Title: [182058] trunk
Revision
182058
Author
msab...@apple.com
Date
2015-03-27 07:28:34 -0700 (Fri, 27 Mar 2015)

Log Message

Objects with numeric properties intermittently get a phantom 'length' property
https://bugs.webkit.org/show_bug.cgi?id=142792

Reviewed by Csaba Osztrogonác.

Source/_javascript_Core:

Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
test and branch instructions.  This function is used for linking tbz/tbnz branches between
two separately JIT'ed sections of code.  Sometimes we'd create a bogus tbz instruction in
the failure case checks in the GetById array length stub created for "obj.length" access.
If the failure case code address was at a negative offset from the stub, we'd look for bit 1
being set when we should have been looking for bit 0.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

LayoutTests:

New regression test.

* js/regress-142792-expected.txt: Added.
* js/regress-142792.html: Added.
* js/script-tests/regress-142792.js: Added.
(isArrayLike):
(filter):

Diff

Modified: trunk/LayoutTests/ChangeLog (182057 => 182058)


--- trunk/LayoutTests/ChangeLog	2015-03-27 11:08:49 UTC (rev 182057)
+++ trunk/LayoutTests/ChangeLog	2015-03-27 14:28:34 UTC (rev 182058)
@@ -1,3 +1,18 @@
+2015-03-27  Michael Saboff  <msab...@apple.com>
+
+        Objects with numeric properties intermittently get a phantom 'length' property
+        https://bugs.webkit.org/show_bug.cgi?id=142792
+
+        Reviewed by Csaba Osztrogonác.
+
+        New regression test.
+
+        * js/regress-142792-expected.txt: Added.
+        * js/regress-142792.html: Added.
+        * js/script-tests/regress-142792.js: Added.
+        (isArrayLike):
+        (filter):
+
 2015-03-26  Zalan Bujtas  <za...@apple.com>
 
         Inline continuation code should not take anonymous containing wrapper granted.

Added: trunk/LayoutTests/js/regress-142792-expected.txt (0 => 182058)


--- trunk/LayoutTests/js/regress-142792-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/regress-142792-expected.txt	2015-03-27 14:28:34 UTC (rev 182058)
@@ -0,0 +1,10 @@
+Verify that objects with numeric named properties don't set length like an array.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Correct number of iterated keys: 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/regress-142792.html (0 => 182058)


--- trunk/LayoutTests/js/regress-142792.html	                        (rev 0)
+++ trunk/LayoutTests/js/regress-142792.html	2015-03-27 14:28:34 UTC (rev 182058)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
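Review bot: the three `<script src=""` lines in this file have empty `src` values and no closing `></script>` as shown, so the hunk does not reveal which harness script and which script-test the page loads; if that is how the file was committed the test cannot run at all (the expected output depends on `successfullyParsed` being set by a loaded script), so please confirm the committed file carries the real paths and closed tags.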

Added: trunk/LayoutTests/js/script-tests/regress-142792.js (0 => 182058)


--- trunk/LayoutTests/js/script-tests/regress-142792.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-142792.js	2015-03-27 14:28:34 UTC (rev 182058)
@@ -0,0 +1,52 @@
+description("Verify that objects with numeric named properties don't set length like an array.");
+
+var numOfIterations = 10000;
+var count = 0;
+var obj = {
+    1: 'foo',
+    8: 'bar',
+    50: 'baz'
+};
+
+var expectedCount = Object.keys(obj).length;
+
+function isArrayLike(collection) {
+    var length = collection && collection.length;
+
+    return typeof length == 'number';
+}
+
+function filter(obj, callback, context) {
+    var results = [];
+    var i, length;
+
+    if (isArrayLike(obj)) {
+        for (i = 0, length = obj.length; i < length; i++) {
+            var value = obj[i];
+            if (callback(value))
+                results.push(value);
+        }
+    } else {
+        for (var key in obj) {
+            var value = obj[key];
+            if (callback(value))
+                results.push(value);
+        }
+    }
+
+    return results;
+}
+
+for (var i = 0; i < numOfIterations; i++) {
+    filter([], function() { return true; });
+}
+
+filter(obj, function() { 
+    count++;
+    return true;
+});
+
+if (count !== expectedCount)
+    testFailed("Incorrect number of iterated keys: " + count + ", expected: " + expectedCount);
+else
+    testPassed("Correct number of iterated keys: " + count);
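Review bot: the test proves the fix only indirectly. Its pass condition is the `for...in` key count at the end (`count !== expectedCount`), which depends on `isArrayLike(obj)` returning false after the 10000 warm-up calls of `filter([], ...)`; nothing checks `obj.length` or `isArrayLike(obj)` directly, so a failure would report a wrong count without saying whether the phantom `length` reappeared. Consider recording `isArrayLike(obj)` (or `typeof obj.length`) after the warm-up loop and reporting it with the same `testFailed`/`testPassed` pair, so a regression is attributed to the length read rather than to iteration. Minor: the `filter` parameter `obj` shadows the global `obj`, and `function() { ` at the start of the final call carries trailing whitespace.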

Modified: trunk/Source/_javascript_Core/ChangeLog (182057 => 182058)


--- trunk/Source/_javascript_Core/ChangeLog	2015-03-27 11:08:49 UTC (rev 182057)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-03-27 14:28:34 UTC (rev 182058)
@@ -1,3 +1,20 @@
+2015-03-27  Michael Saboff  <msab...@apple.com>
+
+        Objects with numeric properties intermittently get a phantom 'length' property
+        https://bugs.webkit.org/show_bug.cgi?id=142792
+
+        Reviewed by Csaba Osztrogonác.
+
+        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
+        test and branch instructions.  This function is used for linking tbz/tbnz branches between
+        two seperately JIT'ed sections of code.  Sometime we'd create a bogus tbz instruction in
+        the failure case checks in the GetById array length stub created for "obj.length" access.
+        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
+        being set when we should have been looking for bit 0.
+
+        * assembler/ARM64Assembler.h:
+        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
+
 2015-03-27  Yusuke Suzuki  <utatane....@gmail.com>
 
         Insert exception check around toPropertyKey call
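Review bot: spelling in the new entry: `seperately` should be `separately` and `Sometime we'd create` should be `Sometimes we'd create`; the same text appears in the commit log. Otherwise the description matches the one-character change in ARM64Assembler.h.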

Modified: trunk/Source/_javascript_Core/assembler/ARM64Assembler.h (182057 => 182058)


--- trunk/Source/_javascript_Core/assembler/ARM64Assembler.h	2015-03-27 11:08:49 UTC (rev 182057)
+++ trunk/Source/_javascript_Core/assembler/ARM64Assembler.h	2015-03-27 14:28:34 UTC (rev 182058)
@@ -3237,7 +3237,7 @@
         int insn = *static_cast<int*>(address);
         op = (insn >> 24) & 0x1;
         imm14 = (insn << 13) >> 18;
-        bitNumber = static_cast<unsigned>((((insn >> 26) & 0x20)) | ((insn > 19) & 0x1f));
+        bitNumber = static_cast<unsigned>((((insn >> 26) & 0x20)) | ((insn >> 19) & 0x1f));
         rt = static_cast<RegisterID>(insn & 0x1f);
         return (insn & 0x7e000000) == 0x36000000;
         
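Review bot: the `bitNumber` change is correct, and the `>` for `>>` slip went unnoticed because `(insn > 19) & 0x1f` is well-typed (the bool promotes to int), so bits 23:19 (b40) were never read and the low five bits of `bitNumber` were just the comparison result, 0 or 1. Two follow-ups: a round-trip unit test that encodes tbz/tbnz for bit numbers such as 0, 1, 31, 32 and 63 at positive and negative offsets and checks `disassembleTestAndBranchImmediate` returns the same fields would have caught this directly, whereas the LayoutTests regression test only observes it through JIT behaviour; and the unchanged `imm14 = (insn << 13) >> 18` left-shifts a signed `int` (bit 18 of a negative imm14 lands in the sign bit), which is undefined behaviour before C++20 and then relies on an arithmetic right shift, so consider extracting the fields from an unsigned word and sign-extending imm14 explicitly.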
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes