Changeset 209032 in webkit


Timestamp:
Nov 28, 2016 3:38:17 PM (7 years ago)
Author:
mark.lam@apple.com
Message:

Fix exception scope verification failures in JSFunction.cpp.
https://bugs.webkit.org/show_bug.cgi?id=165021

Reviewed by Saam Barati.

  • runtime/JSFunction.cpp:

(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

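--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,13 @@
+2016-11-28  Mark Lam  <mark.lam@apple.com>
+
+        Fix exception scope verification failures in JSFunction.cpp.
+        https://bugs.webkit.org/show_bug.cgi?id=165021
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::put):
+        (JSC::JSFunction::defineOwnProperty):
+
 2016-11-28  Mark Lam  <mark.lam@apple.com>
 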
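--- a/trunk/Source/JavaScriptCore/runtime/JSFunction.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSFunction.cpp
@@ -426,6 +426,8 @@
     JSFunction* thisObject = jsCast<JSFunction*>(cell);
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
+    if (UNLIKELY(isThisValueAltered(slot, thisObject))) {
+        scope.release();
         return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
+    }
 
     if (thisObject->isHostOrBuiltinFunction()) {
@@ -433,4 +435,5 @@
         if (propType == LazyPropertyType::IsLazyProperty)
             slot.disableCaching();
+        scope.release();
         return Base::put(thisObject, exec, propertyName, value, slot);
     }
@@ -455,4 +458,5 @@
             // these properties are not lazy and should not need to be reified. (https://bugs.webkit.org/show_bug.cgi?id=163579)
             bool okay = thisObject->hasProperty(exec, propertyName);
+            RETURN_IF_EXCEPTION(scope, false);
             ASSERT_UNUSED(okay, okay);
             scope.release();
@@ -498,4 +502,5 @@
     if (thisObject->isHostOrBuiltinFunction()) {
         thisObject->reifyBoundNameIfNeeded(vm, exec, propertyName);
+        scope.release();
         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
     }
@@ -508,4 +513,5 @@
         if (thisObject->m_rareData)
             thisObject->m_rareData->clear("Store to prototype property of a function");
+        scope.release();
         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
     }
@@ -516,4 +522,5 @@
             if (thisObject->jsExecutable()->isClass()) {
                 thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
+                scope.release();
                 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
             }
@@ -521,4 +528,5 @@
             if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
                 thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
+            scope.release();
             return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
         }
@@ -528,4 +536,5 @@
             if (thisObject->jsExecutable()->isClass()) {
                 thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
+                scope.release();
                 return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
             }
@@ -533,4 +542,5 @@
             if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
                 thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
+            scope.release();
             return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
         }
@@ -538,4 +548,5 @@
     } else {
         thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
+        scope.release();
         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
     }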
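Review bot: In the two defineOwnProperty branches that call `Base::getOwnPropertySlot` and then `putDirectAccessor`, the added `scope.release();` follows those calls with no exception check in between, so if either can throw, `Base::defineOwnProperty` would run with an exception already pending. As used here, `release()` appears to hand only the tail call's exception check to the caller, and the hunks do not show whether the earlier helpers can throw. I would add `RETURN_IF_EXCEPTION(scope, false);` before `scope.release();` in those branches, as this commit already does after `hasProperty` in put, or a one-line comment stating why the helper cannot throw at that point. The same question applies to the unchecked `reifyLazyPropertyIfNeeded` and `reifyBoundNameIfNeeded` calls in the other defineOwnProperty hunks. The function's body starts and ends outside the shown hunks.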