Title: [214815] releases/WebKitGTK/webkit-2.16
Revision
214815
Author
carlo...@webkit.org
Date
2017-04-03 10:29:09 -0700 (Mon, 03 Apr 2017)

Log Message

Merge r214714 - Object with numerical keys with gaps gets filled by NaN values
https://bugs.webkit.org/show_bug.cgi?id=164412

Reviewed by Mark Lam.

This patch fixes an issue when an object has two properties
whose names are numbers. The issue appears when, during invocation of
convertDoubleToArrayStorage, the array is filled by pNaN and
the method converts it to a real NaN. This happens because a
pNaN in a Double array is a hole, and Double arrays cannot
have NaN values. To fix the issue we need to check the value and
clear it if it is pNaN.

Source/_javascript_Core:
* runtime/JSObject.cpp:
(JSC::JSObject::convertDoubleToArrayStorage):

JSTests:
* stress/object-number-properties.js: Added.
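The failure mode described in the log message, sparse numeric keys whose gaps come back as NaN-valued own properties once the object leaves Double storage, can be probed generically from script. The block below is an added example, not code from the WebKit patch or its regression test: it builds objects from constructed key/value lists (shapes borrowed from the stress test), then reports any index that became an own property without being assigned and any NaN that was not assigned as NaN. The function names and sample entries are this example's own assumptions.

```javascript
// Added example, not part of the WebKit patch: a generic probe for the
// "gaps get filled by NaN" failure mode in the commit message. Objects
// are built from sparse numeric keys with double values (the kind of
// object that starts out as a Double array in JSC); the report lists any
// index that exists without having been assigned, and any NaN value that
// was not assigned as NaN. Names below are this example's own.

function buildSparseDoubleObject(entries) {
    const o = {};
    for (const [key, value] of entries)
        o[key] = value;
    return o;
}

function findPhantomHoles(entries) {
    const obj = buildSparseDoubleObject(entries);
    const expected = new Map(entries.map(([k, v]) => [String(k), v]));
    const maxIndex = Math.max(...entries.map(([k]) => Number(k)));

    // Any own property in [0, maxIndex] that we never assigned is a
    // hole that the engine materialised by mistake.
    const phantomIndices = [];
    for (let i = 0; i <= maxIndex; i++) {
        const key = String(i);
        if (Object.prototype.hasOwnProperty.call(obj, key) && !expected.has(key))
            phantomIndices.push(i);
    }

    // A NaN is only acceptable where the caller deliberately stored one.
    const unexpectedNaNs = [];
    for (const key of Object.keys(obj)) {
        const value = obj[key];
        const storedNaN = expected.has(key) && Number.isNaN(expected.get(key));
        if (Number.isNaN(value) && !storedNaN)
            unexpectedNaNs.push(Number(key));
    }

    const keyCount = Object.keys(obj).length;
    return {
        keyCount,
        valueCount: Object.values(obj).length,
        phantomIndices,
        unexpectedNaNs,
        clean: phantomIndices.length === 0
            && unexpectedNaNs.length === 0
            && keyCount === entries.length,
    };
}

// Constructed samples mirroring the shapes in the regression test: a
// two-entry sparse object, one with deliberate NaN values, and one whose
// largest index is far enough away to force sparse storage.
const SAMPLES = [
    [[250, 0.5], [1000, 0.1]],
    [[100, NaN], [250, 0.1], [260, NaN], [1000, 0.5]],
    [[1, 0.6], [100, 0.45], [250, 0.3], [2000, 0.28]],
];

// Repeats the probe so a tiering JIT gets a chance to compile the
// construction path, as the stress test's 10000-iteration loop does.
// Returns the first failing report, or { clean: true }.
function probeAll(iterations = 1000) {
    for (let i = 0; i < iterations; i++) {
        for (const entries of SAMPLES) {
            const report = findPhantomHoles(entries);
            if (!report.clean)
                return report;
        }
    }
    return { clean: true };
}
```

Run `probeAll()` in the engine under test; an unfixed build would surface the extra NaN-valued indices in `phantomIndices`, while a correct engine returns `{ clean: true }` for every sample.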

Diff

Modified: releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog (214814 => 214815)


--- releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog	2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog	2017-04-03 17:29:09 UTC (rev 214815)
@@ -1,3 +1,14 @@
+2017-04-01  Oleksandr Skachkov  <gskach...@gmail.com>
+
+        Object with numerical keys with gaps gets filled by NaN values
+        https://bugs.webkit.org/show_bug.cgi?id=164412
+
+        Reviewed by Merk Lam.
+
+        * stress/object-number-properties.js: Added.
+        (assert):
+        (boo):
+
 2017-03-23  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Use jsNontrivialString agressively for ToString(Int52)
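Review bot: the JSTests ChangeLog entry misspells the reviewer's name in `+        Reviewed by Merk Lam.`; the Source/_javascript_Core ChangeLog entry and the log message both say "Mark Lam", so this line should read `Reviewed by Mark Lam.` before the merge lands.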

Added: releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js (0 => 214815)


--- releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js	2017-04-03 17:29:09 UTC (rev 214815)
@@ -0,0 +1,82 @@
+function assert(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var priceRanges = {
+    "1": 0.6,
+    "100": 0.45,
+    "250": 0.3,
+    "2000": 0.28
+};
+
+assert(Object.keys(priceRanges).length, 4); 
+assert(Object.values(priceRanges).length, 4); 
+assert(priceRanges[1], 0.6); 
+assert(priceRanges[100], 0.45); 
+assert(priceRanges[250], 0.3); 
+assert(priceRanges[2000], 0.28); 
+
+var ranges = {
+    "250" : 0.5,
+    "1000": 0.1
+};
+
+assert(Object.keys(ranges).length, 2);
+assert(Object.values(ranges).length, 2);
+assert(ranges[250], 0.5);
+assert(ranges[1000], 0.1);
+
+var r = {};
+
+r[250] = 0.1;
+r[1001] = 0.5;
+
+assert(Object.keys(r).length, 2);
+assert(Object.values(ranges).length, 2);
+
+assert(r[250], 0.1);
+assert(r[1001], 0.5);
+
+var foo = {};
+
+foo[100] = NaN;
+foo[250] = 0.1;
+foo[260] = NaN;
+foo[1000] = 0.5;
+
+assert(Object.keys(foo).length, 4);
+assert(Object.values(foo).length, 4);
+assert(isNaN(foo[100]), true);
+assert(foo[250], 0.1);
+assert(isNaN(foo[260]), true);
+assert(foo[1000], 0.5);
+
+var boo = function () {
+    return {
+        "250": 0.2,
+        "1000": 0.1
+    };
+};
+
+for (var i = 0; i < 10000; i++) {
+    const b = boo();
+    const keys = Object.keys(b);
+    const values = Object.values(b);
+
+    assert(keys.length, 2);
+    assert(values.length, 2);
+
+    assert(b[keys[0]], values[0]);
+    assert(b[keys[1]], values[1]);
+}
+
+var baz = {
+    "250": "A",
+    "1001": "B"
+};
+
+assert(Object.keys(baz).length, 2);
+assert(Object.values(baz).length, 2);
+assert(baz[250], "A");
+assert(baz[1001], "B");
\ No newline at end of file
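Review bot: in the `r` block, `assert(Object.values(ranges).length, 2);` re-checks `ranges` instead of `r`, so the values count for the object built by `r[250] = 0.1; r[1001] = 0.5;` is never actually tested; it should read `assert(Object.values(r).length, 2);`. The file also lacks a trailing newline (`\ No newline at end of file`), which is worth adding for consistency with the other stress tests.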

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (214814 => 214815)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-04-03 17:29:09 UTC (rev 214815)
@@ -1,3 +1,21 @@
+2017-04-01  Oleksandr Skachkov  <gskach...@gmail.com>
+
+        Object with numerical keys with gaps gets filled by NaN values
+        https://bugs.webkit.org/show_bug.cgi?id=164412
+
+        Reviewed by Mark Lam.
+
+        This patch fixes issue when object have two properties 
+        with name as number. The issue appears when during invoking 
+        convertDoubleToArrayStorage, array is filled by pNaN and 
+        method converting it to real NaN. This happeneds because a 
+        pNaN in a Double array is a hole, and Double arrays cannot 
+        have NaN values. To fix issue we need to check value and 
+        clear it if it pNaN.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::convertDoubleToArrayStorage):
+
 2017-03-31  Mark Lam  <mark....@apple.com>
 
         Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.cpp (214814 => 214815)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.cpp	2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.cpp	2017-04-03 17:29:09 UTC (rev 214815)
@@ -1288,9 +1288,12 @@
     Butterfly* butterfly = m_butterfly.get();
     for (unsigned i = 0; i < vectorLength; i++) {
         double value = butterfly->contiguousDouble()[i];
+        if (value != value) {
+            newStorage->m_vector[i].clear();
+            continue;
+        }
         newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
-        if (value == value)
-            newStorage->m_numValuesInVector++;
+        newStorage->m_numValuesInVector++;
     }
     
     StructureID oldStructureID = this->structureID();
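Review bot: a one-line comment on the `if (value != value)` test would help here, since the reason it is safe to treat any NaN in the Double butterfly as a hole is stated only in the ChangeLog (pNaN is the hole marker and Double arrays cannot hold a real NaN); something like `// A NaN here is pNaN, i.e. a hole: leave the ArrayStorage slot empty.` above the `clear()` call. The logic itself reads correctly: holes are now cleared instead of being copied into ArrayStorage as a real NaN double, and `m_numValuesInVector++` runs only on the non-hole path, which matches the count the removed `if (value == value)` guard produced.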
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes