<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197794] trunk/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197794">197794</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2016-03-08 12:57:25 -0800 (Tue, 08 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
https://bugs.webkit.org/show_bug.cgi?id=155169
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
With the exception checks, we may end up throwing new exceptions over an existing
one that has been thrown but not handled yet, thereby obscuring it. It may also
mean that the VM will continue running on potentially unstable state, which may
have undesirable consequences.
I first observed this in some failed assertion while running tests on a patch for
https://bugs.webkit.org/show_bug.cgi?id=154865.
Performance is neutral with this patch (tested on x86_64).
1. Deleted JSNotAnObject, and removed all uses of it.
2. Added exception checks, when needed, following calls to synthesizePrototype()
and JSValue::toObject().
The cases that do not need an exception check are the ones that already ensures
that JSValue::toObject() is only called on a value that is convertible to an
object. In those cases, I added an assertion that no exception was thrown
after the call.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStackFromException):
* interpreter/Interpreter.cpp:
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::arrayProtoFuncValues):
(JSC::arrayProtoFuncEntries):
(JSC::arrayProtoFuncKeys):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/ExceptionHelpers.cpp:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toObjectSlowCase):
(JSC::JSValue::toThisSlowCase):
(JSC::JSValue::synthesizePrototype):
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::getPropertySlot):
(JSC::JSValue::get):
* runtime/JSFunction.cpp:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
* runtime/JSNotAnObject.cpp: Removed.
* runtime/JSNotAnObject.h: Removed.
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorDefineProperties):
(JSC::objectConstructorCreate):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncToString):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
Source/WebCore:
No new tests because this issue is covered by existing tests when the fix for
https://bugs.webkit.org/show_bug.cgi?id=154865 lands. That patch is waiting for
this patch to land first so as to not introduce test failures.
* Modules/plugins/QuickTimePluginReplacement.mm:
(WebCore::QuickTimePluginReplacement::installReplacement):
* bindings/js/JSDeviceMotionEventCustom.cpp:
(WebCore::readAccelerationArgument):
(WebCore::readRotationRateArgument):
* bindings/js/JSGeolocationCustom.cpp:
(WebCore::createPositionOptions):
* bindings/js/JSHTMLCanvasElementCustom.cpp:
(WebCore::get3DContextAttributes):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateConstructorDefinition):
* bindings/scripts/test/JS/JSTestEventConstructor.cpp:
(WebCore::JSTestEventConstructorConstructor::construct):
* contentextensions/ContentExtensionParser.cpp:
(WebCore::ContentExtensions::getTypeFlags):
* html/HTMLMediaElement.cpp:
(WebCore::setPageScaleFactorProperty):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorScriptCallStackFactorycpp">trunk/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypecpp">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExceptionHelperscpp">trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValuecpp">trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValueInlinesh">trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectConstructorcpp">trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectPrototypecpp">trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModulespluginsQuickTimePluginReplacementmm">trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDeviceMotionEventCustomcpp">trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSGeolocationCustomcpp">trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSHTMLCanvasElementCustomcpp">trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestEventConstructorcpp">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp</a></li>
<li><a href="#trunkSourceWebCorecontentextensionsContentExtensionParsercpp">trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLMediaElementcpp">trunk/Source/WebCore/html/HTMLMediaElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLPlugInImageElementcpp">trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSNotAnObjectcpp">trunk/Source/JavaScriptCore/runtime/JSNotAnObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSNotAnObjecth">trunk/Source/JavaScriptCore/runtime/JSNotAnObject.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -709,7 +709,6 @@
</span><span class="cx"> runtime/JSModuleNamespaceObject.cpp
</span><span class="cx"> runtime/JSModuleRecord.cpp
</span><span class="cx"> runtime/JSNativeStdFunction.cpp
</span><del>- runtime/JSNotAnObject.cpp
</del><span class="cx"> runtime/JSONObject.cpp
</span><span class="cx"> runtime/JSObject.cpp
</span><span class="cx"> runtime/JSPromise.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -1,3 +1,82 @@
</span><ins>+2016-03-08 Mark Lam <mark.lam@apple.com>
+
+ synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
+ https://bugs.webkit.org/show_bug.cgi?id=155169
+
+ Reviewed by Geoffrey Garen.
+
+ With the exception checks, we may end up throwing new exceptions over an existing
+ one that has been thrown but not handled yet, thereby obscuring it. It may also
+ mean that the VM will continue running on potentially unstable state, which may
+ have undesirable consequences.
+
+ I first observed this in some failed assertion while running tests on a patch for
+ https://bugs.webkit.org/show_bug.cgi?id=154865.
+
+ Performance is neutral with this patch (tested on x86_64).
+
+ 1. Deleted JSNotAnObject, and removed all uses of it.
+
+ 2. Added exception checks, when needed, following calls to synthesizePrototype()
+ and JSValue::toObject().
