Changeset 209032 in webkit
- Timestamp:
- Nov 28, 2016 3:38:17 PM (7 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r209031 r209032 1 2016-11-28 Mark Lam <mark.lam@apple.com> 2 3 Fix exception scope verification failures in JSFunction.cpp. 4 https://bugs.webkit.org/show_bug.cgi?id=165021 5 6 Reviewed by Saam Barati. 7 8 * runtime/JSFunction.cpp: 9 (JSC::JSFunction::put): 10 (JSC::JSFunction::defineOwnProperty): 11 1 12 2016-11-28 Mark Lam <mark.lam@apple.com> 2 13 -
trunk/Source/JavaScriptCore/runtime/JSFunction.cpp
r208320 r209032 426 426 JSFunction* thisObject = jsCast<JSFunction*>(cell); 427 427 428 if (UNLIKELY(isThisValueAltered(slot, thisObject))) 428 if (UNLIKELY(isThisValueAltered(slot, thisObject))) { 429 scope.release(); 429 430 return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()); 431 } 430 432 431 433 if (thisObject->isHostOrBuiltinFunction()) { … … 433 435 if (propType == LazyPropertyType::IsLazyProperty) 434 436 slot.disableCaching(); 437 scope.release(); 435 438 return Base::put(thisObject, exec, propertyName, value, slot); 436 439 } … … 455 458 // these properties are not lazy and should not need to be reified. (https://bugs.webkit.org/show_bug.cgi?id=163579) 456 459 bool okay = thisObject->hasProperty(exec, propertyName); 460 RETURN_IF_EXCEPTION(scope, false); 457 461 ASSERT_UNUSED(okay, okay); 458 462 scope.release(); … … 498 502 if (thisObject->isHostOrBuiltinFunction()) { 499 503 thisObject->reifyBoundNameIfNeeded(vm, exec, propertyName); 504 scope.release(); 500 505 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 501 506 } … … 508 513 if (thisObject->m_rareData) 509 514 thisObject->m_rareData->clear("Store to prototype property of a function"); 515 scope.release(); 510 516 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 511 517 } … … 516 522 if (thisObject->jsExecutable()->isClass()) { 517 523 thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName); 524 scope.release(); 518 525 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 519 526 } … … 521 528 if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot)) 522 529 thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor); 530 scope.release(); 523 531 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 524 532 } … … 528 536 if (thisObject->jsExecutable()->isClass()) { 529 537 thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName); 538 scope.release(); 530 539 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 531 540 } … … 533 542 if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot)) 534 543 thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor); 544 scope.release(); 535 545 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 536 546 } … … 538 548 } else { 539 549 thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName); 550 scope.release(); 540 551 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException); 541 552 }
Note: See TracChangeset
for help on using the changeset viewer.