Diff
Modified: tags/Safari-537.31.7/LayoutTests/ChangeLog (143759 => 143760)
--- tags/Safari-537.31.7/LayoutTests/ChangeLog 2013-02-22 19:16:03 UTC (rev 143759)
+++ tags/Safari-537.31.7/LayoutTests/ChangeLog 2013-02-22 19:16:54 UTC (rev 143760)
@@ -1,3 +1,20 @@
+2013-02-22 Lucas Forschler <[email protected]>
+
+ Merge r143269
+
+ 2013-02-18 Filip Pizlo <[email protected]>
+
+ Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
+ https://bugs.webkit.org/show_bug.cgi?id=110155
+ <rdar://problem/13233773>
+
+ Reviewed by Mark Rowe.
+
+ * fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt: Added.
+ * fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html: Added.
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js: Added.
+
2013-02-18 Lucas Forschler <[email protected]>
Merge r143074
Copied: tags/Safari-537.31.7/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt (from rev 143269, trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt) (0 => 143760)
--- tags/Safari-537.31.7/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt (rev 0)
+++ tags/Safari-537.31.7/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt 2013-02-22 19:16:54 UTC (rev 143760)
@@ -0,0 +1,109 @@
+Tests that deleting all properties from an object and then flattening it doesn't cause inconsistencies.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: tags/Safari-537.31.7/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html (from rev 143269, trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html) (0 => 143760)
--- tags/Safari-537.31.7/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html (rev 0)
+++ tags/Safari-537.31.7/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html 2013-02-22 19:16:54 UTC (rev 143760)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
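Review bot: All three script elements in this file are shown as script src="" with an empty src and no closing bracket or end tag, so as shown the page loads neither the code that defines description() and shouldBe() nor the script-tests file. Confirm that the copied file carries the same paths as the trunk file from r143269.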
Modified: tags/Safari-537.31.7/LayoutTests/fast/js/jsc-test-list (143759 => 143760)
--- tags/Safari-537.31.7/LayoutTests/fast/js/jsc-test-list 2013-02-22 19:16:03 UTC (rev 143759)
+++ tags/Safari-537.31.7/LayoutTests/fast/js/jsc-test-list 2013-02-22 19:16:54 UTC (rev 143760)
@@ -206,6 +206,7 @@
fast/js/exception-with-handler-inside-eval-with-dynamic-scope
fast/js/excessive-comma-usage
fast/js/finally-codegen-failure
+fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted
fast/js/for-in-avoid-duplicates
fast/js/for-in-cached
fast/js/for-in-exeception
Copied: tags/Safari-537.31.7/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js (from rev 143269, trunk/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js) (0 => 143760)
--- tags/Safari-537.31.7/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js (rev 0)
+++ tags/Safari-537.31.7/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js 2013-02-22 19:16:54 UTC (rev 143760)
@@ -0,0 +1,20 @@
+description(
+"Tests that deleting all properties from an object and then flattening it doesn't cause inconsistencies."
+);
+
+var o = {};
+
+for (var i = 0; i < 1000; ++i)
+ o["a" + i] = i;
+
+for (var i = 0; i < 1000; ++i)
+ delete o["a" + i];
+
+var p = {};
+p.__proto__ = o;
+
+var q = {f:42};
+o.__proto__ = q;
+
+for (var i = 0; i < 100; ++i)
+ shouldBe("p.f", "42");
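Review bot: The only assertion, shouldBe("p.f", "42") in the final loop, reads a property that lives on q, so nothing checks o's own storage after all of its properties were deleted. Consider adding a property to o after the final loop and reading it back (for example o.g = 1; followed by shouldBe("o.g", "1")). A short comment would also help, saying which statement is expected to trigger the flatten and why the loops use 1000 properties, since the test does not say.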
Modified: tags/Safari-537.31.7/Source/_javascript_Core/ChangeLog (143759 => 143760)
--- tags/Safari-537.31.7/Source/_javascript_Core/ChangeLog 2013-02-22 19:16:03 UTC (rev 143759)
+++ tags/Safari-537.31.7/Source/_javascript_Core/ChangeLog 2013-02-22 19:16:54 UTC (rev 143760)
@@ -1,5 +1,31 @@
2013-02-22 Lucas Forschler <[email protected]>
+ Merge r143269
+
+ 2013-02-18 Filip Pizlo <[email protected]>
+
+ Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
+ https://bugs.webkit.org/show_bug.cgi?id=110155
+ <rdar://problem/13233773>
+
+ Reviewed by Mark Rowe.
+
+ This was a rookie mistake. It was doing:
+
+ for (blah) {
+ m_offset = foo // foo's monotonically increase in the loop
+ }
+
+ as a way of computing max offset for all of the properties. Except what if the loop doesn't
+ execute because there are no properties? Well, then, you're going to have a bogus m_offset.
+
+ The solution is to initialize m_offset at the top of the loop.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+
+2013-02-22 Lucas Forschler <[email protected]>
+
Merge r143097
2013-02-15 Filip Pizlo <[email protected]>
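Review bot: The sentence "The solution is to initialize m_offset at the top of the loop" does not match the change in Structure.cpp, where m_offset = invalidOffset; is placed before the for statement rather than inside its body. An assignment at the top of the loop body would not run for an empty property table, which is the case being fixed, so the entry should read "before the loop". It would also help to say what a bogus m_offset leads to, since the entry stops at calling it bogus.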
Modified: tags/Safari-537.31.7/Source/_javascript_Core/runtime/Structure.cpp (143759 => 143760)
--- tags/Safari-537.31.7/Source/_javascript_Core/runtime/Structure.cpp 2013-02-22 19:16:03 UTC (rev 143759)
+++ tags/Safari-537.31.7/Source/_javascript_Core/runtime/Structure.cpp 2013-02-22 19:16:54 UTC (rev 143760)
@@ -642,6 +642,7 @@
// Copies out our values from their hashed locations, compacting property table offsets as we go.
unsigned i = 0;
PropertyTable::iterator end = m_propertyTable->end();
+ m_offset = invalidOffset;
for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter, ++i) {
values[i] = object->getDirect(iter->offset);
m_offset = iter->offset = offsetForPropertyNumber(i, m_inlineCapacity);
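Review bot: The added m_offset = invalidOffset; carries no comment, and the existing comment above it only mentions compacting offsets, so the reason for the reset (the loop body may run zero times) is easy to lose in a later cleanup. Add a one-line comment, and consider an assertion after the loop that m_offset is invalidOffset exactly when i is 0. The loop still depends on offsetForPropertyNumber(i, m_inlineCapacity) increasing with i to leave the maximum in m_offset, and nothing in the visible lines checks that.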