From 7f2f30b9a8a814e621331ed88afde80bb228fbc2 Mon Sep 17 00:00:00 2001
From: "mark.lam@apple.com"
 <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri, 31 Aug 2018 16:05:22 +0000
Subject: [PATCH] Fix exception check accounting in
 JSDataView::defineOwnProperty().
 https://bugs.webkit.org/show_bug.cgi?id=189186 <rdar://problem/39786049>

Reviewed by Michael Saboff.

JSTests:

* stress/regress-189186.js: Added.

Source/JavaScriptCore:

* runtime/JSDataView.cpp:
(JSC::JSDataView::defineOwnProperty):


git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235554 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 JSTests/ChangeLog                            | 10 ++++++++++
 JSTests/stress/regress-189186.js             |  4 ++++
 Source/JavaScriptCore/ChangeLog              | 11 +++++++++++
 Source/JavaScriptCore/runtime/JSDataView.cpp |  1 +
 4 files changed, 26 insertions(+)
 create mode 100644 JSTests/stress/regress-189186.js

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index fa5c6d6..d81ab87 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,5 +1,15 @@
 2018-08-31  Mark Lam  <mark.lam@apple.com>
 
+        Fix exception check accounting in JSDataView::defineOwnProperty().
+        https://bugs.webkit.org/show_bug.cgi?id=189186
+        <rdar://problem/39786049>
+
+        Reviewed by Michael Saboff.
+
+        * stress/regress-189186.js: Added.
+
+2018-08-31  Mark Lam  <mark.lam@apple.com>
+
         Add missing exception check in arrayProtoFuncLastIndexOf().
         https://bugs.webkit.org/show_bug.cgi?id=189184
         <rdar://problem/39785959>
diff --git a/JSTests/stress/regress-189186.js b/JSTests/stress/regress-189186.js
new file mode 100644
index 0000000..c620966
--- /dev/null
+++ b/JSTests/stress/regress-189186.js
@@ -0,0 +1,4 @@
+//@ runDefault
+// This test passes if it does not crash.
+let x = new DataView(new ArrayBuffer(1));
+Object.defineProperty(x, 'foo', {});
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index ee6c6ca..86130cc 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,16 @@
 2018-08-31  Mark Lam  <mark.lam@apple.com>
 
+        Fix exception check accounting in JSDataView::defineOwnProperty().
+        https://bugs.webkit.org/show_bug.cgi?id=189186
+        <rdar://problem/39786049>
+
+        Reviewed by Michael Saboff.
+
+        * runtime/JSDataView.cpp:
+        (JSC::JSDataView::defineOwnProperty):
+
+2018-08-31  Mark Lam  <mark.lam@apple.com>
+
         Add missing exception check in arrayProtoFuncLastIndexOf().
         https://bugs.webkit.org/show_bug.cgi?id=189184
         <rdar://problem/39785959>
diff --git a/Source/JavaScriptCore/runtime/JSDataView.cpp b/Source/JavaScriptCore/runtime/JSDataView.cpp
index 9aa81b3..a7f57ce 100644
--- a/Source/JavaScriptCore/runtime/JSDataView.cpp
+++ b/Source/JavaScriptCore/runtime/JSDataView.cpp
@@ -151,6 +151,7 @@ bool JSDataView::defineOwnProperty(
         || propertyName == vm.propertyNames->byteOffset)
         return typeError(exec, scope, shouldThrow, "Attempting to define read-only typed array property."_s);
 
+    scope.release();
     return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
 }
 
-- 
1.8.3.1