Title: [134193] trunk
Revision: 134193
Author: [email protected]
Date: 2012-11-11 23:49:11 -0800 (Sun, 11 Nov 2012)

Log Message

Fix assertion failure in JSObject::tryGetIndexQuickly()
https://bugs.webkit.org/show_bug.cgi?id=101869

Patch by Michael Pruett <[email protected]> on 2012-11-11
Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Currently JSObject::tryGetIndexQuickly() triggers an assertion
failure when the object has an undecided indexing type. This
case should be treated the same as a blank indexing type.

* runtime/JSObject.h:
(JSC::JSObject::tryGetIndexQuickly):

LayoutTests:

Add test case for an assertion failure triggered when constructing
a Blob with a sparse array.

* fast/constructors/blob-sparse-array-assertion-failure.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (134192 => 134193)


--- trunk/LayoutTests/ChangeLog	2012-11-12 07:24:24 UTC (rev 134192)
+++ trunk/LayoutTests/ChangeLog	2012-11-12 07:49:11 UTC (rev 134193)
@@ -1,3 +1,15 @@
+2012-11-11  Michael Pruett  <[email protected]>
+
+        Fix assertion failure in JSObject::tryGetIndexQuickly()
+        https://bugs.webkit.org/show_bug.cgi?id=101869
+
+        Reviewed by Filip Pizlo.
+
+        Add test case for an assertion failure triggered when constructing
+        a Blob with a sparse array.
+
+        * fast/constructors/blob-sparse-array-assertion-failure.html: Added.
+
 2012-11-09  Ryosuke Niwa  <[email protected]>
 
         Multiple Layout Tests (e.g. fast/repaint/japanese-rl-selection-clear.html) is failing after r133840.

Added: trunk/LayoutTests/fast/constructors/blob-sparse-array-assertion-failure-expected.txt (0 => 134193)


--- trunk/LayoutTests/fast/constructors/blob-sparse-array-assertion-failure-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/constructors/blob-sparse-array-assertion-failure-expected.txt	2012-11-12 07:49:11 UTC (rev 134193)
@@ -0,0 +1,4 @@
+Test that constructing a Blob with a sparse array doesn't trigger an assertion failure. 
+https://bugs.webkit.org/show_bug.cgi?id=101869
+DONE
+

Added: trunk/LayoutTests/fast/constructors/blob-sparse-array-assertion-failure.html (0 => 134193)


--- trunk/LayoutTests/fast/constructors/blob-sparse-array-assertion-failure.html	                        (rev 0)
+++ trunk/LayoutTests/fast/constructors/blob-sparse-array-assertion-failure.html	2012-11-12 07:49:11 UTC (rev 134193)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function log(message)
+{
+    document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+function test()
+{
+    new Blob(Array(100));
+    log("DONE");
+}
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body _onload_="test()">
+Test that constructing a Blob with a sparse array doesn't trigger an assertion failure.
+<br>
+<a href=""
+<pre id='console'></pre>
+</body>
+</html>
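Review bot: test() does not say why `new Blob(Array(100))` is the trigger, so the link between this input and the JSObject.h fix is only recoverable from the ChangeLog. A one-line comment in test() stating that Array(100) has a length but no assigned elements, and that reading its indices from the Blob constructor is what reached the assertion in bug 101869, would keep the test understandable if the file is later edited or moved. It would also be worth adding a second call with an array that has a few elements set and holes between them, so the test covers both a never-written array and a partly written one.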

Modified: trunk/Source/JavaScriptCore/ChangeLog (134192 => 134193)


--- trunk/Source/_javascript_Core/ChangeLog	2012-11-12 07:24:24 UTC (rev 134192)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-11-12 07:49:11 UTC (rev 134193)
@@ -1,3 +1,17 @@
+2012-11-11  Michael Pruett  <[email protected]>
+
+        Fix assertion failure in JSObject::tryGetIndexQuickly()
+        https://bugs.webkit.org/show_bug.cgi?id=101869
+
+        Reviewed by Filip Pizlo.
+
+        Currently JSObject::tryGetIndexQuickly() triggers an assertion
+        failure when the object has an undecided indexing type. This
+        case should be treated the same as a blank indexing type.
+
+        * runtime/JSObject.h:
+        (JSC::JSObject::tryGetIndexQuickly):
+
 2012-11-11  Filip Pizlo  <[email protected]>
 
         DFG register allocation should be greedy rather than round-robin

Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (134192 => 134193)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2012-11-12 07:24:24 UTC (rev 134192)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2012-11-12 07:49:11 UTC (rev 134193)
@@ -241,6 +241,7 @@
     {
         switch (structure()->indexingType()) {
         case ALL_BLANK_INDEXING_TYPES:
+        case ALL_UNDECIDED_INDEXING_TYPES:
             break;
         case ALL_INT32_INDEXING_TYPES:
         case ALL_CONTIGUOUS_INDEXING_TYPES:
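Review bot: the new `case ALL_UNDECIDED_INDEXING_TYPES:` label fixes this one switch on `structure()->indexingType()`, but the patch gives no indication that the other switches over the indexing type in this header were checked for the same missing case. Since the failure mode is an assertion on an unhandled indexing type, please confirm that the sibling fast-path accessors in JSObject.h either list the undecided types explicitly or are never reached with them, and say so in the ChangeLog entry. A short comment beside the new label explaining why an undecided indexing type takes the same `break` as the blank types would also help the next reader of this switch.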