Attachment 370440 Details for Bug 198138 – Patch

[patch] Patch

bug-198138-20190522225747.patch (text/plain), 3.29 KB, created by Tadeu Zagallo on 2019-05-22 13:57:49 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Tadeu Zagallo

Created: 2019-05-22 13:57:49 PDT

Size: 3.29 KB

patch

obsolete

>Subversion Revision: 245643
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 82012057c9168d5fa9f5ae854d04e223e55f75f0..83b6ac25c1fcb94edf6d20cb27f8740c78665c24 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,17 @@
>+2019-05-21  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        createListFromArrayLike should throw if value is not an object
>+        https://bugs.webkit.org/show_bug.cgi?id=198138
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        According to the spec[1], createListFromArrayLike should throw a type error if the array-like value
>+        passed in is not an object.
>+        [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-createlistfromarraylike
>+
>+        * runtime/JSObjectInlines.h:
>+        (JSC::createListFromArrayLike):
>+
> 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
> 
>         Don't clear PropertyNameArray in Proxy code
>diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h
>index 83dc23dc8cbb5b981e8afc9147899316b7ccc31c..46929d3c353d196f6e73dd43a9ff87262ec45dcd 100644
>--- a/Source/JavaScriptCore/runtime/JSObjectInlines.h
>+++ b/Source/JavaScriptCore/runtime/JSObjectInlines.h
>@@ -37,6 +37,11 @@ void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTyp
> {
>     VM& vm = exec->vm();
>     auto scope = DECLARE_THROW_SCOPE(vm);
>+
>+    if (!arrayLikeValue.isObject()) {
>+        throwTypeError(exec, scope, errorMessage);
>+        return;
>+    }
>     
>     Vector<JSValue> result;
>     JSValue lengthProperty = arrayLikeValue.get(exec, vm.propertyNames->length);
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index 3ed2abf84ebe76c10c6105401f3c9e85058a7482..831527df92adf9a7089af05d0ccc513afa4b3283 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,14 @@
>+2019-05-21  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        createListFromArrayLike should throw if value is not an object
>+        https://bugs.webkit.org/show_bug.cgi?id=198138
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * stress/create-list-from-array-like-not-object.js: Added.
>+        (testValid):
>+        (testInvalid):
>+
> 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
> 
>         Don't clear PropertyNameArray in Proxy code
>diff --git a/JSTests/stress/create-list-from-array-like-not-object.js b/JSTests/stress/create-list-from-array-like-not-object.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..e327cb93f19223e241ff96f2c394781e49e59cc4
>--- /dev/null
>+++ b/JSTests/stress/create-list-from-array-like-not-object.js
>@@ -0,0 +1,26 @@
>+function testValid(value) {
>+    const foo = {x: 0};
>+    foo.__proto__ = new Proxy({}, { ownKeys() { return value; } });
>+    for (const x in foo) { }
>+}
>+
>+testValid({});
>+testValid([]);
>+testValid(["x", Symbol("y")]);
>+testValid({ length: 1, 0: 'x' });
>+
>+function testInvalid(value) {
>+    try {
>+        testValid(value);
>+        throw new Error('should have thrown');
>+    } catch (err) {
>+        if (err.message !== "Proxy handler's 'ownKeys' method must return an array-like object containing only Strings and Symbols")
>+            throw new Error("Expected createListFromArrayLike error");
>+    }
>+}
>+
>+testInvalid(true);
>+testInvalid(false);
>+testInvalid(null);
>+testInvalid(0);
>+testInvalid([{}]);

Actions: View | Formatted Diff | Diff

Attachments on bug 198138: 370440 | 370448 | 370492