Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (129573 => 129574)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-25 23:42:52 UTC (rev 129574)
@@ -1,5 +1,20 @@
2012-09-25 Filip Pizlo <[email protected]>
+ JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
+ https://bugs.webkit.org/show_bug.cgi?id=95610
+
+ Reviewed by Oliver Hunt.
+
+ Add better support for quickly accessing the indexed storage from bindings.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::tryGetIndexQuickly):
+ (JSObject):
+ (JSC::JSObject::getDirectIndex):
+ (JSC::JSObject::getIndex):
+
+2012-09-25 Filip Pizlo <[email protected]>
+
Structure check hoisting phase doesn't know about the side-effecting nature of Arrayify
https://bugs.webkit.org/show_bug.cgi?id=97537
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (129573 => 129574)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2012-09-25 23:42:52 UTC (rev 129574)
@@ -226,6 +226,42 @@
}
}
+ JSValue tryGetIndexQuickly(unsigned i)
+ {
+ switch (structure()->indexingType()) {
+ case ALL_BLANK_INDEXING_TYPES:
+ break;
+ case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+ if (i < m_butterfly->arrayStorage()->vectorLength()) {
+ JSValue v = m_butterfly->arrayStorage()->m_vector[i].get();
+ if (v)
+ return v;
+ }
+ break;
+ default:
+ ASSERT_NOT_REACHED();
+ break;
+ }
+ return JSValue();
+ }
+
+ JSValue getDirectIndex(ExecState* exec, unsigned i)
+ {
+ if (JSValue result = tryGetIndexQuickly(i))
+ return result;
+ PropertySlot slot(this);
+ if (methodTable()->getOwnPropertySlotByIndex(this, exec, i, slot))
+ return slot.getValue(exec, i);
+ return JSValue();
+ }
+
+ JSValue getIndex(ExecState* exec, unsigned i)
+ {
+ if (JSValue result = tryGetIndexQuickly(i))
+ return result;
+ return get(exec, i);
+ }
+
bool canSetIndexQuickly(unsigned i)
{
switch (structure()->indexingType()) {
Modified: trunk/Source/WebCore/ChangeLog (129573 => 129574)
--- trunk/Source/WebCore/ChangeLog 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/ChangeLog 2012-09-25 23:42:52 UTC (rev 129574)
@@ -1,3 +1,31 @@
+2012-09-25 Filip Pizlo <[email protected]>
+
+ JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
+ https://bugs.webkit.org/show_bug.cgi?id=95610
+
+ Reviewed by Oliver Hunt.
+
+ Fix all of the cases I found where we were using getIndexQuickly(), which was wrong
+ if we were in sparse mode.
+
+ * bindings/js/ArrayValue.cpp:
+ (WebCore::ArrayValue::get):
+ * bindings/js/JSBlobCustom.cpp:
+ (WebCore::JSBlobConstructor::constructJSBlob):
+ * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
+ (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
+ * bindings/js/JSDOMStringListCustom.cpp:
+ (WebCore::toDOMStringList):
+ * bindings/js/JSInspectorFrontendHostCustom.cpp:
+ (WebCore::populateContextMenuItems):
+ * bindings/js/JSWebSocketCustom.cpp:
+ (WebCore::JSWebSocketConstructor::constructJSWebSocket):
+ * bindings/js/ScriptValue.cpp:
+ (WebCore::jsToInspectorValue):
+ * bindings/js/SerializedScriptValue.cpp:
+ (CloneSerializer):
+ (WebCore::CloneSerializer::serialize):
+
2012-09-25 Tim Horton <[email protected]>
Load the linearized sRGB profile via NSData instead of CoreFoundation
Modified: trunk/Source/WebCore/bindings/js/ArrayValue.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/ArrayValue.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/ArrayValue.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -72,12 +72,7 @@
if (isUndefinedOrNull())
return false;
- JSArray* array = asArray(m_value);
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
- if (!array->canGetIndexQuickly(index))
- return false;
-
- JSValue indexedValue = array->getIndexQuickly(index);
+ JSValue indexedValue = asArray(m_value)->getIndex(m_exec, index);
if (indexedValue.isUndefinedOrNull() || !indexedValue.isObject())
return false;
Modified: trunk/Source/WebCore/bindings/js/JSBlobCustom.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/JSBlobCustom.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/JSBlobCustom.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -118,8 +118,7 @@
unsigned length = array->length();
for (unsigned i = 0; i < length; ++i) {
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
- JSValue item = array->getIndexQuickly(i);
+ JSValue item = array->getIndex(exec, i);
#if ENABLE(BLOB)
if (item.inherits(&JSArrayBuffer::s_info))
blobBuilder->append(context, toArrayBuffer(item));
Modified: trunk/Source/WebCore/bindings/js/JSCanvasRenderingContext2DCustom.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/JSCanvasRenderingContext2DCustom.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/JSCanvasRenderingContext2DCustom.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -110,9 +110,8 @@
