Title: [91290] trunk
Revision
91290
Author
[email protected]
Date
2011-07-19 13:03:13 -0700 (Tue, 19 Jul 2011)

Log Message

Source/JavaScriptCore: [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
https://bugs.webkit.org/show_bug.cgi?id=63918

Patch by Mark Hahnenberg <[email protected]> on 2011-07-19
Reviewed by Darin Adler.

When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
method due to additional string copying within several of the constructors when dealing with 
UStrings.  This has been added to the UString version of the appendStringInConstruct method 
within the JSString class.

* runtime/JSString.h:
(JSC::RopeBuilder::JSString):
(JSC::RopeBuilder::appendStringInConstruct):

LayoutTests: Chromium rebaselines r91269 and r91277.

Patch by Ryosuke Niwa <[email protected]> on 2011-07-19

* platform/chromium-linux/svg/W3C-SVG-1.1-SE/styling-pres-02-f-expected.png: Added.
* platform/chromium-mac/fast/table/align-right-within-left-aligned-div-expected.png: Added.
* platform/chromium-mac/fast/table/align-right-within-left-aligned-div-expected.txt: Added.
* platform/chromium-mac/svg/W3C-SVG-1.1-SE/styling-pres-02-f-expected.png: Added.
* platform/chromium-win/svg/W3C-SVG-1.1-SE/styling-pres-02-f-expected.png: Added.


Diff

Modified: trunk/LayoutTests/ChangeLog (91289 => 91290)


--- trunk/LayoutTests/ChangeLog	2011-07-19 19:55:02 UTC (rev 91289)
+++ trunk/LayoutTests/ChangeLog	2011-07-19 20:03:13 UTC (rev 91290)
@@ -31,6 +31,21 @@
 
 2011-07-19  Gavin Barraclough  <[email protected]>
 
+        https://bugs.webkit.org/show_bug.cgi?id=64679
+        Fix bugs in Array.prototype this handling.
+
+        Reviewed by Oliver Hunt.
+
+        * fast/js/array-prototype-properties-expected.txt: Added.
+        * fast/js/array-prototype-properties.html: Added.
+        * fast/js/script-tests/array-prototype-properties.js: Added.
+            - Added layout test for array prototype functions with undefined as this value.
+        * ietestcenter/_javascript_/15.4.4.14-5-28-expected.txt:
+        * ietestcenter/_javascript_/15.4.4.15-5-28-expected.txt:
+            - These tests now pass.
+
+2011-07-19  Gavin Barraclough  <[email protected]>
+
         https://bugs.webkit.org/show_bug.cgi?id=64677
         Fix bugs in String.prototype this handling.
 

Added: trunk/LayoutTests/fast/js/array-prototype-properties-expected.txt (0 => 91290)


--- trunk/LayoutTests/fast/js/array-prototype-properties-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/array-prototype-properties-expected.txt	2011-07-19 20:03:13 UTC (rev 91290)
@@ -0,0 +1,30 @@
+This is a test case for bug 64679.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Array.prototype.toString.call(undefined) threw exception TypeError: Type error.
+PASS Array.prototype.toLocaleString.call(undefined) threw exception TypeError: Type error.
+PASS Array.prototype.concat.call(undefined, []) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.concat.call(undefined, [])').
+PASS Array.prototype.join.call(undefined, []) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.join.call(undefined, [])').
+PASS Array.prototype.pop.call(undefined) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.pop.call(undefined)').
+PASS Array.prototype.push.call(undefined, {}) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.push.call(undefined, {})').
+PASS Array.prototype.reverse.call(undefined) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.reverse.call(undefined)').
+PASS Array.prototype.shift.call(undefined) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.shift.call(undefined)').
+PASS Array.prototype.slice.call(undefined, 0, 1) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.slice.call(undefined, 0, 1)').
+PASS Array.prototype.sort.call(undefined) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.sort.call(undefined)').
+PASS Array.prototype.splice.call(undefined, 0, 1) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.splice.call(undefined, 0, 1)').
+PASS Array.prototype.unshift.call(undefined, {}) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.unshift.call(undefined, {})').
+PASS Array.prototype.every.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.every.call(undefined, toString)').
+PASS Array.prototype.forEach.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.forEach.call(undefined, toString)').
+PASS Array.prototype.some.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.some.call(undefined, toString)').
+PASS Array.prototype.indexOf.call(undefined, 0) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.indexOf.call(undefined, 0)').
+PASS Array.prototype.indlastIndexOfexOf.call(undefined, 0) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.indlastIndexOfexOf.call').
+PASS Array.prototype.filter.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.filter.call(undefined, toString)').
+PASS Array.prototype.reduce.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.reduce.call(undefined, toString)').
+PASS Array.prototype.reduceRight.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.reduceRight.call(undefined, toString)').
+PASS Array.prototype.map.call(undefined, toString) threw exception TypeError: 'undefined' is not an object (evaluating 'Array.prototype.map.call(undefined, toString)').
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
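Review bot: the expectation line for the lastIndexOf case records the misspelled name `Array.prototype.indlastIndexOfexOf.call`, so the TypeError it captures comes from calling `.call` on a non-existent property, not from lastIndexOf's this handling; that PASS is vacuous, and this file should be regenerated once the script is fixed to call `Array.prototype.lastIndexOf.call(undefined, 0)`. Also worth a look: the toString and toLocaleString entries report `TypeError: Type error.` while every other entry reports `'undefined' is not an object`, which suggests those two reach a different check than the functions changed in ArrayPrototype.cpp.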

Added: trunk/LayoutTests/fast/js/array-prototype-properties.html (0 => 91290)


--- trunk/LayoutTests/fast/js/array-prototype-properties.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/array-prototype-properties.html	2011-07-19 20:03:13 UTC (rev 91290)
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src=""
+<script src=""
+</body>
+</html>
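Review bot: as rendered here, the `<link rel="stylesheet" href=""` tag and the three `<script src=""` tags carry empty paths and no closing `>`, so the page would load neither the stylesheet nor the harness and test scripts, and `description` and `shouldThrow` would be undefined when the test runs; if this is an artifact of how the page was captured it can be ignored, otherwise the paths need restoring before landing.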

Added: trunk/LayoutTests/fast/js/script-tests/array-prototype-properties.js (0 => 91290)


--- trunk/LayoutTests/fast/js/script-tests/array-prototype-properties.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/array-prototype-properties.js	2011-07-19 20:03:13 UTC (rev 91290)
@@ -0,0 +1,28 @@
+description(
+'This is a test case for <a https://bugs.webkit.org/show_bug.cgi?id=64679">bug 64679</a>.'
+);
+
+// These calls pass undefined as this value, and as such should show in toObject.
+shouldThrow("Array.prototype.toString.call(undefined)");
+shouldThrow("Array.prototype.toLocaleString.call(undefined)");
+shouldThrow("Array.prototype.concat.call(undefined, [])");
+shouldThrow("Array.prototype.join.call(undefined, [])");
+shouldThrow("Array.prototype.pop.call(undefined)");
+shouldThrow("Array.prototype.push.call(undefined, {})");
+shouldThrow("Array.prototype.reverse.call(undefined)");
+shouldThrow("Array.prototype.shift.call(undefined)");
+shouldThrow("Array.prototype.slice.call(undefined, 0, 1)");
+shouldThrow("Array.prototype.sort.call(undefined)");
+shouldThrow("Array.prototype.splice.call(undefined, 0, 1)");
+shouldThrow("Array.prototype.unshift.call(undefined, {})");
+shouldThrow("Array.prototype.every.call(undefined, toString)");
+shouldThrow("Array.prototype.forEach.call(undefined, toString)");
+shouldThrow("Array.prototype.some.call(undefined, toString)");
+shouldThrow("Array.prototype.indexOf.call(undefined, 0)");
+shouldThrow("Array.prototype.indlastIndexOfexOf.call(undefined, 0)");
+shouldThrow("Array.prototype.filter.call(undefined, toString)");
+shouldThrow("Array.prototype.reduce.call(undefined, toString)");
+shouldThrow("Array.prototype.reduceRight.call(undefined, toString)");
+shouldThrow("Array.prototype.map.call(undefined, toString)");
+
+var successfullyParsed = true;
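Review bot: the line `shouldThrow("Array.prototype.indlastIndexOfexOf.call(undefined, 0)")` is a typo (it reads as if `lastIndexOf` was pasted into the middle of `indexOf`); `Array.prototype.indlastIndexOfexOf` is undefined, so `.call` throws a TypeError with or without the fix and arrayProtoFuncLastIndexOf is never exercised. It should read `shouldThrow("Array.prototype.lastIndexOf.call(undefined, 0)")`. Two smaller points: the description anchor `<a https://bugs.webkit.org/show_bug.cgi?id=64679">` is missing `href="`, and the comment `should show in toObject` presumably means `should throw in toObject`.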

Modified: trunk/LayoutTests/ietestcenter/_javascript_/15.4.4.14-5-28-expected.txt (91289 => 91290)


--- trunk/LayoutTests/ietestcenter/_javascript_/15.4.4.14-5-28-expected.txt	2011-07-19 19:55:02 UTC (rev 91289)
+++ trunk/LayoutTests/ietestcenter/_javascript_/15.4.4.14-5-28-expected.txt	2011-07-19 20:03:13 UTC (rev 91290)
@@ -4,7 +4,7 @@
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/ietestcenter/_javascript_/15.4.4.15-5-28-expected.txt (91289 => 91290)


--- trunk/LayoutTests/ietestcenter/_javascript_/15.4.4.15-5-28-expected.txt	2011-07-19 19:55:02 UTC (rev 91289)
+++ trunk/LayoutTests/ietestcenter/_javascript_/15.4.4.15-5-28-expected.txt	2011-07-19 20:03:13 UTC (rev 91290)
@@ -4,7 +4,7 @@
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/Source/_javascript_Core/ChangeLog (91289 => 91290)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-19 19:55:02 UTC (rev 91289)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-19 20:03:13 UTC (rev 91290)
@@ -16,6 +16,35 @@
 
 2011-07-19  Gavin Barraclough  <[email protected]>
 
+        https://bugs.webkit.org/show_bug.cgi?id=64679
+        Fix bugs in Array.prototype this handling.
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncJoin):
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncPop):
+        (JSC::arrayProtoFuncPush):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::arrayProtoFuncShift):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSort):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        (JSC::arrayProtoFuncFilter):
+        (JSC::arrayProtoFuncMap):
+        (JSC::arrayProtoFuncEvery):
+        (JSC::arrayProtoFuncForEach):
+        (JSC::arrayProtoFuncSome):
+        (JSC::arrayProtoFuncReduce):
+        (JSC::arrayProtoFuncReduceRight):
+        (JSC::arrayProtoFuncIndexOf):
+        (JSC::arrayProtoFuncLastIndexOf):
+            - These methods should throw if this value is undefined.
+
+2011-07-19  Gavin Barraclough  <[email protected]>
+
         https://bugs.webkit.org/show_bug.cgi?id=64677
         Fix bugs in String.prototype this handling.
 

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (91289 => 91290)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2011-07-19 19:55:02 UTC (rev 91289)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2011-07-19 20:03:13 UTC (rev 91290)
@@ -267,7 +267,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
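Review bot: in arrayProtoFuncJoin, and in the sibling functions below that follow the same shape, `hadException()` is checked only after `thisObj->get(exec, exec->propertyNames().length)` has already been called on the pointer returned by `toObject(exec)`; that is safe only if `toObject` returns a usable non-null object when it throws on an undefined or null this value. The concat hunk checks `hadException()` immediately after `toObject`; doing the same here, or adding a comment stating the invariant being relied on, would make the intent clear to the next reader.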
@@ -337,7 +337,9 @@
     JSValue thisValue = exec->hostThisValue();
     JSArray* arr = constructEmptyArray(exec);
     unsigned n = 0;
-    JSValue curArg = thisValue.toThisObject(exec);
+    JSValue curArg = thisValue.toObject(exec);
+    if (exec->hadException())
+        return JSValue::encode(jsUndefined());
     size_t i = 0;
     size_t argCount = exec->argumentCount();
     while (1) {
@@ -369,7 +371,7 @@
     if (isJSArray(&exec->globalData(), thisValue))
         return JSValue::encode(asArray(thisValue)->pop());
 
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = thisValue.toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -396,7 +398,7 @@
         return JSValue::encode(jsNumber(array->length()));
     }
 
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = thisValue.toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -418,7 +420,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -444,13 +446,12 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
-    JSValue result;
-
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
 
+    JSValue result;
     if (length == 0) {
         putProperty(exec, thisObj, exec->propertyNames().length, jsNumber(length));
         result = jsUndefined();
@@ -475,16 +476,15 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec)
 {
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
+    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+    if (exec->hadException())
+        return JSValue::encode(jsUndefined());
 
     // We return a new array
     JSArray* resObj = constructEmptyArray(exec);
     JSValue result = resObj;
 
-    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    if (exec->hadException())
-        return JSValue::encode(jsUndefined());
-
     unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
     unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);
 
@@ -499,7 +499,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSort(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (!length || exec->hadException())
         return JSValue::encode(thisObj);
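Review bot: in arrayProtoFuncSort the combined `if (!length || exec->hadException()) return JSValue::encode(thisObj);` returns the object produced by `toObject(exec)` on the exception path, whereas every other function in this patch returns `jsUndefined()` when an exception is pending. The return value is discarded once the exception propagates, so this is a consistency point rather than a bug, but splitting the condition (`if (exec->hadException()) return JSValue::encode(jsUndefined());` followed by `if (!length) return JSValue::encode(thisObj);`) keeps the behaviour uniform across the file.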
@@ -561,7 +561,7 @@
 {
     // 15.4.4.12
 
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -629,7 +629,7 @@
 {
     // 15.4.4.13
 
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -656,7 +656,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncFilter(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -715,7 +715,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncMap(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -777,7 +777,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -835,7 +835,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncForEach(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -885,7 +885,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -942,7 +942,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduce(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -1017,7 +1017,7 @@
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduceRight(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -1092,7 +1092,7 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncIndexOf(ExecState* exec)
 {
     // 15.4.4.14
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
@@ -1113,7 +1113,7 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncLastIndexOf(ExecState* exec)
 {
     // 15.4.4.15
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (!length)
         return JSValue::encode(jsNumber(-1));
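Review bot: arrayProtoFuncLastIndexOf is the one function in this patch with no `hadException()` check after the `length` read: it goes straight to `if (!length) return JSValue::encode(jsNumber(-1));`. When `toObject(exec)` throws on an undefined this value the pending exception still propagates, so the observable result is a TypeError, but the function proceeds past the `length` read with whatever `toObject` returned; adding `if (exec->hadException()) return JSValue::encode(jsUndefined());` as in arrayProtoFuncIndexOf directly above would match the rest of the file. Note that the `indlastIndexOfexOf` typo in the new layout test means this path is currently untested.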
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
