Fix exception check accounting in JSDataView::defineOwnProperty().
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 31 Aug 2018 16:05:22 +0000 (16:05 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 31 Aug 2018 16:05:22 +0000 (16:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=189186
<rdar://problem/39786049>

Reviewed by Michael Saboff.

JSTests:

* stress/regress-189186.js: Added.

Source/JavaScriptCore:

* runtime/JSDataView.cpp:
(JSC::JSDataView::defineOwnProperty):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235554 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-189186.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSDataView.cpp

index fa5c6d6..d81ab87 100644 (file)
@@ -1,5 +1,15 @@
 2018-08-31  Mark Lam  <mark.lam@apple.com>
 
+        Fix exception check accounting in JSDataView::defineOwnProperty().
+        https://bugs.webkit.org/show_bug.cgi?id=189186
+        <rdar://problem/39786049>
+
+        Reviewed by Michael Saboff.
+
+        * stress/regress-189186.js: Added.
+
+2018-08-31  Mark Lam  <mark.lam@apple.com>
+
         Add missing exception check in arrayProtoFuncLastIndexOf().
         https://bugs.webkit.org/show_bug.cgi?id=189184
         <rdar://problem/39785959>
diff --git a/JSTests/stress/regress-189186.js b/JSTests/stress/regress-189186.js
new file mode 100644 (file)
index 0000000..c620966
--- /dev/null
@@ -0,0 +1,4 @@
+//@ runDefault
+// This test passes if it does not crash.
+let x = new DataView(new ArrayBuffer(1));
+Object.defineProperty(x, 'foo', {});
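Review bot: the test defines only 'foo', so it covers just the fall-through to Base::defineOwnProperty() and never reaches the read-only branch of JSDataView::defineOwnProperty() that returns typeError(...). Consider adding a second case that defines 'byteOffset' inside a try/catch, so both exits of the function run in the same test. The comment "This test passes if it does not crash." could also name the check that is expected to fire without the fix, so a later reader knows what a failure here means.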
index ee6c6ca..86130cc 100644 (file)
@@ -1,5 +1,16 @@
 2018-08-31  Mark Lam  <mark.lam@apple.com>
 
+        Fix exception check accounting in JSDataView::defineOwnProperty().
+        https://bugs.webkit.org/show_bug.cgi?id=189186
+        <rdar://problem/39786049>
+
+        Reviewed by Michael Saboff.
+
+        * runtime/JSDataView.cpp:
+        (JSC::JSDataView::defineOwnProperty):
+
+2018-08-31  Mark Lam  <mark.lam@apple.com>
+
         Add missing exception check in arrayProtoFuncLastIndexOf().
         https://bugs.webkit.org/show_bug.cgi?id=189184
         <rdar://problem/39785959>
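Review bot: the entry under (JSC::JSDataView::defineOwnProperty): carries no description, so the ChangeLog does not record what was unaccounted for or why the fix is correct. A one-line explanation after the function name would make the entry self-explanatory, for example that the scope is released before the tail call so that an exception from Base::defineOwnProperty() is left for the caller to check.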
index 9aa81b3..a7f57ce 100644 (file)
@@ -151,6 +151,7 @@ bool JSDataView::defineOwnProperty(
         || propertyName == vm.propertyNames->byteOffset)
         return typeError(exec, scope, shouldThrow, "Attempting to define read-only typed array property."_s);
 
+    scope.release();
     return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
 }
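Review bot: scope.release() before the return is only correct while nothing between it and the end of the function uses scope to throw or check. That holds here because the return Base::defineOwnProperty(...) follows directly, but the hunk shows only the tail of the function from line 151. It is worth confirming that any earlier return path in defineOwnProperty() that calls code which can throw is accounted for in the same way. A short comment on the release noting that the caller is responsible for checking the exception would also keep a later edit from inserting scope-dependent code after it.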