Diff
Modified: tags/Safari-601.1.1/LayoutTests/ChangeLog (174023 => 174024)
--- tags/Safari-601.1.1/LayoutTests/ChangeLog 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/LayoutTests/ChangeLog 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,3 +1,7 @@
+2014-09-26 Babak Shafiei <[email protected]>
+
+ Roll out r172794. <rdar://problem/18447606>
+
2014-09-22 Gyuyoung Kim <[email protected]>
Unreviewed, EFL gardening. Unskip media test on EFL port. Almost media tests
Modified: tags/Safari-601.1.1/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt (174023 => 174024)
--- tags/Safari-601.1.1/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt 2014-09-26 22:17:52 UTC (rev 174024)
@@ -11,6 +11,7 @@
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)
Modified: tags/Safari-601.1.1/Source/_javascript_Core/ChangeLog (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/ChangeLog 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/ChangeLog 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,3 +1,7 @@
+2014-09-26 Babak Shafiei <[email protected]>
+
+ Roll out r172794. <rdar://problem/18447606>
+
2014-09-22 Filip Pizlo <[email protected]>
FTL allocatePropertyStorage code should involve less copy-paste
Modified: tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1422,6 +1422,9 @@
{
for (size_t i = m_forInContextStack.size(); i > 0; i--) {
ForInContext* context = m_forInContextStack[i - 1].get();
+ if (context->base() != base)
+ continue;
+
if (context->local() != property)
continue;
@@ -2583,11 +2586,11 @@
return dst;
}
-void BytecodeGenerator::pushIndexedForInScope(RegisterID* localRegister, RegisterID* indexRegister)
+void BytecodeGenerator::pushIndexedForInScope(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister)
{
if (!localRegister)
return;
- m_forInContextStack.append(std::make_unique<IndexedForInContext>(localRegister, indexRegister));
+ m_forInContextStack.append(std::make_unique<IndexedForInContext>(baseRegister, localRegister, indexRegister));
}
void BytecodeGenerator::popIndexedForInScope(RegisterID* localRegister)
@@ -2597,11 +2600,11 @@
m_forInContextStack.removeLast();
}
-void BytecodeGenerator::pushStructureForInScope(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+void BytecodeGenerator::pushStructureForInScope(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
{
if (!localRegister)
return;
- m_forInContextStack.append(std::make_unique<StructureForInContext>(localRegister, indexRegister, propertyRegister, enumeratorRegister));
+ m_forInContextStack.append(std::make_unique<StructureForInContext>(baseRegister, localRegister, indexRegister, propertyRegister, enumeratorRegister));
}
void BytecodeGenerator::popStructureForInScope(RegisterID* localRegister)
Modified: tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h 2014-09-26 22:17:52 UTC (rev 174024)
@@ -99,8 +99,9 @@
class ForInContext {
public:
- ForInContext(RegisterID* localRegister)
- : m_localRegister(localRegister)
+ ForInContext(RegisterID* baseRegister, RegisterID* localRegister)
+ : m_baseRegister(baseRegister)
+ , m_localRegister(localRegister)
, m_isValid(true)
{
}
@@ -118,17 +119,19 @@
};
virtual ForInContextType type() const = 0;
+ RegisterID* base() const { return m_baseRegister.get(); }
RegisterID* local() const { return m_localRegister.get(); }
private:
+ RefPtr<RegisterID> m_baseRegister;
RefPtr<RegisterID> m_localRegister;
bool m_isValid;
};
class StructureForInContext : public ForInContext {
public:
- StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
- : ForInContext(localRegister)
+ StructureForInContext(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+ : ForInContext(baseRegister, localRegister)
, m_indexRegister(indexRegister)
, m_propertyRegister(propertyRegister)
, m_enumeratorRegister(enumeratorRegister)
@@ -152,8 +155,8 @@
class IndexedForInContext : public ForInContext {
public:
- IndexedForInContext(RegisterID* localRegister, RegisterID* indexRegister)
- : ForInContext(localRegister)
+ IndexedForInContext(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister)
+ : ForInContext(baseRegister, localRegister)
, m_indexRegister(indexRegister)
{
}
@@ -524,9 +527,9 @@
void pushFinallyContext(StatementNode* finallyBlock);
void popFinallyContext();
- void pushIndexedForInScope(RegisterID* local, RegisterID* index);
+ void pushIndexedForInScope(RegisterID* base, RegisterID* local, RegisterID* index);
void popIndexedForInScope(RegisterID* local);
- void pushStructureForInScope(RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
+ void pushStructureForInScope(RegisterID* base, RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
void popStructureForInScope(RegisterID* local);
void invalidateForInContextForLocal(RegisterID* local);
Modified: tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2014-09-26 22:17:52 UTC (rev 174024)
@@ -2070,7 +2070,7 @@
generator.emitToIndexString(propertyName.get(), i.get());
this->emitLoopHeader(generator, propertyName.get());
- generator.pushIndexedForInScope(local.get(), i.get());
+ generator.pushIndexedForInScope(base.get(), local.get(), i.get());
generator.emitNode(dst, m_statement);
generator.popIndexedForInScope(local.get());
@@ -2104,7 +2104,7 @@
this->emitLoopHeader(generator, propertyName.get());
- generator.pushStructureForInScope(local.get(), i.get(), propertyName.get(), structureEnumerator.get());
+ generator.pushStructureForInScope(base.get(), local.get(), i.get(), propertyName.get(), structureEnumerator.get());
generator.emitNode(dst, m_statement);
generator.popStructureForInScope(local.get());
Modified: tags/Safari-601.1.1/Source/_javascript_Core/runtime/JSProxy.cpp (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/runtime/JSProxy.cpp 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/runtime/JSProxy.cpp 2014-09-26 22:17:52 UTC (rev 174024)
@@ -120,17 +120,16 @@
return thisObject->target()->methodTable(exec->vm())->getEnumerableLength(exec, thisObject->target());
}
-void JSProxy::getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode)
+void JSProxy::getStructurePropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
- // Skip the structure loop, since it is invalid for proxies.
