Modified: branches/safari-536-branch/LayoutTests/ChangeLog (117850 => 117851)
--- branches/safari-536-branch/LayoutTests/ChangeLog 2012-05-22 00:14:58 UTC (rev 117850)
+++ branches/safari-536-branch/LayoutTests/ChangeLog 2012-05-22 00:16:57 UTC (rev 117851)
@@ -1,5 +1,22 @@
2012-05-21 Lucas Forschler <[email protected]>
+ Merge 117523
+
+ 2012-05-17 Filip Pizlo <[email protected]>
+
+ Setting array index -1 and looping over array causes bad behavior
+ https://bugs.webkit.org/show_bug.cgi?id=86733
+ <rdar://problem/11477670>
+
+ Reviewed by Oliver Hunt.
+
+ * fast/js/dfg-negative-array-index-expected.txt: Added.
+ * fast/js/dfg-negative-array-index.html: Added.
+ * fast/js/script-tests/dfg-negative-array-index.js: Added.
+ (foo):
+
+2012-05-21 Lucas Forschler <[email protected]>
+
Merge 117366
2012-05-16 Jon Lee <[email protected]>
Copied: branches/safari-536-branch/LayoutTests/fast/js/dfg-negative-array-index-expected.txt (from rev 117523, trunk/LayoutTests/fast/js/dfg-negative-array-index-expected.txt) (0 => 117851)
--- branches/safari-536-branch/LayoutTests/fast/js/dfg-negative-array-index-expected.txt (rev 0)
+++ branches/safari-536-branch/LayoutTests/fast/js/dfg-negative-array-index-expected.txt 2012-05-22 00:16:57 UTC (rev 117851)
@@ -0,0 +1,109 @@
+Tests that storing into a negative array index works right.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS array[-1] is 42
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/safari-536-branch/LayoutTests/fast/js/dfg-negative-array-index.html (from rev 117523, trunk/LayoutTests/fast/js/dfg-negative-array-index.html) (0 => 117851)
--- branches/safari-536-branch/LayoutTests/fast/js/dfg-negative-array-index.html (rev 0)
+++ branches/safari-536-branch/LayoutTests/fast/js/dfg-negative-array-index.html 2012-05-22 00:16:57 UTC (rev 117851)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Copied: branches/safari-536-branch/LayoutTests/fast/js/script-tests/dfg-negative-array-index.js (from rev 117523, trunk/LayoutTests/fast/js/script-tests/dfg-negative-array-index.js) (0 => 117851)
--- branches/safari-536-branch/LayoutTests/fast/js/script-tests/dfg-negative-array-index.js (rev 0)
+++ branches/safari-536-branch/LayoutTests/fast/js/script-tests/dfg-negative-array-index.js 2012-05-22 00:16:57 UTC (rev 117851)
@@ -0,0 +1,14 @@
+description(
+"Tests that storing into a negative array index works right."
+);
+
+function foo(a, i) {
+ a[i] = 42;
+}
+
+for (var i = 0; i < 100; ++i) {
+ var array = [];
+ foo(array, -1);
+ shouldBe("array[-1]", "42");
+}
+
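Review bot: The test only checks that `array[-1]` reads back 42 (L167); it never verifies that the negative index was stored as an ordinary named property and left the array's indexed storage alone, which is the "looping over array" half of the bug title. Since -1 is not an array index per the spec, the array must still report no elements after the store, so adding `shouldBe("array.length", "0");` and `shouldBe("array.hasOwnProperty('-1')", "true");` inside the loop would pin that down and would have caught a regression where -1 is silently reinterpreted as a large unsigned index. The expected-output file would need the matching PASS lines regenerated. A one-line description comment such as `// -1 is not an array index: it must land in a named property, not the vector` above `foo` would also make the intent clear to the next reader.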
Modified: branches/safari-536-branch/Source/_javascript_Core/ChangeLog (117850 => 117851)
--- branches/safari-536-branch/Source/_javascript_Core/ChangeLog 2012-05-22 00:14:58 UTC (rev 117850)
+++ branches/safari-536-branch/Source/_javascript_Core/ChangeLog 2012-05-22 00:16:57 UTC (rev 117851)
@@ -1,5 +1,19 @@
2012-05-21 Lucas Forschler <[email protected]>
+ Merge 117523
+
+ 2012-05-17 Filip Pizlo <[email protected]>
+
+ Setting array index -1 and looping over array causes bad behavior
+ https://bugs.webkit.org/show_bug.cgi?id=86733
+ <rdar://problem/11477670>
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGOperations.cpp:
+
+2012-05-21 Lucas Forschler <[email protected]>
+
Merge 117193
2012-05-15 Oliver Hunt <[email protected]>
Modified: branches/safari-536-branch/Source/_javascript_Core/dfg/DFGOperations.cpp (117850 => 117851)
--- branches/safari-536-branch/Source/_javascript_Core/dfg/DFGOperations.cpp 2012-05-22 00:14:58 UTC (rev 117850)
+++ branches/safari-536-branch/Source/_javascript_Core/dfg/DFGOperations.cpp 2012-05-22 00:16:57 UTC (rev 117851)
@@ -466,9 +466,16 @@
JSGlobalData* globalData = &exec->globalData();
NativeCallFrameTracer tracer(globalData, exec);
- // We should only get here if index is outside the existing vector.
- ASSERT(!array->canSetIndex(index));
- JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), true);
+ if (index >= 0) {
+ // We should only get here if index is outside the existing vector.
+ ASSERT(!array->canSetIndex(index));
+ JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), true);
+ return;
+ }
+
+ PutPropertySlot slot(true);
+ array->methodTable()->put(
+ array, exec, Identifier::from(exec, index), JSValue::decode(encodedValue), slot);
}
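Review bot: The new negative-index branch (L207-L209) has no comment saying why a negative int32 cannot go through `JSArray::putByIndex` and is instead routed through the generic `put` with an `Identifier`; the only comment in the hunk still describes the non-negative fast path. Presumably `putByIndex` takes an unsigned index and would see -1 as 0xFFFFFFFF, but that is inferred rather than visible here, so the rationale should be stated where the next maintainer will look: `// A negative index is not an array index (ES5 15.4): it must be stored as an ordinary named property such as "-1", never handed to the unsigned putByIndex path.` placed above `PutPropertySlot slot(true);`. The enclosing strict operation's signature is above the hunk, outside this view.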
void DFG_OPERATION operationPutByValBeyondArrayBoundsNonStrict(ExecState* exec, JSArray* array, int32_t index, EncodedJSValue encodedValue)
@@ -476,9 +483,16 @@
JSGlobalData* globalData = &exec->globalData();
NativeCallFrameTracer tracer(globalData, exec);
- // We should only get here if index is outside the existing vector.
- ASSERT(!array->canSetIndex(index));
- JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), false);
+ if (index >= 0) {
+ // We should only get here if index is outside the existing vector.
+ ASSERT(!array->canSetIndex(index));
+ JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), false);
+ return;
+ }
+
+ PutPropertySlot slot(false);
+ array->methodTable()->put(
+ array, exec, Identifier::from(exec, index), JSValue::decode(encodedValue), slot);
}
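Review bot: This non-strict body (L218-L227) is a line-for-line copy of the strict variant with only the boolean changed, so the negative-index handling now lives in two places that must be kept in sync; if the sparse-index treatment is adjusted again, forgetting one of them would reintroduce the bug in a single mode only. A file-local helper taking the `strict` flag would make the two DFG entry points one-liners, keep a single copy of the `index >= 0` split, and give the rationale for the negative path one home. The enclosing function's signature sits just above the hunk as context (L211), so the helper would be inserted before the strict operation, outside this hunk.
```cpp
// Slow path shared by the strict and non-strict beyond-bounds stores.
// Non-negative indices go to the array's indexed storage; a negative index is
// not an array index, so it must become an ordinary named property ("-1").
static void putByValBeyondArrayBounds(ExecState* exec, JSArray* array, int32_t index, EncodedJSValue encodedValue, bool strict)
{
    if (index >= 0) {
        // We should only get here if index is outside the existing vector.
        ASSERT(!array->canSetIndex(index));
        JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), strict);
        return;
    }

    PutPropertySlot slot(strict);
    array->methodTable()->put(
        array, exec, Identifier::from(exec, index), JSValue::decode(encodedValue), slot);
}

// … unchanged: strict operation, same two-line prologue then …
//     putByValBeyondArrayBounds(exec, array, index, encodedValue, true);

void DFG_OPERATION operationPutByValBeyondArrayBoundsNonStrict(ExecState* exec, JSArray* array, int32_t index, EncodedJSValue encodedValue)
{
    JSGlobalData* globalData = &exec->globalData();
    NativeCallFrameTracer tracer(globalData, exec);
    putByValBeyondArrayBounds(exec, array, index, encodedValue, false);
}
```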
EncodedJSValue DFG_OPERATION operationArrayPush(ExecState* exec, EncodedJSValue encodedValue, JSArray* array)