[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

barraclough at apple.com barraclough at apple.com
Thu Apr 8 00:30:35 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 20dbe10d01c4c01199b61343d0a032f071d53ea2
Author: barraclough at apple.com <barraclough at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Dec 10 01:44:20 2009 +0000

    JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=32228
    Make destruction of ropes non-recursive to prevent stack exhaustion.
    Also, pass a UString& into initializeFiber rather than a UString::Rep*;
    since the Rep is not being ref counted, this could result in usage of a
    Rep with refcount zero (where the Rep comes from a temporary UString
    returned from a function).
    
    Reviewed by Oliver Hunt.
    
    * runtime/JSString.cpp:
    (JSC::JSString::Rope::destructNonRecursive):
    (JSC::JSString::Rope::~Rope):
    * runtime/JSString.h:
    (JSC::JSString::Rope::initializeFiber):
    * runtime/Operations.h:
    (JSC::concatenateStrings):
    
    LayoutTests: https://bugs.webkit.org/show_bug.cgi?id=32228
    Reenabling tests.
    
    Reviewed by Oliver Hunt.
    
    * platform/win/Skipped:
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51933 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 7940139..aa0a0b3 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,22 @@
+2009-12-09  Gavin Barraclough  <barraclough at apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=32228
+        Make destruction of ropes non-recursive to prevent stack exhaustion.
+        Also, pass a UString& into initializeFiber rather than a Ustring::Rep*,
+        since the Rep is not being ref counted this could result in usage of a
+        Rep with refcount zero (where the Rep comes from a temporary UString
+        returned from a function).
+
+        * runtime/JSString.cpp:
+        (JSC::JSString::Rope::destructNonRecursive):
+        (JSC::JSString::Rope::~Rope):
+        * runtime/JSString.h:
+        (JSC::JSString::Rope::initializeFiber):
+        * runtime/Operations.h:
+        (JSC::concatenateStrings):
+
 2009-12-09  Zoltan Herczeg  <zherczeg at inf.u-szeged.hu>
 
         Reviewed by Eric Seidel.
diff --git a/JavaScriptCore/runtime/JSString.cpp b/JavaScriptCore/runtime/JSString.cpp
index 90a2d32..c668928 100644
--- a/JavaScriptCore/runtime/JSString.cpp
+++ b/JavaScriptCore/runtime/JSString.cpp
@@ -31,18 +31,41 @@
 
 namespace JSC {
 
-JSString::Rope::~Rope()
+void JSString::Rope::destructNonRecursive()
 {
-    for (unsigned i = 0; i < m_ropeLength; ++i) {
-        Fiber& fiber = m_fibers[i];
-        if (fiber.isRope())
-            fiber.rope()->deref();
-        else
-            fiber.string()->deref();
-        fiber = Fiber(reinterpret_cast<UString::Rep*>(0xfeedbeee));
+    Vector<Rope*, 32> workQueue;
+    Rope* rope = this;
+
+    while (true) {
+        unsigned length = rope->ropeLength();
+        for (unsigned i = 0; i < length; ++i) {
+            Fiber& fiber = rope->fibers(i);
+            if (fiber.isString())
+                fiber.string()->deref();
+            else {
+                Rope* nextRope = fiber.rope();
+                if (nextRope->hasOneRef())
+                    workQueue.append(nextRope);
+                else
+                    nextRope->deref();
+            }
+        }
+        if (rope != this)
+            fastFree(rope);
+
+        if (workQueue.isEmpty())
+            return;
+
+        rope = workQueue.last();
+        workQueue.removeLast();
     }
 }
 
+JSString::Rope::~Rope()
+{
+    destructNonRecursive();
+}
+
 #define ROPE_COPY_CHARS_INLINE_CUTOFF 20
 
 static inline void copyChars(UChar* destination, const UChar* source, unsigned numCharacters)
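Review bot: In destructNonRecursive(), a child rope that passes hasOneRef() is queued and later released with a bare `fastFree(rope)` rather than through deref(), so the loop relies on the fiber derefs plus the free being everything a last-reference release has to do. Neither deref() nor the rope's allocation is visible in this hunk, so that invariant should be written down above the `fastFree(rope)` line, for example `// Sole owner (hasOneRef() when queued): fibers were released above, so free the storage directly without running ~Rope.` Separately, the removed destructor overwrote each released fiber with the 0xfeedbeee poison value, and the new loop leaves the stale pointers in place. Keeping that store, at least in debug builds, would preserve the tripwire for a use-after-free on a destroyed rope's fibers.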
diff --git a/JavaScriptCore/runtime/JSString.h b/JavaScriptCore/runtime/JSString.h
index 5b183e9..633dd98 100644
--- a/JavaScriptCore/runtime/JSString.h
+++ b/JavaScriptCore/runtime/JSString.h
@@ -95,12 +95,14 @@ namespace JSC {
             }
 
             ~Rope();
+            void destructNonRecursive();
 
-            void initializeFiber(unsigned index, UString::Rep* string)
+            void initializeFiber(unsigned index, const UString& string)
             {
-                string->ref();
-                m_fibers[index] = Fiber(string);
-                m_stringLength += string->len;
+                UString::Rep* rep = string.rep();
+                rep->ref();
+                m_fibers[index] = Fiber(rep);
+                m_stringLength += rep->len;
             }
             void initializeFiber(unsigned index, Rope* rope)
             {
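Review bot: The new `initializeFiber(unsigned index, const UString& string)` overload has no comment explaining that the parameter type is itself the lifetime fix, so a later cleanup could reintroduce the `UString::Rep*` form and with it the zero-refcount Rep described in the commit message. I would add a line above the signature such as `// Takes the UString, not its Rep*, so a temporary argument keeps the Rep alive until rep->ref() has run.` The call in Operations.h that passes `v.toString(callFrame)` is the temporary case this protects. The hunk also does not show whether `string.rep()` can ever be null for an empty or null UString; if it can, `rep->ref()` needs a guard or an ASSERT.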
@@ -113,7 +115,7 @@ namespace JSC {
                 if (jsString->isRope())
                     initializeFiber(index, jsString->rope());
                 else
-                    initializeFiber(index, jsString->string().rep());
+                    initializeFiber(index, jsString->string());
             }
 
             unsigned ropeLength() { return m_ropeLength; }
diff --git a/JavaScriptCore/runtime/Operations.h b/JavaScriptCore/runtime/Operations.h
index 12cb157..035adc9 100644
--- a/JavaScriptCore/runtime/Operations.h
+++ b/JavaScriptCore/runtime/Operations.h
@@ -317,7 +317,7 @@ namespace JSC {
             if (LIKELY(v.isString()))
                 rope->initializeFiber(i, asString(v));
             else
-                rope->initializeFiber(i, v.toString(callFrame).rep());
+                rope->initializeFiber(i, v.toString(callFrame));
         }
 
         JSGlobalData* globalData = &callFrame->globalData();
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8251047..0fcf70d 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2009-12-09  Gavin Barraclough  <barraclough at apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=32228
+        Reenabling tests.
+
+        * platform/win/Skipped:
+
 2009-12-09  Gustavo Noronha Silva  <gustavo.noronha at collabora.co.uk>
 
         Skip a failing test that needs DRT support to override standard
diff --git a/LayoutTests/platform/win/Skipped b/LayoutTests/platform/win/Skipped
index 99838b3..6aebae4 100644
--- a/LayoutTests/platform/win/Skipped
+++ b/LayoutTests/platform/win/Skipped
@@ -719,11 +719,5 @@ inspector/timeline-network-resource.html
 # This test requires ogg codecs
 media/media-can-play-ogg.html
 
-# Broken by JSC regression (bug filed: https://bugs.webkit.org/show_bug.cgi?id=32228)
-fast/js/excessive-comma-usage.html
-fast/js/math-transforms.html
-fast/js/math.html
-fast/js/lastModified.html
-
 # This test requires new pywebsocket
 websocket/tests/sub-protocol-with-space.html

-- 
WebKit Debian packaging


