Title: [154705] branches/safari-537-branch

Diff

Modified: branches/safari-537-branch/LayoutTests/ChangeLog (154704 => 154705)


--- branches/safari-537-branch/LayoutTests/ChangeLog	2013-08-27 19:41:14 UTC (rev 154704)
+++ branches/safari-537-branch/LayoutTests/ChangeLog	2013-08-27 20:28:24 UTC (rev 154705)
@@ -1,3 +1,18 @@
+2013-08-27  Lucas Forschler  <[email protected]>
+
+        Merge r154633
+
+    2013-08-26  Mark Hahnenberg  <[email protected]>
+
+            JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
+            https://bugs.webkit.org/show_bug.cgi?id=120278
+
+            Reviewed by Geoffrey Garen.
+
+            * fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
+            * fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
+            * fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.
+
 2013-08-26  Lucas Forschler  <[email protected]>
 
         Merge r154529

Copied: branches/safari-537-branch/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt (from rev 154633, trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt) (0 => 154705)


--- branches/safari-537-branch/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt	                        (rev 0)
+++ branches/safari-537-branch/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt	2013-08-27 20:28:24 UTC (rev 154705)
@@ -0,0 +1,10 @@
+Make sure we don't crash when doing a put-direct-index beyond the vector length of a normal JSObject.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS o[0] is "foo"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: branches/safari-537-branch/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html (from rev 154633, trunk/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html) (0 => 154705)


--- branches/safari-537-branch/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html	                        (rev 0)
+++ branches/safari-537-branch/LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html	2013-08-27 20:28:24 UTC (rev 154705)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Copied: branches/safari-537-branch/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js (from rev 154633, trunk/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js) (0 => 154705)


--- branches/safari-537-branch/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js	                        (rev 0)
+++ branches/safari-537-branch/LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js	2013-08-27 20:28:24 UTC (rev 154705)
@@ -0,0 +1,8 @@
+description(
+"Make sure we don't crash when doing a put-direct-index beyond the vector length of a normal JSObject."
+);
+
+var o = {};
+for (var i = 0; i < 100005; i += 3)
+    Object.defineProperty(o, i, {enumerable:true, writable:true, configurable:true, value:"foo"});
+shouldBe("o[0]", "\"foo\""); 
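Review bot: The only value assertion is on `o[0]`, which is written by the first defineProperty call before any vector growth has happened, so a reallocation that dropped or corrupted later entries would still pass as long as it did not crash. Checking the last index written, `shouldBe("o[100002]", "\"foo\"");`, and the entry count, `shouldBe("Object.keys(o).length", "33335");`, would pin the post-resize contents as well as the absence of a crash. The loop writes indices 0, 3, …, 100002 (i < 100005, step 3), which is 33335 entries.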

Modified: branches/safari-537-branch/Source/_javascript_Core/ChangeLog (154704 => 154705)


--- branches/safari-537-branch/Source/_javascript_Core/ChangeLog	2013-08-27 19:41:14 UTC (rev 154704)
+++ branches/safari-537-branch/Source/_javascript_Core/ChangeLog	2013-08-27 20:28:24 UTC (rev 154705)
@@ -1,3 +1,17 @@
+2013-08-27  Lucas Forschler  <[email protected]>
+
+        Merge r154633
+
+    2013-08-25  Mark Hahnenberg  <[email protected]>
+
+            JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
+            https://bugs.webkit.org/show_bug.cgi?id=120278
+
+            Reviewed by Geoffrey Garen.
+
+            * runtime/JSObject.cpp:
+            (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+
 2013-08-08  Lucas Forschler  <[email protected]>
 
         Merge r153819

Modified: branches/safari-537-branch/Source/_javascript_Core/runtime/JSObject.cpp (154704 => 154705)


--- branches/safari-537-branch/Source/_javascript_Core/runtime/JSObject.cpp	2013-08-27 19:41:14 UTC (rev 154704)
+++ branches/safari-537-branch/Source/_javascript_Core/runtime/JSObject.cpp	2013-08-27 20:28:24 UTC (rev 154705)
@@ -2078,8 +2078,8 @@
         if (LIKELY(
                 !attributes
                 && (isDenseEnoughForVector(i, storage->m_numValuesInVector))
-                && increaseVectorLength(vm, i + 1)
-                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))) {
+                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))
+                && increaseVectorLength(vm, i + 1)) {
             // success! - reread m_storage since it has likely been reallocated, and store to the vector.
             storage = arrayStorage();
             storage->m_vector[i].set(vm, this, value);
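Review bot: The new operand order is load-bearing but nothing in the condition says so: `storage` is dereferenced by `isDenseEnoughForVector` and `indexIsSufficientlyBeyondLengthForSparseMap`, and per the comment on the success path it is stale once `increaseVectorLength` has reallocated, so a future reshuffle of the `&&` operands would silently reintroduce the stale read this commit removes. I would add above the `if`: `// Every read through 'storage' must precede increaseVectorLength(): it may reallocate the ArrayStorage and leave 'storage' dangling until it is reread below.` It is also worth noting in a comment that the sparse-map decision is now taken against the pre-growth vectorLength(), since that is presumably a deliberate choice and not just an ordering fix. The enclosing function starts and ends outside the hunk.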