>(
    273276            exec, offset, jsCast<JSInt32Array*>(object), objectOffset, length, type);
    274277    case TypeUint8:
     278        scope.release();
    275279        return setWithSpecificType<Uint8Adaptor>(
    276280            exec, offset, jsCast<JSUint8Array*>(object), objectOffset, length, type);
    277281    case TypeUint8Clamped:
     282        scope.release();
    278283        return setWithSpecificType<Uint8ClampedAdaptor>(
    279284            exec, offset, jsCast<JSUint8ClampedArray*>(object), objectOffset, length, type);
    280285    case TypeUint16:
     286        scope.release();
    281287        return setWithSpecificType<Uint16Adaptor>(
    282288            exec, offset, jsCast<JSUint16Array*>(object), objectOffset, length, type);
    283289    case TypeUint32:
     290        scope.release();
    284291        return setWithSpecificType<Uint32Adaptor>(
    285292            exec, offset, jsCast<JSUint32Array*>(object), objectOffset, length, type);
    286293    case TypeFloat32:
     294        scope.release();
    287295        return setWithSpecificType<Float32Adaptor>(
    288296            exec, offset, jsCast<JSFloat32Array*>(object), objectOffset, length, type);
    289297    case TypeFloat64:
     298        scope.release();
    290299        return setWithSpecificType<Float64Adaptor>(
    291300            exec, offset, jsCast<JSFloat64Array*>(object), objectOffset, length, type);
     
    399408        if (descriptor.value()) {
    400409            PutPropertySlot unused(JSValue(thisObject), shouldThrow);
     410            scope.release();
    401411            return thisObject->put(thisObject, exec, propertyName, descriptor.value(), unused);
    402412        }
     
    404414    }
    405415   
     416    scope.release();
    406417    return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
    407418}

  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

    r208767 r209031  
    5454    RETURN_IF_EXCEPTION(scope, nullptr);
    5555
    56     if (constructor.isUndefined())
     56    if (constructor.isUndefined()) {
     57        scope.release();
    5758        return defaultConstructor();
     59    }
    5860    if (!constructor.isObject()) {
    5961        throwTypeError(exec, scope, ASCIILiteral("constructor Property should not be null"));
     
    6466    RETURN_IF_EXCEPTION(scope, nullptr);
    6567
    66     if (species.isUndefinedOrNull())
     68    if (species.isUndefinedOrNull()) {
     69        scope.release();
    6770        return defaultConstructor();
     71    }
    6872
    6973    JSValue result = construct(exec, species, args, "species is not a constructor");
     
    136140    RETURN_IF_EXCEPTION(scope, encodedJSValue());
    137141
     142    scope.release();
    138143    thisObject->set(exec, offset, sourceArray, 0, length, CopyType::Unobservable);
    139144    return JSValue::encode(jsUndefined());
     
    274279            RETURN_IF_EXCEPTION(scope, encodedJSValue());
    275280        }
     281        scope.release();
    276282        return JSValue::encode(joiner.join(*exec));
    277283    };
     
    462468    switch (result->classInfo()->typedArrayStorageType) {
    463469    case TypeInt8:
     470        scope.release();
    464471        jsCast<JSInt8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    465         break;
     472        return JSValue::encode(result);
    466473    case TypeInt16:
     474        scope.release();
    467475        jsCast<JSInt16Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    468         break;
     476        return JSValue::encode(result);
    469477    case TypeInt32:
     478        scope.release();
    470479        jsCast<JSInt32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    471         break;
     480        return JSValue::encode(result);
    472481    case TypeUint8:
     482        scope.release();
    473483        jsCast<JSUint8Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    474         break;
     484        return JSValue::encode(result);
    475485    case TypeUint8Clamped:
     486        scope.release();
    476487        jsCast<JSUint8ClampedArray*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    477         break;
     488        return JSValue::encode(result);
    478489    case TypeUint16:
     490        scope.release();
    479491        jsCast<JSUint16Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    480         break;
     492        return JSValue::encode(result);
    481493    case TypeUint32:
     494        scope.release();
    482495        jsCast<JSUint32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    483         break;
     496        return JSValue::encode(result);
    484497    case TypeFloat32:
     498        scope.release();
    485499        jsCast<JSFloat32Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    486         break;
     500        return JSValue::encode(result);
    487501    case TypeFloat64:
     502        scope.release();
    488503        jsCast<JSFloat64Array*>(result)->set(exec, 0, thisObject, begin, length, CopyType::LeftToRight);
    489         break;
     504        return JSValue::encode(result);
    490505    default:
    491506        RELEASE_ASSERT_NOT_REACHED();
    492507    }
    493 
    494     return JSValue::encode(result);
    495508}
    496509
     
    539552        Structure* structure = callee->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
    540553
     554        scope.release();
    541555        return JSValue::encode(ViewClass::create(
    542556            exec, structure, arrayBuffer,
Note: See TracChangeset for help on using the changeset viewer.