+
+ The cases that do not need an exception check are the ones that already ensures
+ that JSValue::toObject() is only called on a value that is convertible to an
+ object. In those cases, I added an assertion that no exception was thrown
+ after the call.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStackFromException):
+ * interpreter/Interpreter.cpp:
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncJoin):
+ (JSC::arrayProtoFuncConcat):
+ (JSC::arrayProtoFuncPop):
+ (JSC::arrayProtoFuncPush):
+ (JSC::arrayProtoFuncReverse):
+ (JSC::arrayProtoFuncShift):
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ (JSC::arrayProtoFuncUnShift):
+ (JSC::arrayProtoFuncIndexOf):
+ (JSC::arrayProtoFuncLastIndexOf):
+ (JSC::arrayProtoFuncValues):
+ (JSC::arrayProtoFuncEntries):
+ (JSC::arrayProtoFuncKeys):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/ExceptionHelpers.cpp:
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::toObjectSlowCase):
+ (JSC::JSValue::toThisSlowCase):
+ (JSC::JSValue::synthesizePrototype):
+ (JSC::JSValue::putToPrimitive):
+ (JSC::JSValue::putToPrimitiveByIndex):
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::getPropertySlot):
+ (JSC::JSValue::get):
+ * runtime/JSFunction.cpp:
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ * runtime/JSNotAnObject.cpp: Removed.
+ * runtime/JSNotAnObject.h: Removed.
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorDefineProperties):
+ (JSC::objectConstructorCreate):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncValueOf):
+ (JSC::objectProtoFuncHasOwnProperty):
+ (JSC::objectProtoFuncIsPrototypeOf):
+ (JSC::objectProtoFuncToString):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
</ins><span class="cx"> 2016-03-08 Oliver Hunt <oliver@apple.com>
</span><span class="cx">
</span><span class="cx"> Start moving to separated writable and executable mappings in the JIT
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -1687,7 +1687,6 @@
</span><span class="cx"> A72028B61797601E0098028C /* JSCTestRunnerUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A72028B41797601E0098028C /* JSCTestRunnerUtils.cpp */; };
</span><span class="cx"> A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B51797601E0098028C /* JSCTestRunnerUtils.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A72028BA1797603D0098028C /* JSFunctionInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A72028B91797603D0098028C /* JSFunctionInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>- A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A72700780DAC605600E548D7 /* JSNotAnObject.cpp */; };
</del><span class="cx"> A72701B90DADE94900E548D7 /* ExceptionHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = A72701B30DADE94900E548D7 /* ExceptionHelpers.h */; };
</span><span class="cx"> A7280A2811557E3000D56957 /* JSObjectRefPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = A79EDB0811531CD60019E912 /* JSObjectRefPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> A729009C17976C6000317298 /* MacroAssemblerARMv7.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */; };
</span><span class="lines">@@ -3889,8 +3888,6 @@
</span><span class="cx"> A72028B41797601E0098028C /* JSCTestRunnerUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCTestRunnerUtils.cpp; sourceTree = "<group>"; };
</span><span class="cx"> A72028B51797601E0098028C /* JSCTestRunnerUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCTestRunnerUtils.h; sourceTree = "<group>"; };
</span><span class="cx"> A72028B91797603D0098028C /* JSFunctionInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSFunctionInlines.h; sourceTree = "<group>"; };
</span><del>- A72700770DAC605600E548D7 /* JSNotAnObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSNotAnObject.h; sourceTree = "<group>"; };
- A72700780DAC605600E548D7 /* JSNotAnObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSNotAnObject.cpp; sourceTree = "<group>"; };
</del><span class="cx"> A72701B30DADE94900E548D7 /* ExceptionHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionHelpers.h; sourceTree = "<group>"; };
</span><span class="cx"> A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MacroAssemblerARMv7.cpp; sourceTree = "<group>"; };
</span><span class="cx"> A7299D9B17D12837005F5FF9 /* JSSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSet.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -5735,8 +5732,6 @@
</span><span class="cx"> E39DA4A51B7E8B7C0084F33A /* JSModuleRecord.h */,
</span><span class="cx"> E33E8D1A1B9013C300346B52 /* JSNativeStdFunction.cpp */,
</span><span class="cx"> E33E8D1B1B9013C300346B52 /* JSNativeStdFunction.h */,
</span><del>- A72700780DAC605600E548D7 /* JSNotAnObject.cpp */,
- A72700770DAC605600E548D7 /* JSNotAnObject.h */,
</del><span class="cx"> BC22A3980E16E14800AF21C8 /* JSObject.cpp */,
</span><span class="cx"> BC22A3990E16E14800AF21C8 /* JSObject.h */,
</span><span class="cx"> 0F93275E1C21EF7F00CF6564 /* JSObjectInlines.h */,
</span><span class="lines">@@ -9087,7 +9082,6 @@
</span><span class="cx"> E39DA4A61B7E8B7C0084F33A /* JSModuleRecord.cpp in Sources */,
</span><span class="cx"> 0FB387921BFD31A100E3AB1E /* FTLCompile.cpp in Sources */,
</span><span class="cx"> E33E8D1C1B9013C300346B52 /* JSNativeStdFunction.cpp in Sources */,
</span><del>- A72700900DAC6BBC00E548D7 /* JSNotAnObject.cpp in Sources */,
</del><span class="cx"> 147F39D4107EC37600427A48 /* JSObject.cpp in Sources */,
</span><span class="cx"> 1482B7E40A43076000517CFC /* JSObjectRef.cpp in Sources */,
</span><span class="cx"> A7F993600FD7325100A0B2D0 /* JSONObject.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorScriptCallStackFactorycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -149,6 +149,7 @@
</span><span class="cx"> // Fallback to getting at least the line and sourceURL from the exception object if it has values and the exceptionStack doesn't.
