https://bugs.webkit.org/show_bug.cgi?id=172346
<rdar://problem/
32289640>
Reviewed by Geoffrey Garen.
JSTests:
* stress/regress-172346.js: Added.
Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::hasInstance):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@217157
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
2017-05-19 Mark Lam <mark.lam@apple.com>
+ Add missing exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=172346
+ <rdar://problem/32289640>
+
+ Reviewed by Geoffrey Garen.
+
+ * stress/regress-172346.js: Added.
+
+2017-05-19 Mark Lam <mark.lam@apple.com>
+
DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
https://bugs.webkit.org/show_bug.cgi?id=172383
<rdar://problem/31418651>
--- /dev/null
+function test(){
+ var get = [];
+ var p = new Proxy(Function(), { get:function(){ return Proxy; }});
+ ({}) instanceof p;
+}
+
+var exception;
+try {
+ test();
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "TypeError: calling Proxy constructor without new is invalid")
+ throw "FAILED";
+
2017-05-19 Mark Lam <mark.lam@apple.com>
+ Add missing exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=172346
+ <rdar://problem/32289640>
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::hasInstance):
+
+2017-05-19 Mark Lam <mark.lam@apple.com>
+
DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
https://bugs.webkit.org/show_bug.cgi?id=172383
<rdar://problem/31418651>
MarkedArgumentBuffer args;
args.append(value);
JSValue result = call(exec, hasInstanceValue, callType, callData, this, args);
+ RETURN_IF_EXCEPTION(scope, false);
return result.toBoolean(exec);
}
git://git.webkit.org / WebKit-https.git / commitdiff