Modified: releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog (214814 => 214815)
--- releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog 2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog 2017-04-03 17:29:09 UTC (rev 214815)
@@ -1,3 +1,14 @@
+2017-04-01 Oleksandr Skachkov <gskach...@gmail.com>
+
+ Object with numerical keys with gaps gets filled by NaN values
+ https://bugs.webkit.org/show_bug.cgi?id=164412
+
+ Reviewed by Merk Lam.
+
+ * stress/object-number-properties.js: Added.
+ (assert):
+ (boo):
+
2017-03-23 Yusuke Suzuki <utatane....@gmail.com>
[JSC] Use jsNontrivialString agressively for ToString(Int52)
Added: releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js (0 => 214815)
--- releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js (rev 0)
+++ releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js 2017-04-03 17:29:09 UTC (rev 214815)
@@ -0,0 +1,82 @@
+function assert(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var priceRanges = {
+ "1": 0.6,
+ "100": 0.45,
+ "250": 0.3,
+ "2000": 0.28
+};
+
+assert(Object.keys(priceRanges).length, 4);
+assert(Object.values(priceRanges).length, 4);
+assert(priceRanges[1], 0.6);
+assert(priceRanges[100], 0.45);
+assert(priceRanges[250], 0.3);
+assert(priceRanges[2000], 0.28);
+
+var ranges = {
+ "250" : 0.5,
+ "1000": 0.1
+};
+
+assert(Object.keys(ranges).length, 2);
+assert(Object.values(ranges).length, 2);
+assert(ranges[250], 0.5);
+assert(ranges[1000], 0.1);
+
+var r = {};
+
+r[250] = 0.1;
+r[1001] = 0.5;
+
+assert(Object.keys(r).length, 2);
+assert(Object.values(ranges).length, 2);
+
+assert(r[250], 0.1);
+assert(r[1001], 0.5);
+
+var foo = {};
+
+foo[100] = NaN;
+foo[250] = 0.1;
+foo[260] = NaN;
+foo[1000] = 0.5;
+
+assert(Object.keys(foo).length, 4);
+assert(Object.values(foo).length, 4);
+assert(isNaN(foo[100]), true);
+assert(foo[250], 0.1);
+assert(isNaN(foo[260]), true);
+assert(foo[1000], 0.5);
+
+var boo = function () {
+ return {
+ "250": 0.2,
+ "1000": 0.1
+ };
+};
+
+for (var i = 0; i < 10000; i++) {
+ const b = boo();
+ const keys = Object.keys(b);
+ const values = Object.values(b);
+
+ assert(keys.length, 2);
+ assert(values.length, 2);
+
+ assert(b[keys[0]], values[0]);
+ assert(b[keys[1]], values[1]);
+}
+
+var baz = {
+ "250": "A",
+ "1001": "B"
+};
+
+assert(Object.keys(baz).length, 2);
+assert(Object.values(baz).length, 2);
+assert(baz[250], "A");
+assert(baz[1001], "B");
\ No newline at end of file
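Review bot: The values of `r` are never checked: the line `assert(Object.values(ranges).length, 2);` that follows `r[1001] = 0.5;` re-tests `ranges` rather than `r`, so it is a no-op copy of the earlier assertion and should read `assert(Object.values(r).length, 2);`. Since the regression this patch fixes is exactly NaN-filled gaps showing up in `Object.values`, that is the assertion most likely to catch a recurrence on the index-assignment path, and as written the `r` case only verifies `Object.keys` and the two element reads. The same copy-paste pattern is worth a glance in the `foo` block, which does use the right object. The file also ends without a trailing newline.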
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (214814 => 214815)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-04-03 17:29:09 UTC (rev 214815)
@@ -1,3 +1,21 @@
+2017-04-01 Oleksandr Skachkov <gskach...@gmail.com>
+
+ Object with numerical keys with gaps gets filled by NaN values
+ https://bugs.webkit.org/show_bug.cgi?id=164412
+
+ Reviewed by Mark Lam.
+
+ This patch fixes issue when object have two properties
+ with name as number. The issue appears when during invoking
+ convertDoubleToArrayStorage, array is filled by pNaN and
+ method converting it to real NaN. This happeneds because a
+ pNaN in a Double array is a hole, and Double arrays cannot
+ have NaN values. To fix issue we need to check value and
+ clear it if it pNaN.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::convertDoubleToArrayStorage):
+
2017-03-31 Mark Lam <mark....@apple.com>
Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.cpp (214814 => 214815)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.cpp 2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/runtime/JSObject.cpp 2017-04-03 17:29:09 UTC (rev 214815)
@@ -1288,9 +1288,12 @@
Butterfly* butterfly = m_butterfly.get();
for (unsigned i = 0; i < vectorLength; i++) {
double value = butterfly->contiguousDouble()[i];
+ if (value != value) {
+ newStorage->m_vector[i].clear();
+ continue;
+ }
newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
- if (value == value)
- newStorage->m_numValuesInVector++;
+ newStorage->m_numValuesInVector++;
}
StructureID oldStructureID = this->structureID();
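Review bot: The `value != value` test on the added line `if (value != value) {` treats every NaN bit pattern as a hole, whereas the ChangeLog's justification is that only the pNaN sentinel can appear in a contiguous-double butterfly. Under that invariant the change is correct, but a non-canonical NaN that somehow reached the butterfly would now be silently dropped from the converted ArrayStorage instead of being noticed; a debug check that the bits are exactly the pure-NaN encoding, e.g. `ASSERT(bitwise_cast<uint64_t>(value) == bitwise_cast<uint64_t>(PNaN));` just before the `clear()`, would make the invariant enforceable if the PureNaN helpers are in scope in this file. Clearing the slot and only then bumping `m_numValuesInVector` does keep the count consistent with the non-empty entries, which the removed lines did not. On style, `std::isnan(value)` states the intent more plainly than the self-comparison idiom, though the removed line used the same idiom. `convertDoubleToArrayStorage` begins and ends outside this hunk.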