</span><span class="cx"> if (exception->value().isObject()) {
</span><span class="cx"> JSObject* exceptionObject = exception->value().toObject(exec);
</span><ins>+ ASSERT(exceptionObject);
</ins><span class="cx"> int lineNumber;
</span><span class="cx"> int columnNumber;
</span><span class="cx"> String exceptionSourceURL;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -48,7 +48,6 @@
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><span class="cx"> #include "JSModuleEnvironment.h"
</span><del>-#include "JSNotAnObject.h"
</del><span class="cx"> #include "JSStackInlines.h"
</span><span class="cx"> #include "JSString.h"
</span><span class="cx"> #include "JSWithScope.h"
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -1765,6 +1765,8 @@
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><span class="cx"> JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
</span><ins>+ if (!baseObj)
+ JSValue::encode(JSValue());
</ins><span class="cx"> bool couldDelete = baseObj->methodTable(vm)->deleteProperty(baseObj, exec, *identifier);
</span><span class="cx"> JSValue result = jsBoolean(couldDelete);
</span><span class="cx"> if (!couldDelete && exec->codeBlock()->isStrictMode())
</span><span class="lines">@@ -1805,7 +1807,10 @@
</span><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><del>- return JSValue::encode(JSValue::decode(value).toObject(exec));
</del><ins>+ JSObject* obj = JSValue::decode(value).toObject(exec);
+ if (!obj)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(obj);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> char* JIT_OPERATION operationSwitchCharWithUnknownKeyType(ExecState* exec, EncodedJSValue encodedKey, size_t tableIndex)
</span><span class="lines">@@ -2042,6 +2047,8 @@
</span><span class="cx"> return JSValue::encode(jsBoolean(false));
</span><span class="cx">
</span><span class="cx"> JSObject* base = baseValue.toObject(exec);
</span><ins>+ if (!base)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> return JSValue::encode(jsBoolean(base->hasPropertyGeneric(exec, asString(propertyName)->toIdentifier(exec), PropertySlot::InternalMethodType::GetOwnProperty)));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -681,6 +681,7 @@
</span><span class="cx"> LLINT_BEGIN();
</span><span class="cx"> CodeBlock* codeBlock = exec->codeBlock();
</span><span class="cx"> JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
</span><ins>+ LLINT_CHECK_EXCEPTION();
</ins><span class="cx"> bool couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
</span><span class="cx"> LLINT_CHECK_EXCEPTION();
</span><span class="cx"> if (!couldDelete && codeBlock->isStrictMode())
</span><span class="lines">@@ -798,7 +799,8 @@
</span><span class="cx"> LLINT_BEGIN();
</span><span class="cx"> JSValue baseValue = LLINT_OP_C(2).jsValue();
</span><span class="cx"> JSObject* baseObject = baseValue.toObject(exec);
</span><del>-
</del><ins>+ LLINT_CHECK_EXCEPTION();
+
</ins><span class="cx"> JSValue subscript = LLINT_OP_C(3).jsValue();
</span><span class="cx">
</span><span class="cx"> bool couldDelete;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -562,6 +562,8 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObject)
+ return JSValue::encode(JSValue());
</ins><span class="cx">
</span><span class="cx"> StringRecursionChecker checker(exec, thisObject);
</span><span class="cx"> if (JSValue earlyReturnValue = checker.earlyReturnValue())
</span><span class="lines">@@ -584,6 +586,8 @@
</span><span class="cx"> JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
</span><span class="cx"> unsigned argCount = exec->argumentCount();
</span><span class="cx"> JSValue curArg = thisValue.toObject(exec);
</span><ins>+ if (!curArg)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> Checked<unsigned, RecordOverflow> finalArraySize = 0;
</span><span class="cx">
</span><span class="cx"> // We need to do species construction before geting the rest of the elements.