+ JSProxy* thisObject = jsCast<JSProxy*>(object);
+ thisObject->target()->methodTable(exec->vm())->getStructurePropertyNames(thisObject->target(), exec, propertyNames, mode);
}
void JSProxy::getGenericPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
JSProxy* thisObject = jsCast<JSProxy*>(object);
- // Get *all* of the property names, not just the generic ones, since we skipped the structure
- // ones above.
- thisObject->target()->methodTable(exec->vm())->getPropertyNames(thisObject->target(), exec, propertyNames, mode);
+ thisObject->target()->methodTable(exec->vm())->getGenericPropertyNames(thisObject->target(), exec, propertyNames, mode);
}
void JSProxy::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
Deleted: tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned-later-and-change-structure.js (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned-later-and-change-structure.js 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned-later-and-change-structure.js 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,18 +0,0 @@
-function foo(o_) {
- var o = o_;
- var result = 0;
- for (var s in o) {
- result += o[s];
- if (result >= 3)
- o = {0:1, 1:2, b:4, a:3};
- }
- return result;
-}
-
-noInline(foo);
-
-for (var i = 0; i < 10000; ++i) {
- var result = foo({0:0, 1:1, a:2, b:3});
- if (result != 7)
- throw "Error: bad result: " + result;
-}
Deleted: tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned-later.js (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned-later.js 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned-later.js 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,18 +0,0 @@
-function foo(o_) {
- var o = o_;
- var result = 0;
- for (var s in o) {
- result += o[s];
- if (result >= 3)
- o = {0:1, 1:2, a:3, b:4};
- }
- return result;
-}
-
-noInline(foo);
-
-for (var i = 0; i < 10000; ++i) {
- var result = foo({0:0, 1:1, a:2, b:3});
- if (result != 7)
- throw "Error: bad result: " + result;
-}
Deleted: tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned.js (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned.js 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-base-reassigned.js 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,17 +0,0 @@
-function foo(o_) {
- var o = o_;
- var result = 0;
- for (var s in o) {
- result += o[s];
- o = {0:1, 1:2, a:3, b:4};
- }
- return result;
-}
-
-noInline(foo);
-
-for (var i = 0; i < 10000; ++i) {
- var result = foo({0:0, 1:1, a:2, b:3});
- if (result != 9)
- throw "Error: bad result: " + result;
-}
Deleted: tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-proxy-target-changed-structure.js (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-proxy-target-changed-structure.js 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-proxy-target-changed-structure.js 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,32 +0,0 @@
-var theO;
-
-function deleteAll() {
- delete theO.a;
- delete theO.b;
- delete theO.c;
- delete theO.d;
- for (var i = 0; i < 10; ++i)
- theO["i" + i] = 42;
- theO.a = 11;
- theO.b = 12;
- theO.c = 13;
- theO.d = 14;
-}
-
-function foo(o_) {
- var o = o_;
- var result = 0;
- for (var s in o) {
- result += o[s];
- deleteAll();
- }
- return result;
-}
-
-noInline(foo);
-
-for (var i = 0; i < 10000; ++i) {
- var result = foo(createProxy(theO = {a:1, b:2, c:3, d:4}));
- if (result != 1 + 12 + 13 + 14)
- throw "Error: bad result: " + result;
-}
Deleted: tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-proxy.js (174023 => 174024)
--- tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-proxy.js 2014-09-26 22:05:26 UTC (rev 174023)
+++ tags/Safari-601.1.1/Source/_javascript_Core/tests/stress/for-in-proxy.js 2014-09-26 22:17:52 UTC (rev 174024)
@@ -1,16 +0,0 @@
-function foo(o_) {
- var o = o_;
- var result = 0;
- for (var s in o) {
- result += o[s];
- }
- return result;
-}
-
-noInline(foo);
-
-for (var i = 0; i < 10000; ++i) {
- var result = foo(createProxy({a:1, b:2, c:3, d:4}));
- if (result != 1 + 2 + 3 + 4)
- throw "Error: bad result: " + result;
-}
