Title: [238985] releases/WebKitGTK/webkit-2.22
Revision: 238985
Author: [email protected]
Date: 2018-12-07 16:25:34 -0800 (Fri, 07 Dec 2018)

Log Message

Merge r235356 - [JSC] Array.prototype.reverse modifies JSImmutableButterfly
https://bugs.webkit.org/show_bug.cgi?id=188794

Reviewed by Saam Barati.

JSTests:

* stress/reverse-with-immutable-butterfly.js: Added.
(shouldBe):
(reverseInt):
(reverseDouble):
(reverseContiguous):

Source/JavaScriptCore:

While Array.prototype.reverse modifies the butterfly of the given Array,
it does not account for the JSImmutableButterfly case. So it accidentally modifies
the content of JSImmutableButterfly.
This patch converts CoW arrays to writable arrays before reversing.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncReverse):
* runtime/JSObject.h:
(JSC::JSObject::ensureWritable):
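
The invariant this fix restores can be checked from script. The following is an added example, not the contents of stress/reverse-with-immutable-butterfly.js: the function names are borrowed from the ChangeLog entry, while the bodies, `countMismatches` and `literalStaysIntact` are assumptions made for illustration.

```javascript
// Added illustration; names follow the ChangeLog entry, bodies are assumptions.
function shouldBe(actual, expected) {
    if (actual !== expected)
        throw new Error(`bad value: ${actual}, expected ${expected}`);
}

// Each function evaluates an array literal. An engine may back such a literal
// with shared copy-on-write storage, so an in-place reverse() has to give the
// array its own writable copy before touching the elements.
function reverseInt() {
    return [0, 1, 2, 3].reverse();
}

function reverseDouble() {
    return [0.5, 1.5, 2.5, 3.5].reverse();
}

function reverseContiguous() {
    return ["a", "b", "c", "d"].reverse();
}

// Runs one case repeatedly and returns how many runs gave a wrong result.
// If reverse() wrote into the shared storage, a later evaluation of the same
// literal would start from already-reversed contents and the result would flip.
function countMismatches(fn, expected, runs = 1000) {
    let mismatches = 0;
    for (let i = 0; i < runs; ++i) {
        if (fn().join() !== expected)
            mismatches++;
    }
    return mismatches;
}

// Reversing one array created from a literal must not change what the next
// evaluation of that literal produces.
function literalStaysIntact() {
    const make = () => [1, 2, 3];
    make().reverse();
    return make().join() === "1,2,3";
}

shouldBe(countMismatches(reverseInt, "3,2,1,0"), 0);
shouldBe(countMismatches(reverseDouble, "3.5,2.5,1.5,0.5"), 0);
shouldBe(countMismatches(reverseContiguous, "d,c,b,a"), 0);
shouldBe(literalStaysIntact(), true);
```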

Diff

Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (238984 => 238985)


--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-12-08 00:25:31 UTC (rev 238984)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-12-08 00:25:34 UTC (rev 238985)
@@ -1,3 +1,16 @@
+2018-08-24  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Array.prototype.reverse modifies JSImmutableButterfly
+        https://bugs.webkit.org/show_bug.cgi?id=188794
+
+        Reviewed by Saam Barati.
+
+        * stress/reverse-with-immutable-butterfly.js: Added.
+        (shouldBe):
+        (reverseInt):
+        (reverseDouble):
+        (reverseContiguous):
+
 2018-11-15  Mark Lam  <[email protected]>
 
         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
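Review bot: The new entry at the top of this ChangeLog keeps its original 2018-08-24 date and sits above the 2018-11-15 entry, with nothing in the entry itself marking it as a backport. Suggest adding a "Merge r235356" line to the entry body so the branch ChangeLog records where the change came from. The entry also lists stress/reverse-with-immutable-butterfly.js as added, but the test file is not among the hunks shown here, so the coverage implied by reverseInt, reverseDouble and reverseContiguous cannot be checked from this page.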

Modified: releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/ChangeLog (238984 => 238985)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-12-08 00:25:31 UTC (rev 238984)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-12-08 00:25:34 UTC (rev 238985)
@@ -1,3 +1,20 @@
+2018-08-24  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Array.prototype.reverse modifies JSImmutableButterfly
+        https://bugs.webkit.org/show_bug.cgi?id=188794
+
+        Reviewed by Saam Barati.
+
+        While Array.prototype.reverse modifies the butterfly of the given Array,
+        it does not account JSImmutableButterfly case. So it accidentally modifies
+        the content of JSImmutableButterfly.
+        This patch converts CoW arrays to writable arrays before reversing.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncReverse):
+        * runtime/JSObject.h:
+        (JSC::JSObject::ensureWritable):
+
 2018-11-15  Mark Lam  <[email protected]>
 
         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
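Review bot: The description paragraph in the new entry says reverse "accidentally modifies the content of JSImmutableButterfly" but does not say what observes the modified storage, nor whether other in-place array operations were checked for the same omission. Suggest one sentence on the visible effect and one on whether JSC::JSObject::ensureWritable is meant as the common helper for other callers. The entry lists runtime/ArrayPrototype.cpp and runtime/JSObject.h, yet only ChangeLog hunks appear here, so the conversion in arrayProtoFuncReverse cannot be reviewed from this page.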