</span><span class="lines">@@ -630,6 +634,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> curArg = thisValue.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
</ins><span class="cx"> unsigned n = 0;
</span><span class="cx"> for (unsigned i = 0; ; ++i) {
</span><span class="cx"> if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
</span><span class="lines">@@ -665,6 +670,8 @@
</span><span class="cx"> return JSValue::encode(asArray(thisValue)->pop(exec));
</span><span class="cx">
</span><span class="cx"> JSObject* thisObj = thisValue.toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -697,6 +704,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSObject* thisObj = thisValue.toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -722,6 +731,8 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObject)
+ return JSValue::encode(JSValue());
</ins><span class="cx">
</span><span class="cx"> unsigned length = getLength(exec, thisObject);
</span><span class="cx"> if (exec->hadException())
</span><span class="lines">@@ -795,6 +806,8 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -817,6 +830,8 @@
</span><span class="cx"> {
</span><span class="cx"> // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -859,6 +874,8 @@
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx">
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -950,6 +967,8 @@
</span><span class="cx"> // 15.4.4.13
</span><span class="cx">
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -974,6 +993,8 @@
</span><span class="cx"> {
</span><span class="cx"> // 15.4.4.14
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><span class="lines">@@ -997,6 +1018,8 @@
</span><span class="cx"> {
</span><span class="cx"> // 15.4.4.15
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> unsigned length = getLength(exec, thisObj);
</span><span class="cx"> if (!length)
</span><span class="cx"> return JSValue::encode(jsNumber(-1));
</span><span class="lines">@@ -1032,18 +1055,24 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncValues(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateValue, thisObj));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncEntries(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKeyValue, thisObj));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncKeys(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx"> return JSValue::encode(JSArrayIterator::create(exec, exec->callee()->globalObject()->arrayIteratorStructure(), ArrayIterateKey, thisObj));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -549,6 +549,7 @@
</span><span class="cx"> BEGIN();
</span><span class="cx"> JSValue baseValue = OP_C(2).jsValue();
</span><span class="cx"> JSObject* baseObject = baseValue.toObject(exec);
</span><ins>+ CHECK_EXCEPTION();
</ins><span class="cx">
</span><span class="cx"> JSValue subscript = OP_C(3).jsValue();
</span><span class="cx">
</span><span class="lines">@@ -606,6 +607,7 @@
</span><span class="cx"> {
</span><span class="cx"> BEGIN();
</span><span class="cx"> JSObject* base = OP(2).jsValue().toObject(exec);
</span><ins>+ CHECK_EXCEPTION();
</ins><span class="cx"> JSValue property = OP(3).jsValue();
</span><span class="cx"> pc[4].u.arrayProfile->observeStructure(base->structure(vm));
</span><span class="cx"> ASSERT(property.isUInt32());
</span><span class="lines">@@ -616,6 +618,7 @@
</span><span class="cx"> {
</span><span class="cx"> BEGIN();
</span><span class="cx"> JSObject* base = OP(2).jsValue().toObject(exec);
</span><ins>+ CHECK_EXCEPTION();
</ins><span class="cx"> JSValue property = OP(3).jsValue();
</span><span class="cx"> ASSERT(property.isString());
</span><span class="cx"> JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(OP(4).jsValue().asCell());
</span><span class="lines">@@ -628,6 +631,7 @@
</span><span class="cx"> {
</span><span class="cx"> BEGIN();
</span><span class="cx"> JSObject* base = OP(2).jsValue().toObject(exec);
</span><ins>+ CHECK_EXCEPTION();
</ins><span class="cx"> JSValue property = OP(3).jsValue();
</span><span class="cx"> bool result;
</span><span class="cx"> if (property.isString())
</span><span class="lines">@@ -656,6 +660,7 @@
</span><span class="cx"> RETURN(JSPropertyNameEnumerator::create(vm));
</span><span class="cx">
</span><span class="cx"> JSObject* base = baseValue.toObject(exec);
</span><ins>+ CHECK_EXCEPTION();
</ins><span class="cx">
</span><span class="cx"> RETURN(propertyNameEnumerator(exec, base));
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExceptionHelperscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -34,7 +34,6 @@
</span><span class="cx"> #include "ErrorHandlingScope.h"
</span><span class="cx"> #include "Exception.h"
</span><span class="cx"> #include "JSGlobalObjectFunctions.h"
</span><del>-#include "JSNotAnObject.h"
</del><span class="cx"> #include "Interpreter.h"
</span><span class="cx"> #include "Nodes.h"
</span><span class="cx"> #include "JSCInlines.h"
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> #include "JSCJSValueInlines.h"
</span><span class="cx"> #include "JSFunction.h"
</span><span class="cx"> #include "JSGlobalObject.h"
</span><del>-#include "JSNotAnObject.h"
</del><span class="cx"> #include "NumberObject.h"
</span><span class="cx"> #include "StructureInlines.h"
</span><span class="cx"> #include <wtf/MathExtras.h>
</span><span class="lines">@@ -90,7 +89,7 @@
</span><span class="cx"> ASSERT(isUndefinedOrNull());
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> vm.throwException(exec, createNotAnObjectError(exec, *this));
</span><del>- return JSNotAnObject::create(vm);
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue JSValue::toThisSlowCase(ExecState* exec, ECMAMode ecmaMode) const
</span><span class="lines">@@ -125,7 +124,7 @@
</span><span class="cx"> ASSERT(isUndefinedOrNull());
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> vm.throwException(exec, createNotAnObjectError(exec, *this));
</span><del>- return JSNotAnObject::create(vm);
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // ECMA 8.7.2
</span><span class="lines">@@ -140,6 +139,8 @@
</span><span class="cx">
</span><span class="cx"> // Check if there are any setters or getters in the prototype chain
</span><span class="cx"> JSObject* obj = synthesizePrototype(exec);
</span><ins>+ if (UNLIKELY(!obj))
+ return;
</ins><span class="cx"> JSValue prototype;
</span><span class="cx"> if (propertyName != exec->propertyNames().underscoreProto) {
</span><span class="cx"> for (; !obj->structure()->hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
</span><span class="lines">@@ -198,8 +199,13 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (synthesizePrototype(exec)->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow))
</del><ins>+ JSObject* prototype = synthesizePrototype(exec);
+ if (UNLIKELY(!prototype)) {
+ ASSERT(exec->hadException());
</ins><span class="cx"> return;
</span><ins>+ }
+ if (prototype->attemptToInterceptPutByIndexOnHoleForPrototype(exec, *this, propertyName, value, shouldThrow))
+ return;
</ins><span class="cx">
</span><span class="cx"> if (shouldThrow)
</span><span class="cx"> throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValueInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -767,6 +767,8 @@
</span><span class="cx"> if (isString() && asString(*this)->getStringPropertySlot(exec, propertyName, slot))
</span><span class="cx"> return true;
</span><span class="cx"> object = synthesizePrototype(exec);
</span><ins>+ if (UNLIKELY(!object))
+ return false;
</ins><span class="cx"> } else
</span><span class="cx"> object = asObject(asCell());
</span><span class="cx">
</span><span class="lines">@@ -788,6 +790,8 @@
</span><span class="cx"> if (isString() && asString(*this)->getStringPropertySlot(exec, propertyName, slot))
</span><span class="cx"> return slot.getValue(exec, propertyName);
</span><span class="cx"> object = synthesizePrototype(exec);
</span><ins>+ if (UNLIKELY(!object))
+ return JSValue();
</ins><span class="cx"> } else
</span><span class="cx"> object = asObject(asCell());
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -39,7 +39,6 @@
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "JSFunctionInlines.h"
</span><span class="cx"> #include "JSGlobalObject.h"
</span><del>-#include "JSNotAnObject.h"
</del><span class="cx"> #include "Interpreter.h"
</span><span class="cx"> #include "ObjectConstructor.h"
</span><span class="cx"> #include "ObjectPrototype.h"
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectFunctionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -821,8 +821,12 @@
</span><span class="cx">
</span><span class="cx"> JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
</span><span class="cx">
</span><del>- if (!thisObject)
- return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
</del><ins>+ if (!thisObject) {
+ JSObject* prototype = exec->thisValue().synthesizePrototype(exec);
+ if (UNLIKELY(!prototype))
+ return JSValue::encode(JSValue());
+ return JSValue::encode(prototype);
+ }
</ins><span class="cx">
</span><span class="cx"> GlobalFuncProtoGetterFunctor functor(exec, thisObject);
</span><span class="cx"> // This can throw but it's just unneeded extra work to check for it. The return
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSNotAnObjectcpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSNotAnObject.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSNotAnObject.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/JSNotAnObject.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -1,88 +0,0 @@
</span><del>-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Apple Inc. ("Apple") nor the names of
- * its contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-#include "config.h"
-#include "JSNotAnObject.h"
-
-#include "JSCInlines.h"
-
-namespace JSC {
-
-STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSNotAnObject);
-
-const ClassInfo JSNotAnObject::s_info = { "Object", &Base::s_info, 0, CREATE_METHOD_TABLE(JSNotAnObject) };
-
-// JSValue methods
-JSValue JSNotAnObject::defaultValue(const JSObject*, ExecState* exec, PreferredPrimitiveType)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return jsNumber(0);
-}
-
-// JSObject methods
-bool JSNotAnObject::getOwnPropertySlot(JSObject*, ExecState* exec, PropertyName, PropertySlot&)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-bool JSNotAnObject::getOwnPropertySlotByIndex(JSObject*, ExecState* exec, unsigned, PropertySlot&)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-void JSNotAnObject::put(JSCell*, ExecState* exec, PropertyName , JSValue, PutPropertySlot&)
-{
- ASSERT_UNUSED(exec, exec->hadException());
-}
-
-void JSNotAnObject::putByIndex(JSCell*, ExecState* exec, unsigned, JSValue, bool)
-{
- ASSERT_UNUSED(exec, exec->hadException());
-}
-
-bool JSNotAnObject::deleteProperty(JSCell*, ExecState* exec, PropertyName)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-bool JSNotAnObject::deletePropertyByIndex(JSCell*, ExecState* exec, unsigned)
-{
- ASSERT_UNUSED(exec, exec->hadException());
- return false;
-}
-
-void JSNotAnObject::getOwnPropertyNames(JSObject*, ExecState* exec, PropertyNameArray&, EnumerationMode)
-{
- ASSERT_UNUSED(exec, exec->hadException());
-}
-
-} // namespace JSC
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSNotAnObjecth"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSNotAnObject.h (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSNotAnObject.h 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/JSNotAnObject.h 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -1,83 +0,0 @@
</span><del>-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Apple Inc. ("Apple") nor the names of
- * its contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef JSNotAnObject_h
-#define JSNotAnObject_h
-
-#include "JSObject.h"
-
-namespace JSC {
-
-// This unholy class is used to allow us to avoid multiple exception checks
-// in certain SquirrelFish bytecodes -- effectively it just silently consumes
-// any operations performed on the result of a failed toObject call.
-class JSNotAnObject final : public JSNonFinalObject {
-private:
- explicit JSNotAnObject(VM& vm)
- : JSNonFinalObject(vm, vm.notAnObjectStructure.get())
- {
- }
-
-public:
- typedef JSNonFinalObject Base;
- static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
-
- static JSNotAnObject* create(VM& vm)
- {
- JSNotAnObject* object = new (NotNull, allocateCell<JSNotAnObject>(vm.heap)) JSNotAnObject(vm);
- object->finishCreation(vm);
- return object;
- }
-
- static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
- {
- return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
- }
-
- DECLARE_INFO;
-
-private:
- // JSValue methods
- static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
-
- // JSObject methods
- static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
- static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
-
- static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
- static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
-
- static bool deleteProperty(JSCell*, ExecState*, PropertyName);
- static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
-
- static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
-};
-
-} // namespace JSC
-
-#endif // JSNotAnObject_h
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -451,7 +451,11 @@
</span><span class="cx"> {
</span><span class="cx"> if (!exec->argument(0).isObject())
</span><span class="cx"> return throwVMError(exec, createTypeError(exec, ASCIILiteral("Properties can only be defined on Objects.")));
</span><del>- return JSValue::encode(defineProperties(exec, asObject(exec->argument(0)), exec->argument(1).toObject(exec)));
</del><ins>+ JSObject* targetObj = asObject(exec->argument(0));
+ JSObject* props = exec->argument(1).toObject(exec);
+ if (!props)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(defineProperties(exec, targetObj, props));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL objectConstructorCreate(ExecState* exec)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -81,7 +81,10 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL objectProtoFuncValueOf(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
</span><del>- return JSValue::encode(thisValue.toObject(exec));
</del><ins>+ JSObject* valueObj = thisValue.toObject(exec);
+ if (!valueObj)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(valueObj);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL objectProtoFuncHasOwnProperty(ExecState* exec)
</span><span class="lines">@@ -90,13 +93,18 @@
</span><span class="cx"> auto propertyName = exec->argument(0).toPropertyKey(exec);
</span><span class="cx"> if (exec->hadException())
</span><span class="cx"> return JSValue::encode(jsUndefined());
</span><del>- return JSValue::encode(jsBoolean(thisValue.toObject(exec)->hasOwnProperty(exec, propertyName)));
</del><ins>+ JSObject* thisObject = thisValue.toObject(exec);
+ if (!thisObject)
+ return JSValue::encode(JSValue());
+ return JSValue::encode(jsBoolean(thisObject->hasOwnProperty(exec, propertyName)));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL objectProtoFuncIsPrototypeOf(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
</span><span class="cx"> JSObject* thisObj = thisValue.toObject(exec);
</span><ins>+ if (!thisObj)
+ return JSValue::encode(JSValue());
</ins><span class="cx">
</span><span class="cx"> if (!exec->argument(0).isObject())
</span><span class="cx"> return JSValue::encode(jsBoolean(false));
</span><span class="lines">@@ -265,6 +273,8 @@
</span><span class="cx"> if (thisValue.isUndefinedOrNull())
</span><span class="cx"> return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
</span><span class="cx"> JSObject* thisObject = thisValue.toObject(exec);
</span><ins>+ if (!thisObject)
+ return JSValue::encode(JSValue());
</ins><span class="cx">
</span><span class="cx"> JSString* result = thisObject->structure(vm)->objectToStringValue();
</span><span class="cx"> if (!result) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -65,7 +65,6 @@
</span><span class="cx"> #include "JSInternalPromiseDeferred.h"
</span><span class="cx"> #include "JSLexicalEnvironment.h"
</span><span class="cx"> #include "JSLock.h"
</span><del>-#include "JSNotAnObject.h"
</del><span class="cx"> #include "JSPromiseDeferred.h"
</span><span class="cx"> #include "JSPropertyNameEnumerator.h"
</span><span class="cx"> #include "JSTemplateRegistryKey.h"
</span><span class="lines">@@ -215,7 +214,6 @@
</span><span class="cx"> structureRareDataStructure.set(*this, StructureRareData::createStructure(*this, 0, jsNull()));
</span><span class="cx"> terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
</span><span class="cx"> stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
</span><del>- notAnObjectStructure.set(*this, JSNotAnObject::createStructure(*this, 0, jsNull()));
</del><span class="cx"> propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
</span><span class="cx"> getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));
</span><span class="cx"> customGetterSetterStructure.set(*this, CustomGetterSetter::createStructure(*this, 0, jsNull()));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/JavaScriptCore/runtime/VM.h 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -284,7 +284,6 @@
</span><span class="cx"> Strong<Structure> structureRareDataStructure;
</span><span class="cx"> Strong<Structure> terminatedExecutionErrorStructure;
</span><span class="cx"> Strong<Structure> stringStructure;
</span><del>- Strong<Structure> notAnObjectStructure;
</del><span class="cx"> Strong<Structure> propertyNameIteratorStructure;
</span><span class="cx"> Strong<Structure> propertyNameEnumeratorStructure;
</span><span class="cx"> Strong<Structure> getterSetterStructure;
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/ChangeLog 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -1,3 +1,36 @@
</span><ins>+2016-03-08 Mark Lam <mark.lam@apple.com>
+
+ synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
+ https://bugs.webkit.org/show_bug.cgi?id=155169
+
+ Reviewed by Geoffrey Garen.
