<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[201787] trunk/Source</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/201787">201787</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2016-06-07 19:53:32 -0700 (Tue, 07 Jun 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Need an exception check after constructEmptyArray().
https://bugs.webkit.org/show_bug.cgi?id=158411

Reviewed by Saam Barati.

Source/JavaScriptCore:

Added an exception check after each call to constructEmptyArray().

* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::getInternalProperties):
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::functionsOnStack):
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::addSequenceProperties):
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::toJS):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::toJS):
* profiler/ProfilerOSRExitSite.cpp:
(JSC::Profiler::OSRExitSite::toJS):
* profiler/ProfilerOriginStack.cpp:
(JSC::Profiler::OriginStack::toJS):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser&lt;CharType&gt;::parse):
* runtime/ModuleLoaderObject.cpp:
(JSC::moduleLoaderObjectRequestedModules):
* runtime/ObjectConstructor.cpp:
(JSC::ownPropertyKeys):
* runtime/RegExpObject.cpp:
(JSC::collectMatches):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncSplitFast):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSplitFast):
* runtime/TemplateRegistry.cpp:
(JSC::TemplateRegistry::getTemplateObject):

* tests/stress/regress-158411.js: Added.

Source/WebCore:

A stress test for this was added in JavaScriptCore.

* bindings/js/IDBBindingUtilities.cpp:
(WebCore::toJS):
* bindings/js/JSCommandLineAPIHostCustom.cpp:
(WebCore::getJSListenerFunctions):
* bindings/js/JSCryptoKeySerializationJWK.cpp:
(WebCore::buildJSONForRSAComponents):
(WebCore::addBoolToJSON):
(WebCore::addUsagesToJSON):
(WebCore::JSCryptoKeySerializationJWK::serialize):
* bindings/js/JSDOMBinding.h:
(WebCore::toJS):
* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorJSInjectedScriptHostcpp">trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterShadowChickencpp">trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerBytecodeSequencecpp">trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerCompilationcpp">trunk/Source/JavaScriptCore/profiler/ProfilerCompilation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerDatabasecpp">trunk/Source/JavaScriptCore/profiler/ProfilerDatabase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerOSRExitSitecpp">trunk/Source/JavaScriptCore/profiler/ProfilerOSRExitSite.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerOriginStackcpp">trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypecpp">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeLiteralParsercpp">trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeModuleLoaderObjectcpp">trunk/Source/JavaScriptCore/runtime/ModuleLoaderObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectConstructorcpp">trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpObjectcpp">trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpPrototypecpp">trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStringPrototypecpp">trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTemplateRegistrycpp">trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsIDBBindingUtilitiescpp">trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSCommandLineAPIHostCustomcpp">trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSCryptoKeySerializationJWKcpp">trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMBindingh">trunk/Source/WebCore/bindings/js/JSDOMBinding.h</a></li>
<li><a href="#trunkSourceWebCorebindingsjsSerializedScriptValuecpp">trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstressregress158411js">trunk/Source/JavaScriptCore/tests/stress/regress-158411.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
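--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,50 @@
+2016-06-07  Mark Lam  <mark.lam@apple.com>
+
+        Need an exception check after constructEmptyArray().
+        https://bugs.webkit.org/show_bug.cgi?id=158411
+
+        Reviewed by Saam Barati.
+
+        Added an exception check after each call to constructEmptyArray().
+
+        * inspector/JSInjectedScriptHost.cpp:
+        (Inspector::JSInjectedScriptHost::getInternalProperties):
+        (Inspector::JSInjectedScriptHost::weakMapEntries):
+        (Inspector::JSInjectedScriptHost::weakSetEntries):
+        (Inspector::JSInjectedScriptHost::iteratorEntries):
+        * interpreter/ShadowChicken.cpp:
+        (JSC::ShadowChicken::functionsOnStack):
+        * profiler/ProfilerBytecodeSequence.cpp:
+        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
+        * profiler/ProfilerCompilation.cpp:
+        (JSC::Profiler::Compilation::toJS):
+        * profiler/ProfilerDatabase.cpp:
+        (JSC::Profiler::Database::toJS):
+        * profiler/ProfilerOSRExitSite.cpp:
+        (JSC::Profiler::OSRExitSite::toJS):
+        * profiler/ProfilerOriginStack.cpp:
+        (JSC::Profiler::OriginStack::toJS):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSplice):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/ModuleLoaderObject.cpp:
+        (JSC::moduleLoaderObjectRequestedModules):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::ownPropertyKeys):
+        * runtime/RegExpObject.cpp:
+        (JSC::collectMatches):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::regExpProtoFuncSplitFast):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncSplitFast):
+        * runtime/TemplateRegistry.cpp:
+        (JSC::TemplateRegistry::getTemplateObject):
+
+        * tests/stress/regress-158411.js: Added.
+
 2016-06-07  Filip Pizlo  <fpizlo@apple.com>
 
         Implement Air::allocateStack() in ES6 to see how much of a bad idea that is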
<a id="trunkSourceJavaScriptCoreinspectorJSInjectedScriptHostcpp"></a>
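--- a/trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
+++ b/trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
@@ -257,11 +257,14 @@
     if (exec->argumentCount() < 1)
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
 
     if (JSPromise* promise = jsDynamicCast<JSPromise*>(value)) {
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         switch (promise->status(exec->vm())) {
         case JSPromise::Status::Pending:
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("status"), jsNontrivialString(exec, ASCIILiteral("pending"))));
@@ -282,6 +285,8 @@
     if (JSBoundFunction* boundFunction = jsDynamicCast<JSBoundFunction*>(value)) {
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "targetFunction", boundFunction->targetFunction()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundThis", boundFunction->boundThis()));
         if (boundFunction->boundArgs())
@@ -292,6 +297,8 @@
     if (ProxyObject* proxy = jsDynamicCast<ProxyObject*>(value)) {
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("target"), proxy->target()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, ASCIILiteral("handler"), proxy->handler()));
         return array;
@@ -304,6 +311,8 @@
 
             unsigned index = 0;
             JSArray* array = constructEmptyArray(exec, nullptr, 2);
+            if (UNLIKELY(vm.exception()))
+                return jsUndefined();
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", iteratedValue));
             array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", kind));
             return array;
@@ -325,6 +334,8 @@
         }
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "array", arrayIterator->iteratedValue(exec)));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
         return array;
@@ -345,6 +356,8 @@
         }
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "map", mapIterator->iteratedValue()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
         return array;
@@ -365,6 +378,8 @@
         }
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 2);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "set", setIterator->iteratedValue()));
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "kind", jsNontrivialString(exec, kind)));
         return array;
@@ -373,6 +388,8 @@
     if (JSStringIterator* stringIterator = jsDynamicCast<JSStringIterator*>(value)) {
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 1);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "string", stringIterator->iteratedValue(exec)));
         return array;
     }
@@ -380,6 +397,8 @@
     if (JSPropertyNameIterator* propertyNameIterator = jsDynamicCast<JSPropertyNameIterator*>(value)) {
         unsigned index = 0;
         JSArray* array = constructEmptyArray(exec, nullptr, 1);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         array->putDirectIndex(exec, index++, constructInternalProperty(exec, "object", propertyNameIterator->iteratedValue()));
         return array;
     }
@@ -405,6 +424,7 @@
     if (exec->argumentCount() < 1)
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
     JSWeakMap* weakMap = jsDynamicCast<JSWeakMap*>(value);
     if (!weakMap)
@@ -419,6 +439,8 @@
         numberToFetch = static_cast<unsigned>(fetchDouble);
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = weakMap->weakMapData()->begin(); it != weakMap->weakMapData()->end(); ++it) {
         JSObject* entry = constructEmptyObject(exec);
         entry->putDirect(exec->vm(), Identifier::fromString(exec, "key"), it->key);
@@ -449,6 +471,7 @@
     if (exec->argumentCount() < 1)
         return jsUndefined();
 
+    VM& vm = exec->vm();
     JSValue value = exec->uncheckedArgument(0);
     JSWeakSet* weakSet = jsDynamicCast<JSWeakSet*>(value);
     if (!weakSet)
@@ -463,6 +486,8 @@
         numberToFetch = static_cast<unsigned>(fetchDouble);
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = weakSet->weakMapData()->begin(); it != weakSet->weakMapData()->end(); ++it) {
         JSObject* entry = constructEmptyObject(exec);
         entry->putDirect(exec->vm(), Identifier::fromString(exec, "value"), it->key);
@@ -501,7 +526,7 @@
         iterator = stringIterator->clone(exec);
     else if (JSPropertyNameIterator* propertyNameIterator = jsDynamicCast<JSPropertyNameIterator*>(value)) {
         iterator = propertyNameIterator->clone(exec);
-        if (UNLIKELY(exec->hadException()))
+        if (UNLIKELY(vm.exception()))
             return JSValue();
     } else {
         if (JSObject* iteratorObject = jsDynamicCast<JSObject*>(value)) {
@@ -521,16 +546,18 @@
         numberToFetch = static_cast<unsigned>(fetchDouble);
 
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
 
     for (unsigned i = 0; i < numberToFetch; ++i) {
         JSValue next = iteratorStep(exec, iterator);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             break;
         if (next.isFalse())
             break;
 
         JSValue nextValue = iteratorValue(exec, next);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             break;
 
         JSObject* entry = constructEmptyObject(exec);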
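Review bot: In the first hunk (@@ -257) `switch (promise->status(exec->vm())) {` still fetches the VM through exec immediately after the new `VM& vm = exec->vm();`, and the same leftover appears at `entry->putDirect(exec->vm(), ...)` in the weakMapEntries and weakSetEntries hunks (@@ -419, @@ -463); the cached reference should be used there too, e.g. `switch (promise->status(vm)) {`. In those same two loops `JSObject* entry = constructEmptyObject(exec);` stays unchecked even though this commit does add a check after constructEmptyObject in Profiler::Compilation::toJS, so if that helper can throw these loops need the same guard. In the @@ -501 hunk `vm.exception()` is used inside iteratorEntries, but no `VM& vm` declaration for that function is within the shown hunks, so I assume it already exists in the function prologue — worth confirming. Every enclosing function here starts and ends outside its hunks.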
<a id="trunkSourceJavaScriptCoreinterpreterShadowChickencpp"></a>
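--- a/trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp
+++ b/trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp
@@ -435,10 +435,13 @@
 
 JSArray* ShadowChicken::functionsOnStack(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     iterate(
-        exec->vm(), exec,
+        vm, exec,
         [&] (const Frame& frame) -> bool {
             result->push(exec, frame.callee);
             return true;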
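Review bot: functionsOnStack now returns nullptr when the array allocation throws, which changes the function's contract, and neither the header that declares it nor any caller is in this commit, so nothing documents that callers must null-check; I would add above the definition `// Returns nullptr if an exception was thrown during allocation; callers must check for it.` and confirm each caller handles the null. Inside the iterate() callback, `result->push(exec, frame.callee);` is still invoked with no exception check and the lambda returns true unconditionally, so if push() can throw the walk keeps going with a pending exception; `return !vm.exception();` would stop at the first failure. The lambda body and the rest of the function continue past the end of the hunk.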
<a id="trunkSourceJavaScriptCoreprofilerProfilerBytecodeSequencecpp"></a>
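--- a/trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp
@@ -77,15 +77,20 @@
 
 void BytecodeSequence::addSequenceProperties(ExecState* exec, JSObject* result) const
 {
+    VM& vm = exec->vm();
     JSArray* header = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return;
     for (unsigned i = 0; i < m_header.size(); ++i)
         header->putDirectIndex(exec, i, jsString(exec, String::fromUTF8(m_header[i])));
-    result->putDirect(exec->vm(), exec->propertyNames().header, header);
+    result->putDirect(vm, exec->propertyNames().header, header);
     
     JSArray* sequence = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return;
     for (unsigned i = 0; i < m_sequence.size(); ++i)
         sequence->putDirectIndex(exec, i, m_sequence[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().bytecode, sequence);
+    result->putDirect(vm, exec->propertyNames().bytecode, sequence);
 }
 
 } } // namespace JSC::Profiler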
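Review bot: The second early `return;` added after `JSArray* sequence = constructEmptyArray(exec, 0);` leaves `result` with its `header` property set but no `bytecode` property, and because the function is void the caller can only discover this by checking `vm.exception()` itself; no caller is in this commit, so the contract should be stated at the definition, e.g. `// Bails out on exception, possibly leaving result partially populated; callers must check vm.exception().` The `jsString(exec, String::fromUTF8(m_header[i]))` and `m_sequence[i].toJS(exec)` calls in the two loops remain unchecked, so if either can throw the loops keep storing into the array with an exception pending.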
<a id="trunkSourceJavaScriptCoreprofilerProfilerCompilationcpp"></a>
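--- a/trunk/Source/JavaScriptCore/profiler/ProfilerCompilation.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerCompilation.cpp
@@ -114,48 +114,60 @@
 
 JSValue Compilation::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSObject* result = constructEmptyObject(exec);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
+    result->putDirect(vm, exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
+    result->putDirect(vm, exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
     
-    result->putDirect(exec->vm(), exec->propertyNames().bytecodesID, jsNumber(m_bytecodes->id()));
-    result->putDirect(exec->vm(), exec->propertyNames().compilationKind, jsString(exec, String::fromUTF8(toCString(m_kind))));
-    
     JSArray* profiledBytecodes = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_profiledBytecodes.size(); ++i)
         profiledBytecodes->putDirectIndex(exec, i, m_profiledBytecodes[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().profiledBytecodes, profiledBytecodes);
+    result->putDirect(vm, exec->propertyNames().profiledBytecodes, profiledBytecodes);
     
     JSArray* descriptions = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_descriptions.size(); ++i)
         descriptions->putDirectIndex(exec, i, m_descriptions[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().descriptions, descriptions);
+    result->putDirect(vm, exec->propertyNames().descriptions, descriptions);
     
     JSArray* counters = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (auto it = m_counters.begin(), end = m_counters.end(); it != end; ++it) {
         JSObject* counterEntry = constructEmptyObject(exec);
-        counterEntry->putDirect(exec->vm(), exec->propertyNames().origin, it->key.toJS(exec));
-        counterEntry->putDirect(exec->vm(), exec->propertyNames().executionCount, jsNumber(it->value->count()));
+        counterEntry->putDirect(vm, exec->propertyNames().origin, it->key.toJS(exec));
+        counterEntry->putDirect(vm, exec->propertyNames().executionCount, jsNumber(it->value->count()));
         counters->push(exec, counterEntry);
     }
-    result->putDirect(exec->vm(), exec->propertyNames().counters, counters);
+    result->putDirect(vm, exec->propertyNames().counters, counters);
     
     JSArray* exitSites = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_osrExitSites.size(); ++i)
         exitSites->putDirectIndex(exec, i, m_osrExitSites[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().osrExitSites, exitSites);
+    result->putDirect(vm, exec->propertyNames().osrExitSites, exitSites);
     
     JSArray* exits = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_osrExits.size(); ++i)
         exits->putDirectIndex(exec, i, m_osrExits[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().osrExits, exits);
+    result->putDirect(vm, exec->propertyNames().osrExits, exits);
     
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
-    result->putDirect(exec->vm(), exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
-    result->putDirect(exec->vm(), exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
+    result->putDirect(vm, exec->propertyNames().numInlinedGetByIds, jsNumber(m_numInlinedGetByIds));
+    result->putDirect(vm, exec->propertyNames().numInlinedPutByIds, jsNumber(m_numInlinedPutByIds));
+    result->putDirect(vm, exec->propertyNames().numInlinedCalls, jsNumber(m_numInlinedCalls));
+    result->putDirect(vm, exec->propertyNames().jettisonReason, jsString(exec, String::fromUTF8(toCString(m_jettisonReason))));
     if (!m_additionalJettisonReason.isNull())
-        result->putDirect(exec->vm(), exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
+        result->putDirect(vm, exec->propertyNames().additionalJettisonReason, jsString(exec, String::fromUTF8(m_additionalJettisonReason)));
     
-    result->putDirect(exec->vm(), exec->propertyNames().uid, m_uid.toJS(exec));
+    result->putDirect(vm, exec->propertyNames().uid, m_uid.toJS(exec));
     
     return result;
 }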
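Review bot: The exception check added after `JSObject* result = constructEmptyObject(exec);` is not repeated after `JSObject* counterEntry = constructEmptyObject(exec);` inside the m_counters loop, so the two constructEmptyObject call sites in the same function are treated differently. If constructEmptyObject can throw, the loop site needs the same guard, `if (UNLIKELY(vm.exception())) return jsUndefined();` directly after it; if it cannot, the guard at the top is dead code and the ChangeLog (which only mentions constructEmptyArray) should say which case applies. The `toJS(exec)` results stored by the putDirectIndex loops are likewise never checked, even though those callees now return jsUndefined() on failure. Database::toJS in the following file caches `vm` but leaves its own constructEmptyObject unchecked, so the two files should agree.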
<a id="trunkSourceJavaScriptCoreprofilerProfilerDatabasecpp"></a>
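--- a/trunk/Source/JavaScriptCore/profiler/ProfilerDatabase.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerDatabase.cpp
@@ -99,22 +99,29 @@
 
 JSValue Database::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSObject* result = constructEmptyObject(exec);
     
     JSArray* bytecodes = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_bytecodes.size(); ++i)
         bytecodes->putDirectIndex(exec, i, m_bytecodes[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().bytecodes, bytecodes);
+    result->putDirect(vm, exec->propertyNames().bytecodes, bytecodes);
     
     JSArray* compilations = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_compilations.size(); ++i)
         compilations->putDirectIndex(exec, i, m_compilations[i]->toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().compilations, compilations);
+    result->putDirect(vm, exec->propertyNames().compilations, compilations);
     
     JSArray* events = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_events.size(); ++i)
         events->putDirectIndex(exec, i, m_events[i].toJS(exec));
-    result->putDirect(exec->vm(), exec->propertyNames().events, events);
+    result->putDirect(vm, exec->propertyNames().events, events);
     
     return result;
 }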
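Review bot: The new checks cover only the three constructEmptyArray() calls; inside each loop the element conversion (`m_bytecodes[i].toJS(exec)`, `m_compilations[i]->toJS(exec)`, `m_events[i].toJS(exec)`) and the `putDirectIndex` call still run unchecked, so once one element's toJS() bails out with a pending exception the loop carries on and stores whatever it returned (this commit makes the OSRExitSite and OriginStack conversions return `jsUndefined()` in that case). Adding `if (UNLIKELY(vm.exception())) return jsUndefined();` as the second statement of each loop body would stop at the first failure instead of handing back a partially filled object. The same applies to the `m_stack` loop in ProfilerOriginStack.cpp and the `m_codeAddresses` loop in ProfilerOSRExitSite.cpp in this commit.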
<a id="trunkSourceJavaScriptCoreprofilerProfilerOSRExitSitecpp"></a>
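--- a/trunk/Source/JavaScriptCore/profiler/ProfilerOSRExitSite.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerOSRExitSite.cpp
@@ -36,7 +36,10 @@
 
 JSValue OSRExitSite::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     for (unsigned i = 0; i < m_codeAddresses.size(); ++i)
         result->putDirectIndex(exec, i, jsString(exec, toString(RawPointer(m_codeAddresses[i]))));
     return result;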
<a id="trunkSourceJavaScriptCoreprofilerProfilerOriginStackcpp"></a>
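--- a/trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp
+++ b/trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp
@@ -100,7 +100,10 @@
 
 JSValue OriginStack::toJS(ExecState* exec) const
 {
+    VM& vm = exec->vm();
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
     
     for (unsigned i = 0; i < m_stack.size(); ++i)
         result->putDirectIndex(exec, i, m_stack[i].toJS(exec));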
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
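--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -590,6 +590,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
     unsigned argCount = exec->argumentCount();
     JSValue curArg = thisValue.toObject(exec);
@@ -610,7 +611,7 @@
         if (currentArray) {
             // Can't use JSArray::length here because this might be a RuntimeArray!
             finalArraySize += getLength(exec, currentArray);
-            if (exec->hadException())
+            if (UNLIKELY(vm.exception()))
                 return JSValue::encode(jsUndefined());
         } else
             ++finalArraySize;
@@ -636,22 +637,22 @@
     else {
         // We add the newTarget because the compiler gets confused between 0 being a number and a pointer.
         result = constructEmptyArray(exec, nullptr, 0, JSValue());
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
 
     curArg = thisValue.toObject(exec);
-    ASSERT(!exec->hadException());
+    ASSERT(!vm.exception());
     unsigned n = 0;
     for (unsigned i = 0; ; ++i) {
         if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
             // Can't use JSArray::length here because this might be a RuntimeArray!
             unsigned length = getLength(exec, currentArray);
-            if (exec->hadException())
+            if (UNLIKELY(vm.exception()))
                 return JSValue::encode(jsUndefined());
             for (unsigned k = 0; k < length; ++k) {
                 JSValue v = getProperty(exec, currentArray, k);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 if (v)
                     result->putDirectIndex(exec, n, v);
@@ -846,11 +847,12 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec)
 {
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
+    VM& vm = exec->vm();
     JSObject* thisObj = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
     if (!thisObj)
         return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
     unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
@@ -869,13 +871,16 @@
     JSObject* result;
     if (speciesResult.first == SpeciesConstructResult::CreatedObject)
         result = speciesResult.second;
-    else
+    else {
         result = constructEmptyArray(exec, nullptr, end - begin);
+        if (UNLIKELY(vm.exception()))
+            return JSValue::encode(jsUndefined());
+    }
 
     unsigned n = 0;
     for (unsigned k = begin; k < end; k++, n++) {
         JSValue v = getProperty(exec, thisObj, k);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
         if (v)
             result->putDirectIndex(exec, n, v);
@@ -894,7 +899,7 @@
     if (!thisObj)
         return JSValue::encode(JSValue());
     unsigned length = getLength(exec, thisObj);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
     if (!exec->argumentCount()) {
@@ -905,8 +910,11 @@
         JSObject* result;
         if (speciesResult.first == SpeciesConstructResult::CreatedObject)
             result = speciesResult.second;
-        else
+        else {
             result = constructEmptyArray(exec, nullptr);
+            if (UNLIKELY(vm.exception()))
+                return JSValue::encode(jsUndefined());
+        }
 
         setLength(exec, result, 0);
         return JSValue::encode(result);
@@ -939,10 +947,10 @@
             
             for (unsigned k = 0; k < deleteCount; ++k) {
                 JSValue v = getProperty(exec, thisObj, k + begin);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 result->putByIndexInline(exec, k, v, true);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
             }
         } else {
@@ -952,7 +960,7 @@
             
             for (unsigned k = 0; k < deleteCount; ++k) {
                 JSValue v = getProperty(exec, thisObj, k + begin);
-                if (exec->hadException())
+                if (UNLIKELY(vm.exception()))
                     return JSValue::encode(jsUndefined());
                 result->initializeIndex(vm, k, v);
             }
@@ -962,16 +970,16 @@
     unsigned additionalArgs = std::max<int>(exec->argumentCount() - 2, 0);
     if (additionalArgs < deleteCount) {
         shift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     } else if (additionalArgs > deleteCount) {
         unshift<JSArray::ShiftCountForSplice>(exec, thisObj, begin, deleteCount, additionalArgs, length);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
     for (unsigned k = 0; k < additionalArgs; ++k) {
         thisObj->putByIndexInline(exec, k + begin, exec->uncheckedArgument(k + 2), true);
-        if (exec->hadException())
+        if (UNLIKELY(vm.exception()))
             return JSValue::encode(jsUndefined());
     }
 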
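Review bot: In the `if (!exec->argumentCount())` block of arrayProtoFuncSplice (`@@ -905,8 +910,11 @@`) the new check guards the array construction, but `setLength(exec, result, 0);` two lines later is still followed directly by `return JSValue::encode(result);`; when `result` came from the species constructor, setting its length presumably can run script-defined code and throw, so `if (UNLIKELY(vm.exception())) return JSValue::encode(jsUndefined());` belongs after that call as well. The "construct, then test vm.exception()" sequence now appears a dozen times in this file alone; a small local helper or macro would make the pattern harder to get subtly wrong. arrayProtoFuncSplice's signature and the rest of its body lie outside these hunks, so I cannot see whether a later check catches this.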
<a id="trunkSourceJavaScriptCoreruntimeLiteralParsercpp"></a>
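--- a/trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp
@@ -583,6 +583,8 @@
             startParseArray:
             case StartParseArray: {
                 JSArray* array = constructEmptyArray(m_exec, 0);
+                if (UNLIKELY(m_exec->hadException()))
+                    return JSValue();
                 objectStack.append(array);
             }
             doParseArrayStartExpression: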
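Review bot: The guard added in the `StartParseArray` case is written as `m_exec->hadException()` while every other check this commit introduces reads `UNLIKELY(vm.exception())`; for consistency it could be `if (UNLIKELY(m_exec->vm().exception()))`, or use a VM reference if the parser already holds one. The state machine containing this case starts and ends outside the hunk, so I cannot see whether the corresponding object-literal case has an equivalent check after its object construction — worth confirming.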
<a id="trunkSourceJavaScriptCoreruntimeModuleLoaderObjectcpp"></a>
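--- a/trunk/Source/JavaScriptCore/runtime/ModuleLoaderObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ModuleLoaderObject.cpp
@@ -297,6 +297,8 @@
         return JSValue::encode(constructEmptyArray(exec, nullptr));
 
     JSArray* result = constructEmptyArray(exec, nullptr, moduleRecord->requestedModules().size());
+    if (UNLIKELY(exec->hadException()))
+        JSValue::encode(jsUndefined());
     size_t i = 0;
     for (auto& key : moduleRecord->requestedModules())
         result->putDirectIndex(exec, i++, jsString(exec, key.get()));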
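Review bot: The added check is missing its `return`: `JSValue::encode(jsUndefined());` on its own computes a value and discards it, so when constructEmptyArray() fails the function carries on and dereferences `result` in the `putDirectIndex` loop — the very crash this commit sets out to fix. It should read `return JSValue::encode(jsUndefined());`. The early `return JSValue::encode(constructEmptyArray(exec, nullptr));` two lines above also passes the constructor's result through unchecked; whether that is acceptable depends on how the caller treats the result when an exception is pending, which is not visible here.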
<a id="trunkSourceJavaScriptCoreruntimeObjectConstructorcpp"></a>
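--- a/trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
@@ -703,12 +703,15 @@
 // FIXME: Use the enumeration cache.
 JSArray* ownPropertyKeys(ExecState* exec, JSObject* object, PropertyNameMode propertyNameMode, DontEnumPropertiesMode dontEnumPropertiesMode)
 {
+    VM& vm = exec->vm();
     PropertyNameArray properties(exec, propertyNameMode);
-    object->methodTable(exec->vm())->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
-    if (exec->hadException())
+    object->methodTable(vm)->getOwnPropertyNames(object, exec, properties, EnumerationMode(dontEnumPropertiesMode));
+    if (UNLIKELY(vm.exception()))
         return nullptr;
 
     JSArray* keys = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     switch (propertyNameMode) {
     case PropertyNameMode::Strings: {
@@ -727,7 +730,7 @@
             const auto& identifier = properties[i];
             ASSERT(identifier.isSymbol());
             if (!exec->propertyNames().isPrivateName(identifier))
-                keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+                keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
         }
         break;
     }
@@ -746,7 +749,7 @@
 
         // To ensure the order defined in the spec (9.1.12), we append symbols at the last elements of keys.
         for (const auto& identifier : propertySymbols)
-            keys->push(exec, Symbol::create(exec->vm(), static_cast<SymbolImpl&>(*identifier.impl())));
+            keys->push(exec, Symbol::create(vm, static_cast<SymbolImpl&>(*identifier.impl())));
 
         break;
     }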
<a id="trunkSourceJavaScriptCoreruntimeRegExpObjectcpp"></a>
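--- a/trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp
@@ -179,6 +179,8 @@
     static unsigned maxSizeForDirectPath = 100000;
     
     JSArray* array = constructEmptyArray(exec, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return jsUndefined();
 
     auto iterate = [&] () {
         size_t end = result.end;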
<a id="trunkSourceJavaScriptCoreruntimeRegExpPrototypecpp"></a>
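--- a/trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
@@ -563,6 +563,8 @@
     // 11. Let A be ArrayCreate(0).
     // 12. Let lengthA be 0.
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
     unsigned resultLength = 0;
 
     // 13. If limit is undefined, let lim be 2^32-1; else let lim be ? ToUint32(limit).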
<a id="trunkSourceJavaScriptCoreruntimeStringPrototypecpp"></a>
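--- a/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -1082,19 +1082,22 @@
 // ES 21.1.3.17 String.prototype.split(separator, limit)
 EncodedJSValue JSC_HOST_CALL stringProtoFuncSplitFast(ExecState* exec)
 {
+    VM& vm = exec->vm();
     JSValue thisValue = exec->thisValue();
     ASSERT(checkObjectCoercible(thisValue));
 
     // 3. Let S be the result of calling ToString, giving it the this value as its argument.
     // 7. Let s be the number of characters in S.
     String input = thisValue.toString(exec)->value(exec);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
     ASSERT(!input.isNull());
 
     // 4. Let A be a new array created as if by the expression new Array()
     //    where Array is the standard built-in constructor with that name.
     JSArray* result = constructEmptyArray(exec, 0);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(jsUndefined());
 
     // 5. Let lengthA be 0.
     unsigned resultLength = 0;
@@ -1110,7 +1113,7 @@
     //    otherwise let R = ToString(separator).
     JSValue separatorValue = exec->uncheckedArgument(0);
     String separator = separatorValue.toString(exec)->value(exec);
-    if (exec->hadException())
+    if (UNLIKELY(vm.exception()))
         return JSValue::encode(jsUndefined());
 
     // 10. If lim == 0, return A.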
<a id="trunkSourceJavaScriptCoreruntimeTemplateRegistrycpp"></a>
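--- a/trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
@@ -45,9 +45,14 @@
     if (cached)
         return cached;
 
+    VM& vm = exec->vm();
     unsigned count = templateKey.cookedStrings().size();
     JSArray* templateObject = constructEmptyArray(exec, nullptr, count);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     JSArray* rawObject = constructEmptyArray(exec, nullptr, count);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
 
     for (unsigned index = 0; index < count; ++index) {
         templateObject->putDirectIndex(exec, index, jsString(exec, templateKey.cookedStrings()[index]), ReadOnly | DontDelete, PutDirectIndexLikePutDirect);
@@ -57,7 +62,7 @@
     objectConstructorFreeze(exec, rawObject);
     ASSERT(!exec->hadException());
 
-    templateObject->putDirect(exec->vm(), exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
+    templateObject->putDirect(vm, exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
 
     objectConstructorFreeze(exec, templateObject);
     ASSERT(!exec->hadException());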
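Review bot: Returning `nullptr` after a failed constructEmptyArray() is a new failure value for this function, whose signature and callers lie outside the hunk; confirm that every caller checks the result (or the pending exception) before dereferencing the template object, since before this change the function presumably never produced null. Now that `vm` is in scope, the two pre-existing `ASSERT(!exec->hadException());` lines in the second hunk could read `ASSERT(!vm.exception());` to match the form used everywhere else in this commit.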
<a id="trunkSourceJavaScriptCoretestsstressregress158411js"></a>
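--- a/trunk/Source/JavaScriptCore/tests/stress/regress-158411.js
+++ b/trunk/Source/JavaScriptCore/tests/stress/regress-158411.js
@@ -0,0 +1,11 @@
+//@ defaultNoSamplingProfilerRun
+
+// Should not crash.
+try {
+    function foo(){
+        [].slice({});
+        foo();
+    }
+    foo();
+} catch (e) {
+}
\ No newline at end of file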
<a id="trunkSourceWebCoreChangeLog"></a>
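--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2016-06-07  Mark Lam  <mark.lam@apple.com>
+
+        Need an exception check after constructEmptyArray().
+        https://bugs.webkit.org/show_bug.cgi?id=158411
+
+        Reviewed by Saam Barati.
+
+        A stress test for this was added in JavaScriptCore.
+
+        * bindings/js/IDBBindingUtilities.cpp:
+        (WebCore::toJS):
+        * bindings/js/JSCommandLineAPIHostCustom.cpp:
+        (WebCore::getJSListenerFunctions):
+        * bindings/js/JSCryptoKeySerializationJWK.cpp:
+        (WebCore::buildJSONForRSAComponents):
+        (WebCore::addBoolToJSON):
+        (WebCore::addUsagesToJSON):
+        (WebCore::JSCryptoKeySerializationJWK::serialize):
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::toJS):
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::deserialize):
+
 2016-06-07  Antoine Quint  <graouts@apple.com>
 
         The backdrop-filter property does not respect border-radius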
<a id="trunkSourceWebCorebindingsjsIDBBindingUtilitiescpp"></a>
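--- a/trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp
+++ b/trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp
@@ -88,16 +88,19 @@
         return jsUndefined();
     }
 
-    Locker<JSLock> locker(state.vm().apiLock());
+    VM& vm = state.vm();
+    Locker<JSLock> locker(vm.apiLock());
 
     switch (key->type()) {
     case KeyType::Array: {
         auto& inArray = key->array();
         unsigned size = inArray.size();
-        auto& outArray = *constructEmptyArray(&state, 0, &globalObject, size);
+        auto outArray = constructEmptyArray(&state, 0, &globalObject, size);
+        if (UNLIKELY(vm.exception()))
+            return jsUndefined();
         for (size_t i = 0; i < size; ++i)
-            outArray.putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
-        return &outArray;
+            outArray->putDirectIndex(&state, i, toJS(state, globalObject, inArray.at(i).get()));
+        return outArray;
     }
     case KeyType::String:
         return jsStringWithCache(&state, key->string());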
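Review bot: In the `KeyType::Array` case the recursive `toJS(state, globalObject, inArray.at(i).get())` call now returns `jsUndefined()` with the exception left pending when its own constructEmptyArray() fails, yet the loop keeps calling `putDirectIndex` and the function returns a partially filled array for a key that came from stored data; a per-element `if (UNLIKELY(vm.exception())) return jsUndefined();` after each `putDirectIndex` would stop at the first failure. `auto outArray` also hides that this is a `JSArray*`; spelling the type out (`JSArray* outArray = constructEmptyArray(...)`) reads more clearly next to the new exception check. The enclosing toJS() begins before this hunk.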
<a id="trunkSourceWebCorebindingsjsJSCommandLineAPIHostCustomcpp"></a>
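--- a/trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSCommandLineAPIHostCustom.cpp
@@ -67,7 +67,10 @@
 
 static JSArray* getJSListenerFunctions(ExecState& state, Document* document, const EventListenerInfo& listenerInfo)
 {
+    VM& vm = state.vm();
     JSArray* result = constructEmptyArray(&state, nullptr);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     size_t handlersCount = listenerInfo.eventListenerVector.size();
     for (size_t i = 0, outputIndex = 0; i < handlersCount; ++i) {
         const JSEventListener* jsListener = JSEventListener::cast(listenerInfo.eventListenerVector[i].listener.get());
@@ -85,8 +88,8 @@
             continue;
 
         JSObject* listenerEntry = constructEmptyObject(&state);
-        listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "listener"), function);
-        listenerEntry->putDirect(state.vm(), Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
+        listenerEntry->putDirect(vm, Identifier::fromString(&state, "listener"), function);
+        listenerEntry->putDirect(vm, Identifier::fromString(&state, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
         result->putDirectIndex(&state, outputIndex++, JSValue(listenerEntry));
     }
     return result;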
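Review bot: `getJSListenerFunctions` now returns `nullptr` where it previously always produced an array, and its caller is outside the hunk; confirm the caller checks for null (or for `vm.exception()`) before storing or indexing the result, otherwise the null dereference has only moved one frame up. As a side note on style, the two `Identifier::fromString(&state, "listener")` / `"useCapture"` constructions are loop-invariant and could be hoisted above the `for` loop, though that predates this change.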
<a id="trunkSourceWebCorebindingsjsJSCryptoKeySerializationJWKcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp (201786 => 201787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp        2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/JSCryptoKeySerializationJWK.cpp        2016-06-08 02:53:32 UTC (rev 201787)
</span><span class="lines">@@ -534,7 +534,10 @@
</span><span class="cx">     if (data.otherPrimeInfos().isEmpty())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     JSArray* oth = constructEmptyArray(exec, 0, exec-&gt;lexicalGlobalObject(), data.otherPrimeInfos().size());
</span><ins>+    if (UNLIKELY(vm.exception()))
+        return;
</ins><span class="cx">     for (size_t i = 0, size = data.otherPrimeInfos().size(); i &lt; size; ++i) {
</span><span class="cx">         JSObject* jsPrimeInfo = constructEmptyObject(exec);
</span><span class="cx">         addToJSON(exec, jsPrimeInfo, &quot;r&quot;, base64URLEncode(data.otherPrimeInfos()[i].primeFactor));
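Review bot: The new `if (UNLIKELY(vm.exception())) return;` silently leaves `result` without its `oth` member and relies entirely on the caller noticing the pending exception; because this helper returns void, nothing in the hunk makes that contract visible. Since `otherPrimeInfos()` holds RSA private-key CRT parameters, a JWK emitted without `oth` must never be treated as a valid serialization, so the caller has to bail out when the exception is pending. I would add `// constructEmptyArray() may leave a pending exception (presumably for an oversized length); the caller must check for it.` above the return. The enclosing function's signature is outside the hunk, so whether every caller (e.g. `serialize()`) checks `exec->hadException()` after it cannot be confirmed from here.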
</span><span class="lines">@@ -542,7 +545,7 @@
</span><span class="cx">         addToJSON(exec, jsPrimeInfo, &quot;t&quot;, base64URLEncode(data.otherPrimeInfos()[i].factorCRTCoefficient));
</span><span class="cx">         oth-&gt;putDirectIndex(exec, i, jsPrimeInfo);
</span><span class="cx">     }
</span><del>-    result-&gt;putDirect(exec-&gt;vm(), Identifier::fromString(exec, &quot;oth&quot;), oth);
</del><ins>+    result-&gt;putDirect(vm, Identifier::fromString(exec, &quot;oth&quot;), oth);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static void addBoolToJSON(ExecState* exec, JSObject* json, const char* key, bool value)
</span><span class="lines">@@ -655,7 +658,10 @@
</span><span class="cx"> 
</span><span class="cx"> static void addUsagesToJSON(ExecState* exec, JSObject* json, CryptoKeyUsage usages)
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     JSArray* keyOps = constructEmptyArray(exec, 0, exec-&gt;lexicalGlobalObject(), 0);
</span><ins>+    if (UNLIKELY(vm.exception()))
+        return;
</ins><span class="cx"> 
</span><span class="cx">     unsigned index = 0;
</span><span class="cx">     if (usages &amp; CryptoKeyUsageSign)
</span><span class="lines">@@ -675,7 +681,7 @@
</span><span class="cx">     if (usages &amp; CryptoKeyUsageDeriveBits)
</span><span class="cx">         keyOps-&gt;putDirectIndex(exec, index++, jsNontrivialString(exec, ASCIILiteral(&quot;deriveBits&quot;)));
</span><span class="cx"> 
</span><del>-    json-&gt;putDirect(exec-&gt;vm(), Identifier::fromString(exec, &quot;key_ops&quot;), keyOps);
</del><ins>+    json-&gt;putDirect(vm, Identifier::fromString(exec, &quot;key_ops&quot;), keyOps);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> String JSCryptoKeySerializationJWK::serialize(ExecState* exec, const CryptoKey&amp; key)
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMBindingh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMBinding.h (201786 => 201787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMBinding.h        2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/JSDOMBinding.h        2016-06-08 02:53:32 UTC (rev 201787)
</span><span class="lines">@@ -540,6 +540,8 @@
</span><span class="cx"> template&lt;typename T&gt; inline JSC::JSValue toJS(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, const Vector&lt;T&gt;&amp; vector)
</span><span class="cx"> {
</span><span class="cx">     JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
</span><ins>+    if (UNLIKELY(exec-&gt;hadException()))
+        return JSC::jsUndefined();
</ins><span class="cx">     for (size_t i = 0; i &lt; vector.size(); ++i)
</span><span class="cx">         array-&gt;putDirectIndex(exec, i, toJS(exec, globalObject, vector[i]));
</span><span class="cx">     return array;
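Review bot: The new check here is written as `exec->hadException()`, whereas the other hunks of this same revision (JSCryptoKeySerializationJWK.cpp and the hunk at the top of the page) cache `VM& vm = exec->vm()` and test `vm.exception()`; one spelling should be used throughout the change, e.g. `if (UNLIKELY(exec->vm().exception()))` here or `hadException()` everywhere. Separately, the loop still calls the element `toJS(exec, globalObject, vector[i])` with no check; if any element overload can throw, the loop continues with a pending exception and a partially filled array is returned — I cannot tell from this header whether that is possible, so treat it as a question rather than a defect. Returning `jsUndefined()` on the error path is only safe if every caller tests `hadException()` before using the value as an array. The same two points apply to the `Vector<RefPtr<T>>` overload in the next hunk.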
</span><span class="lines">@@ -548,6 +550,8 @@
</span><span class="cx"> template&lt;typename T&gt; inline JSC::JSValue toJS(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, const Vector&lt;RefPtr&lt;T&gt;&gt;&amp; vector)
</span><span class="cx"> {
</span><span class="cx">     JSC::JSArray* array = constructEmptyArray(exec, nullptr, vector.size());
</span><ins>+    if (UNLIKELY(exec-&gt;hadException()))
+        return JSC::jsUndefined();
</ins><span class="cx">     for (size_t i = 0; i &lt; vector.size(); ++i)
</span><span class="cx">         array-&gt;putDirectIndex(exec, i, toJS(exec, globalObject, vector[i].get()));
</span><span class="cx">     return array;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsSerializedScriptValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (201786 => 201787)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp        2016-06-08 02:47:44 UTC (rev 201786)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp        2016-06-08 02:53:32 UTC (rev 201787)
</span><span class="lines">@@ -2463,6 +2463,8 @@
</span><span class="cx">                 goto error;
</span><span class="cx">             }
</span><span class="cx">             JSArray* outArray = constructEmptyArray(m_exec, 0, m_globalObject, length);
</span><ins>+            if (UNLIKELY(m_exec-&gt;hadException()))
+                goto error;
</ins><span class="cx">             m_gcBuffer.append(outArray);
</span><span class="cx">             outputObjectStack.append(outArray);
</span><span class="cx">         }
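Review bot: The `goto error` after `constructEmptyArray(m_exec, 0, m_globalObject, length)` is the right response, but nothing in the hunk records why it is needed, and this is the one place in the revision where the length is presumably attacker-controlled (it appears to be read from the serialized payload, as the `goto error` just above suggests a preceding validation step). I would add `// length comes from the serialized input; constructEmptyArray() throws when it is too large, and a null outArray must never reach m_gcBuffer or outputObjectStack.` so the next reader does not remove the check as redundant. Whether `constructEmptyArray()` returns null on that path is inferred, not visible here. Also worth confirming that the `error:` label (outside the hunk) is prepared to run with an exception already pending on `m_exec` rather than raising a second one on top of it.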
</span></span></pre>
</div>
</div>

</body>
</html>