Title: [158929] trunk
- Revision: 158929
- Author: [email protected]
- Date: 2013-11-08 10:47:26 -0800 (Fri, 08 Nov 2013)
Log Message
Map.forEach crashes on deleted values
https://bugs.webkit.org/show_bug.cgi?id=124017
Reviewed by Ryosuke Niwa.
Source/JavaScriptCore:
MapData iterator did not consider the case of the first entries
being holes. To fix this I've refactored iteration so that we
can perform an initialisation increment on construction, while
retaining the useful assertion in MapData::const_iterator::operator++
* runtime/MapData.h:
(JSC::MapData::const_iterator::operator++):
(JSC::MapData::const_iterator::internalIncrement):
(JSC::MapData::const_iterator::const_iterator):
LayoutTests:
Test case
* js/map-iterate-first-entry-is-a-hole-expected.txt: Added.
* js/map-iterate-first-entry-is-a-hole.html: Added.
* js/script-tests/map-iterate-first-entry-is-a-hole.js: Added.
(set map0):
Diff
Modified: trunk/LayoutTests/ChangeLog (158928 => 158929)
--- trunk/LayoutTests/ChangeLog 2013-11-08 18:30:29 UTC (rev 158928)
+++ trunk/LayoutTests/ChangeLog 2013-11-08 18:47:26 UTC (rev 158929)
@@ -1,3 +1,17 @@
+2013-11-08 Oliver Hunt <[email protected]>
+
+ Map.forEach crashes on deleted values
+ https://bugs.webkit.org/show_bug.cgi?id=124017
+
+ Reviewed by Ryosuke Niwa.
+
+ Test case
+
+ * js/map-iterate-first-entry-is-a-hole-expected.txt: Added.
+ * js/map-iterate-first-entry-is-a-hole.html: Added.
+ * js/script-tests/map-iterate-first-entry-is-a-hole.js: Added.
+ (set map0):
+
2013-10-30 Jer Noble <[email protected]>
[MSE] Bring SourceBuffer.append up to the most recent spec.
Added: trunk/LayoutTests/js/map-iterate-first-entry-is-a-hole-expected.txt (0 => 158929)
--- trunk/LayoutTests/js/map-iterate-first-entry-is-a-hole-expected.txt (rev 0)
+++ trunk/LayoutTests/js/map-iterate-first-entry-is-a-hole-expected.txt 2013-11-08 18:47:26 UTC (rev 158929)
@@ -0,0 +1,9 @@
+Tests to make sure we correctly handle iterating a map when the first entry is a hole
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/map-iterate-first-entry-is-a-hole.html (0 => 158929)
--- trunk/LayoutTests/js/map-iterate-first-entry-is-a-hole.html (rev 0)
+++ trunk/LayoutTests/js/map-iterate-first-entry-is-a-hole.html 2013-11-08 18:47:26 UTC (rev 158929)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/map-iterate-first-entry-is-a-hole.js (0 => 158929)
--- trunk/LayoutTests/js/script-tests/map-iterate-first-entry-is-a-hole.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/map-iterate-first-entry-is-a-hole.js 2013-11-08 18:47:26 UTC (rev 158929)
@@ -0,0 +1,7 @@
+description("Tests to make sure we correctly handle iterating a map when the first entry is a hole");
+var map0= new Map;
+map0.set(125, {});
+map0.delete(125);
+map0.forEach(function(node) {
+ print(node);
+});
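Review bot: The forEach callback in this test is never expected to run, and nothing asserts that, so the test only demonstrates the absence of a crash. Replace print(node) with a call to the harness's testFailed() so that visiting the deleted entry is reported, and add a second map with several deleted leading entries followed by a live one (the ChangeLog speaks of "first entries" in the plural), checking that only the live value is visited.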
Modified: trunk/Source/_javascript_Core/ChangeLog (158928 => 158929)
--- trunk/Source/_javascript_Core/ChangeLog 2013-11-08 18:30:29 UTC (rev 158928)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-11-08 18:47:26 UTC (rev 158929)
@@ -1,3 +1,20 @@
+2013-11-08 Oliver Hunt <[email protected]>
+
+ Map.forEach crashes on deleted values
+ https://bugs.webkit.org/show_bug.cgi?id=124017
+
+ Reviewed by Ryosuke Niwa.
+
+ MapData iterator did not consider the case of the first entries
+ being holes. To fix this I've refactored iteration so that we
+ can perform an initialisation increment on construction, whle
+ retaining the useful assertion in MapData::const_iterator::operator++
+
+ * runtime/MapData.h:
+ (JSC::MapData::const_iterator::operator++):
+ (JSC::MapData::const_iterator::internalIncrement):
+ (JSC::MapData::const_iterator::const_iterator):
+
2013-11-08 Julien Brianceau <[email protected]>
REGRESSION(r158883): Fix crashes for ARM architecture.
Modified: trunk/Source/_javascript_Core/runtime/MapData.h (158928 => 158929)
--- trunk/Source/_javascript_Core/runtime/MapData.h 2013-11-08 18:30:29 UTC (rev 158928)
+++ trunk/Source/_javascript_Core/runtime/MapData.h 2013-11-08 18:47:26 UTC (rev 158929)
@@ -44,7 +44,7 @@
const WTF::KeyValuePair<JSValue, JSValue> operator*() const;
JSValue key() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
JSValue value() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
- void operator++();
+ void operator++() { ASSERT(!atEnd()); internalIncrement(); }
static const_iterator end(const MapData*);
bool operator!=(const const_iterator& other);
bool operator==(const const_iterator& other);
@@ -56,6 +56,7 @@
// We need this in order to keep the common case (eg. iter != end())
// fast.
bool atEnd() const { return static_cast<size_t>(m_index) >= static_cast<size_t>(m_mapData->m_size); }
+ void internalIncrement();
const MapData* m_mapData;
int32_t m_index;
};
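Review bot: internalIncrement() is declared without a comment, although it is the one path that may run while atEnd() is true. With m_index at -1, static_cast<size_t>(m_index) in atEnd() yields the maximum size_t value, so atEnd() returns true and the assertion in operator++ would fire; that is the reason the constructor has to bypass it. Add a comment on the declaration stating that internalIncrement() skips the !atEnd() assertion and accepts m_index == -1 as the pre-start state.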
@@ -166,9 +167,8 @@
value = jsNumber(i);
}
-ALWAYS_INLINE void MapData::const_iterator::operator++()
+ALWAYS_INLINE void MapData::const_iterator::internalIncrement()
{
- ASSERT(!atEnd());
Entry* entries = m_mapData->m_entries;
size_t index = m_index + 1;
size_t end = m_mapData->m_size;
@@ -179,9 +179,9 @@
ALWAYS_INLINE MapData::const_iterator::const_iterator(const MapData* mapData)
: m_mapData(mapData)
- , m_index(0)
+ , m_index(-1)
{
- m_mapData->m_iteratorCount++;
+ internalIncrement();
}
ALWAYS_INLINE MapData::const_iterator::~const_iterator()
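Review bot: The constructor no longer executes m_mapData->m_iteratorCount++, and the ChangeLog entry does not mention that removal. If ~const_iterator() (the function that follows) still decrements the counter, the count becomes unbalanced for every iterator created. Either keep the increment ahead of internalIncrement() or explain in the ChangeLog why it was dropped.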