Title: [205230] branches/safari-602-branch

Diff

Modified: branches/safari-602-branch/LayoutTests/ChangeLog (205229 => 205230)


--- branches/safari-602-branch/LayoutTests/ChangeLog	2016-08-31 07:20:03 UTC (rev 205229)
+++ branches/safari-602-branch/LayoutTests/ChangeLog	2016-08-31 07:20:09 UTC (rev 205230)
@@ -1,5 +1,22 @@
 2016-08-30  Babak Shafiei  <[email protected]>
 
+        Merge r203952. rdar://problem/27991571
+
+    2016-07-30  Mark Lam  <[email protected]>
+
+            Assertion failure while setting the length of an ArrayClass array.
+            https://bugs.webkit.org/show_bug.cgi?id=160381
+            <rdar://problem/27328703>
+
+            Reviewed by Filip Pizlo.
+
+            Test that RuntimeArrays will throw an error if we try to set its length.
+
+            * platform/mac/fast/dom/wrapper-classes-objc.html:
+            * platform/mac/fast/dom/wrapper-classes-objc-expected.txt:
+
+2016-08-30  Babak Shafiei  <[email protected]>
+
         Merge r203542. rdar://problem/27991570
 
     2016-07-21  John Wilander  <[email protected]>

Modified: branches/safari-602-branch/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc-expected.txt (205229 => 205230)


--- branches/safari-602-branch/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc-expected.txt	2016-08-31 07:20:03 UTC (rev 205229)
+++ branches/safari-602-branch/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc-expected.txt	2016-08-31 07:20:09 UTC (rev 205230)
@@ -191,4 +191,9 @@
 PASS typeof objCObjectOfClass('WebScriptObject') is 'object'
 PASS objCObjectOfClass('NSArray') instanceof Array is true
 PASS concatenateArray(objCArrayOfString()) is 'onetwothree'
+PASS let arr = objCArrayOfString(); arr.length is 3
+PASS let arr = objCArrayOfString(); arr.length = 0 threw exception RangeError: Range error.
+PASS let arr = objCArrayOfString(); arr.length = 5 threw exception RangeError: Range error.
+PASS let arr = objCArrayOfString(); arr.length = 0x40000000 threw exception RangeError: Range error.
+PASS let arr = objCArrayOfString(); try { arr.length = 0 } catch(e) { } arr.length is 3
 

Modified: branches/safari-602-branch/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc.html (205229 => 205230)


--- branches/safari-602-branch/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc.html	2016-08-31 07:20:03 UTC (rev 205229)
+++ branches/safari-602-branch/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc.html	2016-08-31 07:20:09 UTC (rev 205230)
@@ -290,6 +290,12 @@
 
     shouldBe("concatenateArray(objCArrayOfString())", "'onetwothree'");
 
+    shouldBe("let arr = objCArrayOfString(); arr.length", "3");
+    shouldThrow("let arr = objCArrayOfString(); arr.length = 0");
+    shouldThrow("let arr = objCArrayOfString(); arr.length = 5");
+    shouldThrow("let arr = objCArrayOfString(); arr.length = 0x40000000");
+    shouldBe("let arr = objCArrayOfString(); try { arr.length = 0 } catch(e) { } arr.length", "3");
+
     // Not yet tested:
 
     // CSSCharsetRule
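Review bot: The three `shouldThrow` calls added after the `concatenateArray` check pass no expected exception, so the RangeError type is pinned only by the text diff against wrapper-classes-objc-expected.txt. If the harness's `shouldThrow` accepts an expected-exception argument, passing it would make the script itself fail when a different exception is thrown, for example `shouldThrow("let arr = objCArrayOfString(); arr.length = 0", "'RangeError: Range error.'");`. The enclosing test function starts and ends outside the hunk.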

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (205229 => 205230)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-08-31 07:20:03 UTC (rev 205229)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-08-31 07:20:09 UTC (rev 205230)
@@ -1,5 +1,39 @@
 2016-08-30  Babak Shafiei  <[email protected]>
 
+        Merge r203952. rdar://problem/27991571
+
+    2016-07-30  Mark Lam  <[email protected]>
+
+            Assertion failure while setting the length of an ArrayClass array.
+            https://bugs.webkit.org/show_bug.cgi?id=160381
+            <rdar://problem/27328703>
+
+            Reviewed by Filip Pizlo.
+
+            When setting large length values, we're currently treating ArrayClass as a
+            ContiguousIndexingType array.  This results in an assertion failure.  This is
+            now fixed.
+
+            There are currently only 2 places where we create arrays with indexing type
+            ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray:;setLength()
+            takes care of ArrayPrototype.
+
+            RuntimeArray already checks for the setting of its length property, and will
+            throw a RangeError.  Hence, there's no change is needed for the RuntimeArray.
+            Instead, I added some test cases ensure that the check and throw behavior does
+            not change without notice.
+
+            * runtime/JSArray.cpp:
+            (JSC::JSArray::setLength):
+            * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
+            (toString):
+            (assertEqual):
+            * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
+            (toString):
+            (assertEqual):
+
+2016-08-30  Babak Shafiei  <[email protected]>
+
         Merge r203853. rdar://problem/27991580
 
     2016-07-28  Mark Lam  <[email protected]>

Modified: branches/safari-602-branch/Source/_javascript_Core/runtime/JSArray.cpp (205229 => 205230)


--- branches/safari-602-branch/Source/_javascript_Core/runtime/JSArray.cpp	2016-08-31 07:20:03 UTC (rev 205229)
+++ branches/safari-602-branch/Source/_javascript_Core/runtime/JSArray.cpp	2016-08-31 07:20:09 UTC (rev 205230)
@@ -441,7 +441,7 @@
         if (newLength >= MIN_SPARSE_ARRAY_INDEX) {
             return setLengthWithArrayStorage(
                 exec, newLength, throwException,
-                convertContiguousToArrayStorage(exec->vm()));
+                ensureArrayStorage(exec->vm()));
         }
         createInitialUndecided(exec->vm(), newLength);
         return true;
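Review bot: The new `ensureArrayStorage(exec->vm())` call has no comment explaining why the generic helper is required, and the `case` label that selects this branch is outside the hunk, so a reader cannot see that it is reached with an ArrayClass object. According to the ChangeLog, the old `convertContiguousToArrayStorage` call tripped an assertion because the object was not Contiguous. In builds where assertions are compiled out, that indexing-type mismatch would presumably have gone unchecked, which makes the reason worth recording at the call site. I would add above the `return`: `// ArrayClass is not Contiguous here; ensureArrayStorage() converts from whatever the current indexing type is.`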

Added: branches/safari-602-branch/Source/_javascript_Core/tests/stress/array-setLength-on-ArrayClass-with-large-length.js (0 => 205230)


--- branches/safari-602-branch/Source/_javascript_Core/tests/stress/array-setLength-on-ArrayClass-with-large-length.js	                        (rev 0)
+++ branches/safari-602-branch/Source/_javascript_Core/tests/stress/array-setLength-on-ArrayClass-with-large-length.js	2016-08-31 07:20:09 UTC (rev 205230)
@@ -0,0 +1,19 @@
+//@ runDefault
+// This test should not crash
+
+function assertEqual(actual, expected) {
+    function toString(x) {
+        return '' + x;
+    }
+    if (typeof actual != typeof expected)
+        throw Error("Failed: typeof expected: '" + typeof(expected) + "', typeof actual: '" + typeof(actual) + "'");;
+    
+    if (toString(actual) != toString(expected))
+        throw Error("Failed: expected: '" + toString(expected) + "', actual: '" + toString(actual) + "'");;
+}
+
+assertEqual(Array.prototype.length, 0);
+
+Array.prototype.length = 0x40000000;
+
+assertEqual(Array.prototype.length, 0x40000000);
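Review bot: This test assigns only `0x40000000` to `Array.prototype.length`, so the `newLength >= MIN_SPARSE_ARRAY_INDEX` branch that contains the JSArray.cpp fix is exercised well above the threshold but never at it. A case at the threshold and one just below it would pin which path each side takes. Both `throw Error(...)` lines end in a stray `;;`, and `assertEqual` is duplicated verbatim, with the same `;;`, in array-setLength-on-ArrayClass-with-small-length.js. A one-line comment such as `// Array.prototype has indexing type ArrayClass; setting a large length used to assert.` would say more than `// This test should not crash`.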

Added: branches/safari-602-branch/Source/_javascript_Core/tests/stress/array-setLength-on-ArrayClass-with-small-length.js (0 => 205230)


--- branches/safari-602-branch/Source/_javascript_Core/tests/stress/array-setLength-on-ArrayClass-with-small-length.js	                        (rev 0)
+++ branches/safari-602-branch/Source/_javascript_Core/tests/stress/array-setLength-on-ArrayClass-with-small-length.js	2016-08-31 07:20:09 UTC (rev 205230)
@@ -0,0 +1,19 @@
+//@ runDefault
+// This test should not crash
+
+function assertEqual(actual, expected) {
+    function toString(x) {
+        return '' + x;
+    }
+    if (typeof actual != typeof expected)
+        throw Error("Failed: typeof expected: '" + typeof(expected) + "', typeof actual: '" + typeof(actual) + "'");;
+    
+    if (toString(actual) != toString(expected))
+        throw Error("Failed: expected: '" + toString(expected) + "', actual: '" + toString(actual) + "'");;
+}
+
+assertEqual(Array.prototype.length, 0);
+
+Array.prototype.length = 5;
+
+assertEqual(Array.prototype.length, 5);