[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

commit-queue at webkit.org commit-queue at webkit.org
Wed Dec 22 11:45:00 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 76e62e13e2802318226f73a10227fe3aa96e0497
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Aug 5 19:33:42 2010 +0000

    2010-08-05  Michael Saboff  <msaboff at apple.com>
    
            Reviewed by Darin Adler.
    
            Fixed https://bugs.webkit.org/show_bug.cgi?id=43401 where array
            content aren't properly initialized as part of unshift.
    
            * runtime/JSArray.cpp:
            (JSC::JSArray::unshiftCount):
    2010-08-05  Michael Saboff  <msaboff at apple.com>
    
            Reviewed by Darin Adler.
    
            New regression tests added as part of unshift fix for bug described
            inhttps://bugs.webkit.org/show_bug.cgi?id=43401.
    
            * fast/js/script-tests/unshift-multi.js: Added.
            * fast/js/unshift-multi-expected.txt: Added.
            * fast/js/unshift-multi.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64773 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 8797655..655e8aa 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,13 @@
+2010-08-05  Michael Saboff  <msaboff at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Fixed https://bugs.webkit.org/show_bug.cgi?id=43401 where array 
+        content aren't properly initialized as part of unshift.  
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCount):
+
 2010-08-05  Jian Li  <jianli at chromium.org>
 
         Reviewed by David Levin.
diff --git a/JavaScriptCore/runtime/JSArray.cpp b/JavaScriptCore/runtime/JSArray.cpp
index acbf594..98ea37f 100644
--- a/JavaScriptCore/runtime/JSArray.cpp
+++ b/JavaScriptCore/runtime/JSArray.cpp
@@ -850,10 +850,13 @@ void JSArray::unshiftCount(ExecState* exec, int count)
         storage = reinterpret_cast<ArrayStorage*>(newBaseStorage);
         setArrayStorage(storage);
         m_vectorLength += count;
-    } else if ((!m_indexBias) && (!increaseVectorPrefixLength(m_vectorLength + count))) {
+    } else if (!increaseVectorPrefixLength(m_vectorLength + count)) {
         throwOutOfMemoryError(exec);
         return;
     }
+
+    for (int i = 0; i < count; i++)
+        m_vector[i] = JSValue();
 }
 
 void JSArray::markChildren(MarkStack& markStack)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5399078..7b826e6 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-08-05  Michael Saboff  <msaboff at apple.com>
+
+        Reviewed by Darin Adler.
+
+        New regression tests added as part of unshift fix for bug described
+        inhttps://bugs.webkit.org/show_bug.cgi?id=43401.
+
+        * fast/js/script-tests/unshift-multi.js: Added.
+        * fast/js/unshift-multi-expected.txt: Added.
+        * fast/js/unshift-multi.html: Added.
+
 2010-08-05  Martin Robinson  <mrobinson at igalia.com>
 
         [GTK] Some sputnik tests fail
diff --git a/LayoutTests/fast/js/script-tests/unshift-multi.js b/LayoutTests/fast/js/script-tests/unshift-multi.js
new file mode 100644
index 0000000..bbd5031
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/unshift-multi.js
@@ -0,0 +1,45 @@
+description(
+'Test for regression against <a href="https://bugs.webkit.org/show_bug.cgi?id=43401">Calling unshift passing more than 1 argument causes array corruption.  It also tests some other unshift combinations.'
+);
+
+
+function unshift1(n) {
+    var anArray = [];
+    for (var i = 0; i < n; i++) {
+        anArray.unshift('a');
+    }
+    
+    return anArray;
+}
+
+function unshift2(n) {
+    var anArray = [];
+    for (var i = 0; i < n; i++) {
+        anArray.unshift('a', 'b');
+    }
+
+    return anArray;
+}
+
+function unshift5(n) {
+    var anArray = [];
+    for (var i = 0; i < n; i++) {
+        anArray.unshift('a', 'b', 'c', 'd', 'e');
+    }
+
+    return anArray;
+}
+
+
+shouldBe('unshift1(1)', '["a"]');
+shouldBe('unshift1(2)', '["a", "a"]');
+shouldBe('unshift1(4)', '["a", "a", "a", "a"]');
+shouldBe('unshift2(1)', '["a", "b"]');
+shouldBe('unshift2(2)', '["a", "b", "a", "b"]');
+shouldBe('unshift2(4)', '["a", "b", "a", "b", "a", "b", "a", "b"]');
+shouldBe('unshift2(10)', '["a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b"]');
+shouldBe('unshift5(1)', '["a", "b", "c", "d", "e"]');
+shouldBe('unshift5(2)', '["a", "b", "c", "d", "e", "a", "b", "c", "d", "e"]');
+shouldBe('unshift5(6)', '["a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e"]');
+                            
+var successfullyParsed = true;
diff --git a/LayoutTests/fast/js/unshift-multi-expected.txt b/LayoutTests/fast/js/unshift-multi-expected.txt
new file mode 100644
index 0000000..8f579f9
--- /dev/null
+++ b/LayoutTests/fast/js/unshift-multi-expected.txt
@@ -0,0 +1,19 @@
+Test for regression against Calling unshift passing more than 1 argument causes array corruption. It also tests some other unshift combinations.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS unshift1(1) is ["a"]
+PASS unshift1(2) is ["a", "a"]
+PASS unshift1(4) is ["a", "a", "a", "a"]
+PASS unshift2(1) is ["a", "b"]
+PASS unshift2(2) is ["a", "b", "a", "b"]
+PASS unshift2(4) is ["a", "b", "a", "b", "a", "b", "a", "b"]
+PASS unshift2(10) is ["a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b", "a", "b"]
+PASS unshift5(1) is ["a", "b", "c", "d", "e"]
+PASS unshift5(2) is ["a", "b", "c", "d", "e", "a", "b", "c", "d", "e"]
+PASS unshift5(6) is ["a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e", "a", "b", "c", "d", "e"]
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/unshift-multi.html b/LayoutTests/fast/js/unshift-multi.html
new file mode 100644
index 0000000..c842e1c
--- /dev/null
+++ b/LayoutTests/fast/js/unshift-multi.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/unshift-multi.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list