Add missing exception check in arrayProtoFuncLastIndexOf().
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 31 Aug 2018 08:40:35 +0000 (08:40 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 31 Aug 2018 08:40:35 +0000 (08:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=189184
<rdar://problem/39785959>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/regress-189184.js: Added.

Source/JavaScriptCore:

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncLastIndexOf):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235540 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-189184.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp

index 456a8cf..fa5c6d6 100644 (file)
@@ -1,3 +1,13 @@
+2018-08-31  Mark Lam  <mark.lam@apple.com>
+
+        Add missing exception check in arrayProtoFuncLastIndexOf().
+        https://bugs.webkit.org/show_bug.cgi?id=189184
+        <rdar://problem/39785959>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/regress-189184.js: Added.
+
 2018-08-31  Saam barati  <sbarati@apple.com>
 
         convertToRegExpMatchFastGlobal must use KnownString as the child use kind
diff --git a/JSTests/stress/regress-189184.js b/JSTests/stress/regress-189184.js
new file mode 100644 (file)
index 0000000..0670c75
--- /dev/null
@@ -0,0 +1,3 @@
+//@ runDefault
+// This test passes if it does not crash.
+['a'+0].lastIndexOf('a0');
index 26f9753..ee6c6ca 100644 (file)
@@ -1,3 +1,14 @@
+2018-08-31  Mark Lam  <mark.lam@apple.com>
+
+        Add missing exception check in arrayProtoFuncLastIndexOf().
+        https://bugs.webkit.org/show_bug.cgi?id=189184
+        <rdar://problem/39785959>
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncLastIndexOf):
+
 2018-08-31  Saam barati  <sbarati@apple.com>
 
         convertToRegExpMatchFastGlobal must use KnownString as the child use kind
index cbf3d72..c4fa8b6 100644 (file)
@@ -1215,9 +1215,10 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncLastIndexOf(ExecState* exec)
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
         if (!e)
             continue;
-        if (JSValue::strictEqual(exec, searchElement, e))
-            return JSValue::encode(jsNumber(index));
+        bool isEqual = JSValue::strictEqual(exec, searchElement, e);
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        if (isEqual)
+            return JSValue::encode(jsNumber(index));
     } while (index--);
 
     return JSValue::encode(jsNumber(-1));