+
+ No new tests because this issue is covered by existing tests when the fix for
+ https://bugs.webkit.org/show_bug.cgi?id=154865 lands. That patch is waiting for
+ this patch to land first so as to not introduce test failures.
+
+ * Modules/plugins/QuickTimePluginReplacement.mm:
+ (WebCore::QuickTimePluginReplacement::installReplacement):
+ * bindings/js/JSDeviceMotionEventCustom.cpp:
+ (WebCore::readAccelerationArgument):
+ (WebCore::readRotationRateArgument):
+ * bindings/js/JSGeolocationCustom.cpp:
+ (WebCore::createPositionOptions):
+ * bindings/js/JSHTMLCanvasElementCustom.cpp:
+ (WebCore::get3DContextAttributes):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateConstructorDefinition):
+ * bindings/scripts/test/JS/JSTestEventConstructor.cpp:
+ (WebCore::JSTestEventConstructorConstructor::construct):
+ * contentextensions/ContentExtensionParser.cpp:
+ (WebCore::ContentExtensions::getTypeFlags):
+ * html/HTMLMediaElement.cpp:
+ (WebCore::setPageScaleFactorProperty):
+ (WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
+ (WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
+ * html/HTMLPlugInImageElement.cpp:
+ (WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):
+
</ins><span class="cx"> 2016-03-08 Oliver Hunt <oliver@apple.com>
</span><span class="cx">
</span><span class="cx"> Start moving to separated writable and executable mappings in the JIT
</span></span></pre></div>
<a id="trunkSourceWebCoreModulespluginsQuickTimePluginReplacementmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -190,6 +190,7 @@
</span><span class="cx"> if (replacementFunction.isUndefinedOrNull())
</span><span class="cx"> return false;
</span><span class="cx"> JSC::JSObject* replacementObject = replacementFunction.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
</ins><span class="cx"> JSC::CallData callData;
</span><span class="cx"> JSC::CallType callType = replacementObject->methodTable()->getCallData(replacementObject, callData);
</span><span class="cx"> if (callType == JSC::CallType::None)
</span><span class="lines">@@ -220,8 +221,10 @@
</span><span class="cx">
</span><span class="cx"> // Get the scripting interface.
</span><span class="cx"> value = replacement.get(exec, JSC::Identifier::fromString(exec, "scriptObject"));
</span><del>- if (!exec->hadException() && !value.isUndefinedOrNull())
</del><ins>+ if (!exec->hadException() && !value.isUndefinedOrNull()) {
</ins><span class="cx"> m_scriptObject = value.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
+ }
</ins><span class="cx">
</span><span class="cx"> if (!m_scriptObject) {
</span><span class="cx"> LOG(Plugins, "%p - Failed to find script object created by QuickTime plugin replacement.", this);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDeviceMotionEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -47,6 +47,7 @@
</span><span class="cx">
</span><span class="cx"> // Given the above test, this will always yield an object.
</span><span class="cx"> JSObject* object = value.toObject(&state);
</span><ins>+ ASSERT(!state.hadException());
</ins><span class="cx">
</span><span class="cx"> JSValue xValue = object->get(&state, Identifier::fromString(&state, "x"));
</span><span class="cx"> if (state.hadException())
</span><span class="lines">@@ -85,6 +86,7 @@
</span><span class="cx">
</span><span class="cx"> // Given the above test, this will always yield an object.
</span><span class="cx"> JSObject* object = value.toObject(&state);
</span><ins>+ ASSERT(!state.hadException());
</ins><span class="cx">
</span><span class="cx"> JSValue alphaValue = object->get(&state, Identifier::fromString(&state, "alpha"));
</span><span class="cx"> if (state.hadException())
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSGeolocationCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/js/JSGeolocationCustom.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -82,6 +82,7 @@
</span><span class="cx">
</span><span class="cx"> // Given the above test, this will always yield an object.
</span><span class="cx"> JSObject* object = value.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
</ins><span class="cx">
</span><span class="cx"> // Create the dictionary wrapper from the initializer object.
