[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
oliver at apple.com
oliver at apple.com
Wed Dec 22 14:43:14 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 7fff1ea7e5b46f2d79284e08ab475908ae659317
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Oct 18 16:47:37 2010 +0000
2010-10-18 Oliver Hunt <oliver at apple.com>
Reviewed by Sam Weinig.
Strict mode: JIT doesn't check for |this| being an immediate before dereferencing
https://bugs.webkit.org/show_bug.cgi?id=47826
There's no guarantee that |this| will be a cell in a strict mode function, so
don't claim that it is.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::isKnownNotImmediate):
2010-10-18 Oliver Hunt <oliver at apple.com>
Reviewed by Sam Weinig.
Strict mode: JIT doesn't check for |this| being an immediate before dereferencing
https://bugs.webkit.org/show_bug.cgi?id=47826
Add tests for accessing properties on |this| when |this| is not an object
* fast/js/basic-strict-mode-expected.txt:
* fast/js/script-tests/basic-strict-mode.js:
(testThisDotAccess):
(testThisBracketAccess):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69965 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index a2fbd07..db03ecb 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-18 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Strict mode: JIT doesn't check for |this| being an immediate before dereferencing
+ https://bugs.webkit.org/show_bug.cgi?id=47826
+
+ There's no guarantee that |this| will be a cell in a strict mode function, so
+ don't claim that it is.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::isKnownNotImmediate):
+
2010-10-18 Zoltan Herczeg <zherczeg at webkit.org>
Reviewed by Oliver Hunt.
diff --git a/JavaScriptCore/bytecode/CodeBlock.h b/JavaScriptCore/bytecode/CodeBlock.h
index a5f7d28..e4ebeb8 100644
--- a/JavaScriptCore/bytecode/CodeBlock.h
+++ b/JavaScriptCore/bytecode/CodeBlock.h
@@ -301,7 +301,7 @@ namespace JSC {
inline bool isKnownNotImmediate(int index)
{
- if (index == m_thisRegister)
+ if (index == m_thisRegister && !m_isStrictMode)
return true;
if (isConstantRegisterIndex(index))
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b1f2cb3..bb26421 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-18 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Strict mode: JIT doesn't check for |this| being an immediate before dereferencing
+ https://bugs.webkit.org/show_bug.cgi?id=47826
+
+ Add tests for accessing properties on |this| when |this| is not an object
+
+ * fast/js/basic-strict-mode-expected.txt:
+ * fast/js/script-tests/basic-strict-mode.js:
+ (testThisDotAccess):
+ (testThisBracketAccess):
+
2010-10-18 Zoltan Herczeg <zherczeg at webkit.org>
Reviewed by Oliver Hunt.
diff --git a/LayoutTests/fast/js/basic-strict-mode-expected.txt b/LayoutTests/fast/js/basic-strict-mode-expected.txt
index ccad7c1..e4c2012 100644
--- a/LayoutTests/fast/js/basic-strict-mode-expected.txt
+++ b/LayoutTests/fast/js/basic-strict-mode-expected.txt
@@ -9,6 +9,18 @@ PASS testThis.call(true) is true
PASS testThis.call(false) is false
PASS testThis.call(undefined) is undefined
PASS testThis.call('a string') is 'a string'
+PASS testThisDotAccess.call('a string') is 'a string'.length
+PASS testThisDotAccess.call(null) threw exception TypeError: Result of expression 'this' [null] is not an object..
+PASS testThisDotAccess.call(undefined) threw exception TypeError: Result of expression 'this' [undefined] is not an object..
+PASS testThisDotAccess.call(true) is undefined.
+PASS testThisDotAccess.call(false) is undefined.
+PASS testThisDotAccess.call(1) is undefined.
+PASS testThisBracketAccess.call('a string', 'length') is 'a string'.length
+PASS testThisBracketAccess.call(null, 'length') threw exception TypeError: Result of expression 'this' [null] is not an object..
+PASS testThisBracketAccess.call(undefined, 'length') threw exception TypeError: Result of expression 'this' [undefined] is not an object..
+PASS testThisBracketAccess.call(true, 'length') is undefined.
+PASS testThisBracketAccess.call(false, 'length') is undefined.
+PASS testThisBracketAccess.call(1, 'length') is undefined.
PASS testGlobalAccess() is null
PASS (function eval(){'use strict';}) threw exception SyntaxError: Parse error.
PASS (function (eval){'use strict';}) threw exception SyntaxError: Parse error.
diff --git a/LayoutTests/fast/js/script-tests/basic-strict-mode.js b/LayoutTests/fast/js/script-tests/basic-strict-mode.js
index 7044746..f6f485d 100644
--- a/LayoutTests/fast/js/script-tests/basic-strict-mode.js
+++ b/LayoutTests/fast/js/script-tests/basic-strict-mode.js
@@ -5,6 +5,14 @@ function testThis() {
"use strict";
return this;
}
+function testThisDotAccess() {
+ "use strict";
+ return this.length;
+}
+function testThisBracketAccess(prop) {
+ "use strict";
+ return this[prop];
+}
function testGlobalAccess() {
return testThis();
}
@@ -14,6 +22,19 @@ shouldBe("testThis.call(true)", "true");
shouldBe("testThis.call(false)", "false");
shouldBe("testThis.call(undefined)", "undefined");
shouldBe("testThis.call('a string')", "'a string'");
+shouldBe("testThisDotAccess.call('a string')", "'a string'.length");
+shouldThrow("testThisDotAccess.call(null)");
+shouldThrow("testThisDotAccess.call(undefined)");
+shouldBeUndefined("testThisDotAccess.call(true)");
+shouldBeUndefined("testThisDotAccess.call(false)");
+shouldBeUndefined("testThisDotAccess.call(1)");
+shouldBe("testThisBracketAccess.call('a string', 'length')", "'a string'.length");
+shouldThrow("testThisBracketAccess.call(null, 'length')");
+shouldThrow("testThisBracketAccess.call(undefined, 'length')");
+shouldBeUndefined("testThisBracketAccess.call(true, 'length')");
+shouldBeUndefined("testThisBracketAccess.call(false, 'length')");
+shouldBeUndefined("testThisBracketAccess.call(1, 'length')");
+
shouldBe("testGlobalAccess()", "null");
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list