Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (242006 => 242007)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2019-02-24 01:07:02 UTC (rev 242006)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2019-02-24 01:07:11 UTC (rev 242007)
@@ -1,3 +1,16 @@
+2019-02-15 Mark Lam <mark....@apple.com>
+
+ SamplingProfiler::stackTracesAsJSON() should escape strings.
+ https://bugs.webkit.org/show_bug.cgi?id=194649
+ <rdar://problem/48072386>
+
+ Reviewed by Saam Barati.
+
+ * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
+ * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
+ * stress/type-profiler-with-double-quote-in-field-name.js: Added.
+ * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
+
2019-02-15 Robin Morisset <rmoris...@apple.com>
CodeBlock::jettison should clear related watchpoints
https://bugs.webkit.org/show_bug.cgi?id=194544
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js (0 => 242007)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js 2019-02-24 01:07:11 UTC (rev 242007)
@@ -0,0 +1,20 @@
+//@ runDefault("--useConcurrentJIT=false")
+
+function foo() {
+ let obj = {};
+ for (let i = 0; i < 10; ++i)
+ obj[i + 'p'] = i;
+}
+noInline(foo);
+
+function test() {
+ for (let i = 0; i < 1000; ++i) {
+ foo();
+ let stacktraces = samplingProfilerStackTraces();
+ for (let stackTrace of stacktraces) { }
+ }
+}
+
+startSamplingProfiler();
+foo.displayName = '"';
+test();
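Review bot: The test drives only the `"` case through `foo.displayName` and never looks at the stack traces it collects, so the empty `for (let stackTrace of stacktraces) { }` loop inside `test()` would also pass if the frame name were dropped or mangled while still producing parseable output. Asserting that a frame named `"` was actually observed (set a `let sawQuote = false;` before `test()`, flip it in the loop when a frame's name equals `'"'`, and `throw` after `test()` if it is still false) would pin the round trip; I am hedging on the exact frame shape since what `samplingProfilerStackTraces()` returns is not visible here. A second display name containing a backslash and a newline would cover the other characters a JSON string must escape. The same gap applies to the three type-profiler tests in this commit, where the `JSON.stringify(types)` result is simply discarded.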
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-constructor-name.js (0 => 242007)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-constructor-name.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-constructor-name.js 2019-02-24 01:07:11 UTC (rev 242007)
@@ -0,0 +1,17 @@
+//@ runDefault("--useTypeProfiler=true")
+
+var findTypeForExpression = $vm.findTypeForExpression;
+
+function wrapper(x) {
+ class Base {
+ constructor() { }
+ };
+
+ var baseInstance = new Base;
+ Base.displayName = '"';
+}
+wrapper();
+
+var types = findTypeForExpression(wrapper, "baseInstance = new Base");
+JSON.stringify(types)
+
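Review bot: `Base.displayName = '"'` is assigned only after `new Base` has already executed, so the test depends on the type profiler resolving the constructor's display name lazily, when `findTypeForExpression` serialises the type set, rather than capturing it at instantiation; that timing is not visible in this diff, so if it is the intent a comment above the assignment such as `// Set after instantiation: the constructor name is resolved when the type set is serialised.` would record it. The unused parameter `x` in `wrapper(x)` here and in type-profiler-with-double-quote-in-field-name.js, and the missing semicolon on the final `JSON.stringify(types)` in both files (the optional-field-name test has one), are small consistency nits.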
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-field-name.js (0 => 242007)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-field-name.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-field-name.js 2019-02-24 01:07:11 UTC (rev 242007)
@@ -0,0 +1,17 @@
+//@ runDefault("--useTypeProfiler=true")
+
+var findTypeForExpression = $vm.findTypeForExpression;
+
+function wrapper(x) {
+ class Base {
+ constructor() {
+ this['"'] = true;
+ }
+ };
+
+ var baseInstance = new Base;
+}
+wrapper();
+
+var types = findTypeForExpression(wrapper, "baseInstance = new Base");
+JSON.stringify(types)
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-optional-field-name.js (0 => 242007)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-optional-field-name.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/type-profiler-with-double-quote-in-optional-field-name.js 2019-02-24 01:07:11 UTC (rev 242007)
@@ -0,0 +1,23 @@
+//@ runDefault("--useTypeProfiler=true")
+
+var findTypeForExpression = $vm.findTypeForExpression;
+
+function wrapper() {
+ var x;
+ var Proto = function() {};
+ var oldProto;
+ for (var i = 0; i < 100; i++) {
+ // Make sure we get a new prototype chain on each assignment to x because objects with shared prototype chains will be merged.
+ x = new Proto;
+ x['"' + i + '"'] = 20;
+ x = x
+ oldProto = Proto;
+ Proto = function() {};
+ Proto.prototype.__proto__ = oldProto.prototype;
+ }
+ x = {};
+}
+wrapper();
+
+var types = findTypeForExpression(wrapper, "x;");
+JSON.stringify(types);
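Review bot: `x = x` inside the loop in `wrapper()` has no terminating semicolon; automatic semicolon insertion rescues it only because the next line starts with an identifier, so `x = x;` is the safer spelling. The self-assignment looks deliberate (presumably it exists so the profiler records a use of `x` that `findTypeForExpression(wrapper, "x;")` can locate, though that is inferred), so a short comment such as `// Self-assignment records an observation of x for findTypeForExpression.` would stop a later cleanup from deleting it.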
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (242006 => 242007)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2019-02-24 01:07:02 UTC (rev 242006)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2019-02-24 01:07:11 UTC (rev 242007)
@@ -1,3 +1,19 @@
+2019-02-15 Mark Lam <mark....@apple.com>
+
+ SamplingProfiler::stackTracesAsJSON() should escape strings.
+ https://bugs.webkit.org/show_bug.cgi?id=194649
+ <rdar://problem/48072386>
+
+ Reviewed by Saam Barati.
+
+ Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().
+
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::stackTracesAsJSON):
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::toJSONString const):
+ (JSC::StructureShape::toJSONString const):
+
2019-02-15 Robin Morisset <rmoris...@apple.com>
CodeBlock::jettison should clear related watchpoints
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/SamplingProfiler.cpp (242006 => 242007)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/SamplingProfiler.cpp 2019-02-24 01:07:02 UTC (rev 242006)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/SamplingProfiler.cpp 2019-02-24 01:07:11 UTC (rev 242007)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -895,9 +895,7 @@
loopedOnce = false;
for (StackFrame& stackFrame : stackTrace.frames) {
comma();
- json.append('"');
- json.append(stackFrame.displayNameForJSONTests(m_vm));
- json.append('"');
+ json.appendQuotedJSONString(stackFrame.displayNameForJSONTests(m_vm));
loopedOnce = true;
}
json.append(']');
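Review bot: The new `json.appendQuotedJSONString(stackFrame.displayNameForJSONTests(m_vm))` call fixes the quoting, but nothing in the hunk records why the previous `append('"')` sequence was wrong, and the enclosing function (`stackTracesAsJSON`, per the ChangeLog) starts and ends outside the hunk, so any other string value it serialises cannot be checked from this diff and should be audited the same way. A comment above the call, `// Display names come from script (e.g. Function.displayName) and must be JSON-escaped.`, would keep a later refactor from reverting to raw quoting. The accompanying test only exercises a double quote; a name containing a backslash or a newline would exercise the remaining escaping that appendQuotedJSONString performs.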
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/TypeSet.cpp (242006 => 242007)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/TypeSet.cpp 2019-02-24 01:07:02 UTC (rev 242006)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/TypeSet.cpp 2019-02-24 01:07:11 UTC (rev 242007)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014, 2015 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2014-2019 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -253,9 +253,7 @@
json.append('{');
json.appendLiteral("\"displayTypeName\":");
- json.append('"');
- json.append(displayName());
- json.append('"');
+ json.appendQuotedJSONString(displayName());
json.append(',');
json.appendLiteral("\"primitiveTypeNames\":");
@@ -442,9 +440,7 @@
json.append('{');
json.appendLiteral("\"constructorName\":");
- json.append('"');
- json.append(m_constructorName);
- json.append('"');
+ json.appendQuotedJSONString(m_constructorName);
json.append(',');
json.appendLiteral("\"isInDictionaryMode\":");
@@ -463,9 +459,7 @@
hasAnItem = true;
String fieldName((*it).get());
- json.append('"');
- json.append(fieldName);
- json.append('"');
+ json.appendQuotedJSONString(fieldName);
}
json.append(']');
json.append(',');
@@ -479,9 +473,7 @@
hasAnItem = true;
String fieldName((*it).get());
- json.append('"');
- json.append(fieldName);
- json.append('"');
+ json.appendQuotedJSONString(fieldName);
}
json.append(']');
json.append(',');
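Review bot: The four replacement sites in this file (the hunks at `@@ -253`, `@@ -442`, `@@ -463` and `@@ -479`) now escape `displayName()`, `m_constructorName` and each `fieldName`, all of which originate from script-chosen identifiers, but none of them says so; a single comment at the first site, `// Names originate from script and may contain quotes, backslashes or control characters; always JSON-escape them.`, would document the invariant. Each hunk cuts into the middle of a `toJSONString` body (TypeSet and StructureShape), so strings appended outside the visible lines cannot be confirmed as escaped from this diff. That the same three-line `append('"')` / `append(value)` / `append('"')` pattern had to be fixed in four places suggests the builders would benefit from a small helper that appends a quoted key/value pair, though that is beyond this fix.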