Title: [129691] trunk
Revision
129691
Author
[email protected]
Date
2012-09-26 13:08:06 -0700 (Wed, 26 Sep 2012)

Log Message

JSObject::ensureArrayStorage() ignores the possibility that extensions have been prevented
https://bugs.webkit.org/show_bug.cgi?id=97719

Reviewed by Gavin Barraclough.

Source/_javascript_Core: 

* runtime/JSObject.cpp:
(JSC::JSObject::ensureArrayStorageSlow):
(JSC):
* runtime/JSObject.h:
(JSC::JSObject::ensureArrayStorage):
(JSObject):

LayoutTests: 

* fast/js/dfg-arrayify-when-late-prevent-extensions-expected.txt: Added.
* fast/js/dfg-arrayify-when-late-prevent-extensions.html: Added.
* fast/js/dfg-arrayify-when-prevent-extensions-expected.txt: Added.
* fast/js/dfg-arrayify-when-prevent-extensions.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-arrayify-when-late-prevent-extensions.js: Added.
(foo):
* fast/js/script-tests/dfg-arrayify-when-prevent-extensions.js: Added.
(foo):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (129690 => 129691)


--- trunk/LayoutTests/ChangeLog	2012-09-26 20:06:01 UTC (rev 129690)
+++ trunk/LayoutTests/ChangeLog	2012-09-26 20:08:06 UTC (rev 129691)
@@ -1,3 +1,20 @@
+2012-09-26  Filip Pizlo  <[email protected]>
+
+        JSObject::ensureArrayStorage() ignores the possibility that extensions have been prevented
+        https://bugs.webkit.org/show_bug.cgi?id=97719
+
+        Reviewed by Gavin Barraclough.
+
+        * fast/js/dfg-arrayify-when-late-prevent-extensions-expected.txt: Added.
+        * fast/js/dfg-arrayify-when-late-prevent-extensions.html: Added.
+        * fast/js/dfg-arrayify-when-prevent-extensions-expected.txt: Added.
+        * fast/js/dfg-arrayify-when-prevent-extensions.html: Added.
+        * fast/js/jsc-test-list:
+        * fast/js/script-tests/dfg-arrayify-when-late-prevent-extensions.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-arrayify-when-prevent-extensions.js: Added.
+        (foo):
+
 2012-09-26  Christophe Dumez  <[email protected]>
 
         [EFL] Volume button should not be shown for videos without audio

Added: trunk/LayoutTests/fast/js/dfg-arrayify-when-late-prevent-extensions-expected.txt (0 => 129691)


--- trunk/LayoutTests/fast/js/dfg-arrayify-when-late-prevent-extensions-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-arrayify-when-late-prevent-extensions-expected.txt	2012-09-26 20:08:06 UTC (rev 129691)
@@ -0,0 +1,209 @@
+Tests that Arraify does good things when Object.preventExtensions() has been called.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is 42
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/dfg-arrayify-when-late-prevent-extensions.html (0 => 129691)


--- trunk/LayoutTests/fast/js/dfg-arrayify-when-late-prevent-extensions.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-arrayify-when-late-prevent-extensions.html	2012-09-26 20:08:06 UTC (rev 129691)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/fast/js/dfg-arrayify-when-prevent-extensions-expected.txt (0 => 129691)


--- trunk/LayoutTests/fast/js/dfg-arrayify-when-prevent-extensions-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-arrayify-when-prevent-extensions-expected.txt	2012-09-26 20:08:06 UTC (rev 129691)
@@ -0,0 +1,209 @@
+Tests that Arraify does good things when Object.preventExtensions() has been called.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS foo(o) is void 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/dfg-arrayify-when-prevent-extensions.html (0 => 129691)


--- trunk/LayoutTests/fast/js/dfg-arrayify-when-prevent-extensions.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-arrayify-when-prevent-extensions.html	2012-09-26 20:08:06 UTC (rev 129691)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Modified: trunk/LayoutTests/fast/js/jsc-test-list (129690 => 129691)


--- trunk/LayoutTests/fast/js/jsc-test-list	2012-09-26 20:06:01 UTC (rev 129690)
+++ trunk/LayoutTests/fast/js/jsc-test-list	2012-09-26 20:08:06 UTC (rev 129691)
@@ -79,6 +79,8 @@
 fast/js/dfg-arguments-osr-exit
 fast/js/dfg-arguments-out-of-bounds
 fast/js/dfg-arguments-unexpected-escape
+fast/js/dfg-arrayify-when-late-prevent-extensions
+fast/js/dfg-arrayify-when-prevent-extensions
 fast/js/dfg-array-length-dead
 fast/js/dfg-array-pop-side-effects
 fast/js/dfg-array-push-bad-time

Added: trunk/LayoutTests/fast/js/script-tests/dfg-arrayify-when-late-prevent-extensions.js (0 => 129691)


--- trunk/LayoutTests/fast/js/script-tests/dfg-arrayify-when-late-prevent-extensions.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-arrayify-when-late-prevent-extensions.js	2012-09-26 20:08:06 UTC (rev 129691)
@@ -0,0 +1,19 @@
+description(
+"Tests that Arraify does good things when Object.preventExtensions() has been called."
+);
+
+function foo(o) {
+    o[0] = 42;
+    return o[0];
+}
+
+for (var i = 0; i < 200; ++i) {
+    var o = {};
+    var expected;
+    if (i >= 150) {
+        Object.preventExtensions(o);
+        expected = "void 0";
+    } else
+        expected = "42";
+    shouldBe("foo(o)", expected);
+}
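Review bot: The loop bounds `200` and `150` carry the whole meaning of this test but are unexplained. Presumably the first 150 calls exist to get `foo` compiled by the DFG with an Arrayify on `o`, so that the non-extensible objects arrive only after optimization. If the tier-up threshold ever rises above that count, the test would keep passing without exercising the compiled path. A comment above the loop would record this, for example `// Warm up foo() on extensible objects so the DFG compiles the indexed store, then feed it non-extensible ones.` Separately, the description string says "Arraify" where "Arrayify" is meant; the same typo is in dfg-arrayify-when-prevent-extensions.js and both -expected.txt files, so a fix has to touch all four together.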

Added: trunk/LayoutTests/fast/js/script-tests/dfg-arrayify-when-prevent-extensions.js (0 => 129691)


--- trunk/LayoutTests/fast/js/script-tests/dfg-arrayify-when-prevent-extensions.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-arrayify-when-prevent-extensions.js	2012-09-26 20:08:06 UTC (rev 129691)
@@ -0,0 +1,14 @@
+description(
+"Tests that Arraify does good things when Object.preventExtensions() has been called."
+);
+
+function foo(o) {
+    o[0] = 42;
+    return o[0];
+}
+
+for (var i = 0; i < 200; ++i) {
+    var o = {};
+    Object.preventExtensions(o);
+    shouldBe("foo(o)", "void 0");
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (129690 => 129691)


--- trunk/Source/_javascript_Core/ChangeLog	2012-09-26 20:06:01 UTC (rev 129690)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-09-26 20:08:06 UTC (rev 129691)
@@ -1,3 +1,17 @@
+2012-09-26  Filip Pizlo  <[email protected]>
+
+        JSObject::ensureArrayStorage() ignores the possibility that extensions have been prevented
+        https://bugs.webkit.org/show_bug.cgi?id=97719
+
+        Reviewed by Gavin Barraclough.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::ensureArrayStorageSlow):
+        (JSC):
+        * runtime/JSObject.h:
+        (JSC::JSObject::ensureArrayStorage):
+        (JSObject):
+
 2012-09-26  Gavin Barraclough  <[email protected]>
 
         Generalize JSGlobalThis as JSProxy

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (129690 => 129691)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-09-26 20:06:01 UTC (rev 129690)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-09-26 20:08:06 UTC (rev 129691)
@@ -490,6 +490,20 @@
     return createArrayStorage(globalData, 0, BASE_VECTOR_LEN);
 }
 
+ArrayStorage* JSObject::ensureArrayStorageSlow(JSGlobalData& globalData)
+{
+    switch (structure()->indexingType()) {
+    case ALL_BLANK_INDEXING_TYPES:
+        if (UNLIKELY(indexingShouldBeSparse()))
+            return ensureArrayStorageExistsAndEnterDictionaryIndexingMode(globalData);
+        return createInitialArrayStorage(globalData);
+        
+    default:
+        CRASH();
+        return 0;
+    }
+}
+
 ArrayStorage* JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode(JSGlobalData& globalData)
 {
     switch (structure()->indexingType()) {
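Review bot: ensureArrayStorageSlow() has no comment explaining why the ALL_BLANK_INDEXING_TYPES case branches on indexingShouldBeSparse(), which is the substance of this fix. Going by the log message this is presumably the path taken once extensions have been prevented, so a comment above the `if` would help, for example `// Objects that must stay sparse (e.g. non-extensible ones) may not get a flat vector; enter dictionary indexing mode so indexed stores keep going through the checked path.` The default case now ends in CRASH(), where the old inline version used ASSERT_NOT_REACHED() and, in builds with assertions compiled out, fell through to `return 0;`. Callers can therefore no longer observe a null result for an unexpected indexing type, and that contract is worth stating in the header comment on ensureArrayStorage(). The next function, ensureArrayStorageExistsAndEnterDictionaryIndexingMode, continues outside the hunk.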

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (129690 => 129691)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2012-09-26 20:06:01 UTC (rev 129690)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2012-09-26 20:08:06 UTC (rev 129691)
@@ -534,17 +534,10 @@
         // already.
         ArrayStorage* ensureArrayStorage(JSGlobalData& globalData)
         {
-            switch (structure()->indexingType()) {
-            case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+            if (LIKELY(hasArrayStorage(structure()->indexingType())))
                 return m_butterfly->arrayStorage();
-                
-            case ALL_BLANK_INDEXING_TYPES:
-                return createInitialArrayStorage(globalData);
-                
-            default:
-                ASSERT_NOT_REACHED();
-                return 0;
-            }
+            
+            return ensureArrayStorageSlow(globalData);
         }
         
         static size_t offsetOfInlineStorage();
@@ -658,6 +651,8 @@
 
         JS_EXPORT_PRIVATE bool getOwnPropertySlotSlow(ExecState*, PropertyName, PropertySlot&);
         
+        ArrayStorage* ensureArrayStorageSlow(JSGlobalData&);
+        
     protected:
         Butterfly* m_butterfly;
     };
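Review bot: The new declaration `ArrayStorage* ensureArrayStorageSlow(JSGlobalData&);` lacks the JS_EXPORT_PRIVATE that the neighbouring getOwnPropertySlotSlow carries, yet the inline ensureArrayStorage() in this same header now calls it. If any code outside the JavaScriptCore library ends up instantiating that inline function, the link would fail on ports that restrict exported symbols; consider `JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(JSGlobalData&);`. The access section holding this declaration, and the one holding ensureArrayStorage(), both begin outside the hunk, so whether outside callers can reach it is not visible here.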
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