</span><span class="cx"> JSDictionary dictionary(exec, object);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSHTMLCanvasElementCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/js/JSHTMLCanvasElementCustom.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -51,6 +51,7 @@
</span><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> JSObject* initializerObject = initializerValue.toObject(&state);
</span><ins>+ ASSERT(!state.hadException());
</ins><span class="cx"> JSDictionary dictionary(&state, initializerObject);
</span><span class="cx">
</span><span class="cx"> GraphicsContext3D::Attributes graphicsAttrs;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -4820,6 +4820,7 @@
</span><span class="cx"> if (!initializerValue.isUndefinedOrNull()) {
</span><span class="cx"> // Given the above test, this will always yield an object.
</span><span class="cx"> JSObject* initializerObject = initializerValue.toObject(state);
</span><ins>+ ASSERT(!state->hadException());
</ins><span class="cx">
</span><span class="cx"> // Create the dictionary wrapper from the initializer object.
</span><span class="cx"> JSDictionary dictionary(state, initializerObject);
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestEventConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -88,6 +88,7 @@
</span><span class="cx"> if (!initializerValue.isUndefinedOrNull()) {
</span><span class="cx"> // Given the above test, this will always yield an object.
</span><span class="cx"> JSObject* initializerObject = initializerValue.toObject(state);
</span><ins>+ ASSERT(!state->hadException());
</ins><span class="cx">
</span><span class="cx"> // Create the dictionary wrapper from the initializer object.
</span><span class="cx"> JSDictionary dictionary(state, initializerObject);
</span></span></pre></div>
<a id="trunkSourceWebCorecontentextensionsContentExtensionParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -90,6 +90,7 @@
</span><span class="cx"> return { };
</span><span class="cx">
</span><span class="cx"> const JSObject* object = typeValue.toObject(&exec);
</span><ins>+ ASSERT(!exec.hadException());
</ins><span class="cx"> if (!isJSArray(object))
</span><span class="cx"> return ContentExtensionError::JSONInvalidTriggerFlagsArray;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLMediaElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -6309,6 +6309,8 @@
</span><span class="cx"> {
</span><span class="cx"> JSC::PutPropertySlot propertySlot(controllerValue);
</span><span class="cx"> JSC::JSObject* controllerObject = controllerValue.toObject(exec);
</span><ins>+ if (!controllerObject)
+ return;
</ins><span class="cx"> controllerObject->methodTable()->put(controllerObject, exec, JSC::Identifier::fromString(exec, "pageScaleFactor"), JSC::jsNumber(pageScaleFactor), propertySlot);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -6355,6 +6357,7 @@
</span><span class="cx"> argList.append(mediaControlsHostJSWrapper);
</span><span class="cx">
</span><span class="cx"> JSC::JSObject* function = functionValue.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
</ins><span class="cx"> JSC::CallData callData;
</span><span class="cx"> JSC::CallType callType = function->methodTable()->getCallData(function, callData);
</span><span class="cx"> if (callType == JSC::CallType::None)
</span><span class="lines">@@ -6368,6 +6371,7 @@
</span><span class="cx">
</span><span class="cx"> // Connect the Media, MediaControllerHost, and Controller so the GC knows about their relationship
</span><span class="cx"> JSC::JSObject* mediaJSWrapperObject = mediaJSWrapper.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
</ins><span class="cx"> JSC::Identifier controlsHost = JSC::Identifier::fromString(&exec->vm(), "controlsHost");
</span><span class="cx">
</span><span class="cx"> ASSERT(!mediaJSWrapperObject->hasProperty(exec, controlsHost));
</span><span class="lines">@@ -6449,6 +6453,7 @@
</span><span class="cx"> return "";
</span><span class="cx">
</span><span class="cx"> JSC::JSObject* function = functionValue.toObject(exec);
</span><ins>+ ASSERT(!exec->hadException());
</ins><span class="cx"> JSC::CallData callData;
</span><span class="cx"> JSC::CallType callType = function->methodTable()->getCallData(function, callData);
</span><span class="cx"> JSC::MarkedArgumentBuffer argList;
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLPlugInImageElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp (197793 => 197794)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2016-03-08 20:53:11 UTC (rev 197793)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2016-03-08 20:57:25 UTC (rev 197794)
</span><span class="lines">@@ -404,6 +404,11 @@
</span><span class="cx">
</span><span class="cx"> // It is expected the JS file provides a createOverlay(shadowRoot, title, subtitle) function.
</span><span class="cx"> JSC::JSObject* overlay = globalObject->get(exec, JSC::Identifier::fromString(exec, "createOverlay")).toObject(exec);
</span><ins>+ if (!overlay) {
+ ASSERT(exec->hadException());
+ exec->clearException();
+ return;
+ }
</ins><span class="cx"> JSC::CallData callData;
</span><span class="cx"> JSC::CallType callType = overlay->methodTable()->getCallData(overlay, callData);
</span><span class="cx"> if (callType == JSC::CallType::None)
</span></span></pre>
</div>
</div>
</body>
</html>