Vector<float> dash;
JSArray* valueArray = asArray(value);
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
for (unsigned i = 0; i < valueArray->length(); ++i) {
- float elem = valueArray->getIndexQuickly(i).toFloat(exec);
+ float elem = valueArray->getIndex(exec, i).toFloat(exec);
if (elem <= 0 || !isfinite(elem))
return;
Modified: trunk/Source/WebCore/bindings/js/JSDOMStringListCustom.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/JSDOMStringListCustom.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/JSDOMStringListCustom.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -33,9 +33,8 @@
JSArray* array = asArray(value);
RefPtr<DOMStringList> stringList = DOMStringList::create();
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
for (unsigned i = 0; i < array->length(); ++i)
- stringList->append(array->getIndexQuickly(i).toString(exec)->value(exec));
+ stringList->append(array->getIndex(exec, i).toString(exec)->value(exec));
return stringList.release();
}
Modified: trunk/Source/WebCore/bindings/js/JSInspectorFrontendHostCustom.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/JSInspectorFrontendHostCustom.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/JSInspectorFrontendHostCustom.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -89,8 +89,7 @@
static void populateContextMenuItems(ExecState* exec, JSArray* array, ContextMenu& menu)
{
for (size_t i = 0; i < array->length(); ++i) {
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
- JSObject* item = asObject(array->getIndexQuickly(i));
+ JSObject* item = asObject(array->getIndex(exec, i));
JSValue label = item->get(exec, Identifier(exec, "label"));
JSValue type = item->get(exec, Identifier(exec, "type"));
JSValue id = item->get(exec, Identifier(exec, "id"));
Modified: trunk/Source/WebCore/bindings/js/JSWebSocketCustom.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/JSWebSocketCustom.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/JSWebSocketCustom.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -74,8 +74,7 @@
Vector<String> protocols;
JSArray* protocolsArray = asArray(protocolsValue);
for (unsigned i = 0; i < protocolsArray->length(); ++i) {
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
- String protocol = protocolsArray->getIndexQuickly(i).toString(exec)->value(exec);
+ String protocol = protocolsArray->getIndex(exec, i).toString(exec)->value(exec);
if (exec->hadException())
return JSValue::encode(JSValue());
protocols.append(protocol);
Modified: trunk/Source/WebCore/bindings/js/ScriptValue.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/ScriptValue.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/ScriptValue.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -144,8 +144,7 @@
JSArray* array = asArray(value);
unsigned length = array->length();
for (unsigned i = 0; i < length; i++) {
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
- JSValue element = array->getIndexQuickly(i);
+ JSValue element = array->getIndex(scriptState, i);
RefPtr<InspectorValue> elementValue = jsToInspectorValue(scriptState, element, maxDepth);
if (!elementValue)
return 0;
Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (129573 => 129574)
--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2012-09-25 23:35:13 UTC (rev 129573)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2012-09-25 23:42:52 UTC (rev 129574)
@@ -471,22 +471,6 @@
write(TerminatorTag);
}
- JSValue getSparseIndex(JSArray* array, unsigned propertyName, bool& hasIndex)
- {
- PropertySlot slot(array);
- if (isJSArray(array)) {
- if (JSArray::getOwnPropertySlotByIndex(array, m_exec, propertyName, slot)) {
- hasIndex = true;
- return slot.getValue(m_exec, propertyName);
- }
- } else if (array->methodTable()->getOwnPropertySlotByIndex(array, m_exec, propertyName, slot)) {
- hasIndex = true;
- return slot.getValue(m_exec, propertyName);
- }
- hasIndex = false;
- return jsNull();
- }
-
JSValue getProperty(JSObject* object, const Identifier& propertyName)
{
PropertySlot slot(object);
@@ -894,16 +878,10 @@
lengthStack.removeLast();
break;
}
- // FIXME: What if the array is in sparse mode? https://bugs.webkit.org/show_bug.cgi?id=95610
- if (array->canGetIndexQuickly(index))
- inValue = array->getIndexQuickly(index);
- else {
- bool hasIndex = false;
- inValue = getSparseIndex(array, index, hasIndex);
- if (!hasIndex) {
- indexStack.last()++;
- goto arrayStartVisitMember;
- }
+ inValue = array->getDirectIndex(m_exec, index);
+ if (!inValue) {
+ indexStack.last()++;
+ goto arrayStartVisitMember;
}
write(index);
