[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

barraclough at apple.com barraclough at apple.com
Wed Dec 22 12:45:35 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit eea8529ad85c2530fc2cab17093abc2e693e54cb
Author: barraclough at apple.com <barraclough at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Aug 29 01:57:06 2010 +0000

    Bug 44830 - In Array's prototype functions we're incorrectly handling large index values
    
    Reviewed by Oliver Hunt.
    
    We are in places casting doubles to unsigneds, and unsigneds to ints, without always checking
    that the result is within bounds. This is problematic in the case of double-to-unsigned
    conversion because we should be saturating to array length.
    
    Also, the error return value from Array.splice should be [], not undefined.
    
    I don't see any security concerns here. These methods are spec'ed in such a way that they
    can be applied to non Array objects, so in all cases the (potentially bogus) indices are
    being passed to functions that will safely check accesses are within bounds.
    
    JavaScriptCore:
    
    * runtime/ArrayPrototype.cpp:
    (JSC::argumentClampedIndexFromStartOrEnd):
    (JSC::arrayProtoFuncJoin):
    (JSC::arrayProtoFuncConcat):
    (JSC::arrayProtoFuncReverse):
    (JSC::arrayProtoFuncShift):
    (JSC::arrayProtoFuncSlice):
    (JSC::arrayProtoFuncSort):
    (JSC::arrayProtoFuncSplice):
    (JSC::arrayProtoFuncUnShift):
    (JSC::arrayProtoFuncFilter):
    (JSC::arrayProtoFuncMap):
    (JSC::arrayProtoFuncEvery):
    (JSC::arrayProtoFuncForEach):
    (JSC::arrayProtoFuncSome):
    (JSC::arrayProtoFuncReduce):
    (JSC::arrayProtoFuncReduceRight):
    (JSC::arrayProtoFuncIndexOf):
    (JSC::arrayProtoFuncLastIndexOf):
    * runtime/JSValue.h:
    (JSC::JSValue::toUInt32):
    
    LayoutTests:
    
    * fast/js/array-splice-expected.txt:
    * fast/js/script-tests/array-splice.js:
    * fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.10_Array_prototype_slice/S15.4.4.10_A3_T3-expected.txt:
    * fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.2_T3-expected.txt:
    * fast/js/sputnik/Implementation_Diagnostics/S15.4.4.12_D1.5_T1-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-3-26-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-3-27-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-5-1-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-5-12-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-5-14-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-5-16-expected.txt:
    * ietestcenter/Javascript/15.4.4.15-8-9-expected.txt:
    * platform/mac-snowleopard/Skipped:
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66318 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 4a3bd4e..1a6a460 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,41 @@
+2010-08-28  Gavin Barraclough  <barraclough at apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        Bug 44830 - In Array's prototype functyions we're incorrectly handing large index values
+
+        We are in places casting doubles to unsigneds, and unsigneds to ints, without always check
+        that the result is within bounds. This is problematic in the case of double-to-unsigned
+        conversion because we should be saturating to array length.
+
+        Also, the error return value from Array.splice should be [], not undefined.
+
+        I don't see any security concerns here. These methods are spec'ed in such a way that they
+        can be applied to non Array objects, so in all cases the (potentially bogus) indices are
+        being passed to functions that will safely check accesses are within bounds.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::argumentClampedIndexFromStartOrEnd):
+        (JSC::arrayProtoFuncJoin):
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::arrayProtoFuncShift):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSort):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        (JSC::arrayProtoFuncFilter):
+        (JSC::arrayProtoFuncMap):
+        (JSC::arrayProtoFuncEvery):
+        (JSC::arrayProtoFuncForEach):
+        (JSC::arrayProtoFuncSome):
+        (JSC::arrayProtoFuncReduce):
+        (JSC::arrayProtoFuncReduceRight):
+        (JSC::arrayProtoFuncIndexOf):
+        (JSC::arrayProtoFuncLastIndexOf):
+        * runtime/JSValue.h:
+        (JSC::JSValue::toUInt32):
+
 2010-08-28  Pratik Solanki  <psolanki at apple.com>
 
         Reviewed by Dan Bernstein.
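Review bot: The new ChangeLog title and first paragraph carry typos that will be permanent in the log: "functyions" should be "functions", "handing" should be "handling", and "without always check" should be "without always checking". The entry also lists JSC::JSValue::toUInt32 with no description of what changed there; a line for each non-mechanical function would help anyone who later audits the "I don't see any security concerns here" statement.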
diff --git a/JavaScriptCore/runtime/ArrayPrototype.cpp b/JavaScriptCore/runtime/ArrayPrototype.cpp
index e49ca28..28269ff 100644
--- a/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -146,6 +146,20 @@ static void putProperty(ExecState* exec, JSObject* obj, const Identifier& proper
     obj->put(exec, propertyName, value, slot);
 }
 
+static unsigned argumentClampedIndexFromStartOrEnd(ExecState* exec, int argument, unsigned length, unsigned undefinedValue = 0)
+{
+    JSValue value = exec->argument(argument);
+    if (value.isUndefined())
+        return undefinedValue;
+
+    double indexDouble = value.toInteger(exec);
+    if (indexDouble < 0) {
+        indexDouble += length;
+        return indexDouble < 0 ? 0 : static_cast<unsigned>(indexDouble);
+    }
+    return indexDouble > length ? length : static_cast<unsigned>(indexDouble);
+}
+
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncToString(ExecState* exec)
 {
     JSValue thisValue = exec->hostThisValue();
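Review bot: In argumentClampedIndexFromStartOrEnd the final static_cast<unsigned>(indexDouble) is only well defined if toInteger never returns NaN; for a NaN both `indexDouble < 0` and `indexDouble > length` are false, and the cast would then be undefined behaviour. An ASSERT that indexDouble is not NaN, or a comment stating that invariant, would make the helper safe to reuse. A short header comment saying that negative values count back from length, and that undefinedValue is returned when the argument is undefined, would also help now that several call sites depend on it.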
@@ -249,8 +263,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncToLocaleString(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     HashSet<JSObject*>& arrayVisitedElements = exec->globalData().arrayVisitedElements;
     if (arrayVisitedElements.size() >= MaxSmallThreadReentryDepth) {
@@ -323,7 +336,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
 {
     JSValue thisValue = exec->hostThisValue();
     JSArray* arr = constructEmptyArray(exec);
-    int n = 0;
+    unsigned n = 0;
     JSValue curArg = thisValue.toThisObject(exec);
     size_t i = 0;
     size_t argCount = exec->argumentCount();
@@ -389,8 +402,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncPush(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     unsigned middle = length / 2;
 
@@ -414,8 +426,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
     JSValue result;
 
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
@@ -442,43 +453,19 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
-
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     // We return a new array
     JSArray* resObj = constructEmptyArray(exec);
     JSValue result = resObj;
-    double begin = exec->argument(0).toInteger(exec);
+
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    if (begin >= 0) {
-        if (begin > length)
-            begin = length;
-    } else {
-        begin += length;
-        if (begin < 0)
-            begin = 0;
-    }
-    double end;
-    if (exec->argument(1).isUndefined())
-        end = length;
-    else {
-        end = exec->argument(1).toInteger(exec);
-        if (end < 0) {
-            end += length;
-            if (end < 0)
-                end = 0;
-        } else {
-            if (end > length)
-                end = length;
-        }
-    }
+    unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
+    unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);
 
-    int n = 0;
-    int b = static_cast<int>(begin);
-    int e = static_cast<int>(end);
-    for (int k = b; k < e; k++, n++) {
+    unsigned n = 0;
+    for (unsigned k = begin; k < end; k++, n++) {
         if (JSValue v = getProperty(exec, thisObj, k))
             resObj->put(exec, n, v);
     }
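Review bot: In arrayProtoFuncSlice the length property is now read before either argument is converted, whereas the removed code called `exec->argument(0).toInteger(exec)` first. That order is observable from script (a length getter versus a valueOf on the start argument) and matches ES5 15.4.4.10, but the ChangeLog does not mention it and no test in this patch pins it down; please note it and add a case. The comment pointing at developer.netscape.com could be reduced to the section number while this block is being touched.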
@@ -488,8 +475,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSort(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     JSValue function = exec->argument(0);
     CallData callData;
@@ -547,29 +533,26 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncSort(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     // 15.4.4.12
 
-    // FIXME: Firefox returns an empty array.
     if (!exec->argumentCount())
-        return JSValue::encode(jsUndefined());
+        return JSValue::encode(constructEmptyArray(exec));
 
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    double relativeBegin = exec->argument(0).toInteger(exec);
-    unsigned begin;
-    if (relativeBegin < 0) {
-        relativeBegin += length;
-        begin = (relativeBegin < 0) ? 0 : static_cast<unsigned>(relativeBegin);
-    } else
-        begin = std::min<unsigned>(static_cast<unsigned>(relativeBegin), length);
-
-    unsigned deleteCount;
-    if (exec->argumentCount() > 1)
-        deleteCount = std::min<int>(std::max<int>(exec->argument(1).toUInt32(exec), 0), length - begin);
-    else
-        deleteCount = length - begin;
+    unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
+
+    unsigned deleteCount = length - begin;
+    if (exec->argumentCount() > 1) {
+        double deleteDouble = exec->argument(1).toInteger(exec);
+        if (deleteDouble < 0)
+            deleteCount = 0;
+        else if (deleteDouble > length - begin)
+            deleteCount = length - begin;
+        else
+            deleteCount = static_cast<unsigned>(deleteDouble);
+    }
 
     JSArray* resObj = new (exec) JSArray(exec->lexicalGlobalObject()->arrayStructure(), deleteCount, CreateCompact);
     JSValue result = resObj;
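Review bot: In the new deleteCount block, `length - begin` is unsigned arithmetic written three times and is only safe because argumentClampedIndexFromStartOrEnd never returns more than length. Hoist it into a local (for example `unsigned maxDelete = length - begin;`) and add ASSERT(begin <= length) so the dependency on the helper is explicit and a later change to the helper cannot silently turn this into an underflow.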
@@ -616,8 +599,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncUnShift(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     // 15.4.4.13
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
@@ -643,8 +625,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncUnShift(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncFilter(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     JSValue function = exec->argument(0);
     CallData callData;
@@ -702,8 +683,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncFilter(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncMap(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     JSValue function = exec->argument(0);
     CallData callData;
@@ -760,8 +740,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncMap(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     JSValue function = exec->argument(0);
     CallData callData;
@@ -817,8 +796,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncForEach(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     JSValue function = exec->argument(0);
     CallData callData;
@@ -863,8 +841,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncForEach(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     JSValue function = exec->argument(0);
     CallData callData;
@@ -917,8 +894,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduce(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
     
     JSValue function = exec->argument(0);
     CallData callData;
@@ -988,8 +964,7 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduce(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduceRight(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
     
     JSValue function = exec->argument(0);
     CallData callData;
@@ -1058,23 +1033,12 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduceRight(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncIndexOf(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
     // JavaScript 1.5 Extension by Mozilla
     // Documentation: http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Array:indexOf
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
-    JSObject* thisObj = thisValue.toThisObject(exec);
-
-    unsigned index = 0;
-    double d = exec->argument(1).toInteger(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    if (d < 0)
-        d += length;
-    if (d > 0) {
-        if (d > length)
-            index = length;
-        else
-            index = static_cast<unsigned>(d);
-    }
+    unsigned index = argumentClampedIndexFromStartOrEnd(exec, 1, length);
 
     JSValue searchElement = exec->argument(0);
     for (; index < length; ++index) {
@@ -1090,32 +1054,36 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncIndexOf(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncLastIndexOf(ExecState* exec)
 {
-    JSValue thisValue = exec->hostThisValue();
     // JavaScript 1.6 Extension by Mozilla
     // Documentation: http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Array:lastIndexOf
-
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
 
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    int index = length - 1;
-    double d = exec->argument(1).toIntegerPreserveNaN(exec);
-
-    if (d < 0) {
-        d += length;
-        if (d < 0)
-            return JSValue::encode(jsNumber(exec, -1));
+    if (!length)
+        return JSValue::encode(jsNumber(exec, -1));
+
+    unsigned index = length - 1;
+    JSValue fromValue = exec->argument(1);
+    if (!fromValue.isUndefined()) {
+        double fromDouble = fromValue.toInteger(exec);
+        if (fromDouble < 0) {
+            fromDouble += length;
+            if (fromDouble < 0)
+                return JSValue::encode(jsNumber(exec, -1));
+        }
+        if (fromDouble < length)
+            index = static_cast<unsigned>(fromDouble);
     }
-    if (d < length)
-        index = static_cast<int>(d);
 
     JSValue searchElement = exec->argument(0);
-    for (; index >= 0; --index) {
+    do {
+        ASSERT(index < length);
         JSValue e = getProperty(exec, thisObj, index);
         if (!e)
             continue;
         if (JSValue::strictEqual(exec, searchElement, e))
             return JSValue::encode(jsNumber(exec, index));
-    }
+    } while (index--);
 
     return JSValue::encode(jsNumber(exec, -1));
 }
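Review bot: In arrayProtoFuncLastIndexOf, `if (!fromValue.isUndefined())` treats an explicitly passed undefined the same as an omitted fromIndex, so the search starts at length - 1. ES5 15.4.4.15 step 5 distinguishes the two: when fromIndex is passed it goes through ToInteger, and ToInteger(undefined) is 0. Testing `exec->argumentCount() > 1` instead would keep that distinction. Separately, the `continue` inside the do/while jumps to the `while (index--)` condition, which is what keeps the loop advancing over holes; a one-line comment there would stop someone converting it back to a for loop over the now unsigned index.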
diff --git a/JavaScriptCore/runtime/JSValue.h b/JavaScriptCore/runtime/JSValue.h
index af4b0f4..4a6744d 100644
--- a/JavaScriptCore/runtime/JSValue.h
+++ b/JavaScriptCore/runtime/JSValue.h
@@ -410,7 +410,7 @@ namespace JSC {
     inline uint32_t JSValue::toUInt32(ExecState* exec) const
     {
         if (isUInt32())
-            return asInt32();
+            return asUInt32();
 
         double val = toNumber(exec);
 
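Review bot: In JSValue::toUInt32 the isUInt32() guard appears to already restrict this path to non-negative int32 values, so returning asUInt32() instead of asInt32() looks like a type-consistency change rather than a behaviour change. The ChangeLog lists the function without saying which it is; please state that explicitly, since the same patch also drops two 64-bit entries from the Skipped list.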
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b165cbd..d60193a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,33 @@
+2010-08-28  Gavin Barraclough  <barraclough at apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        Bug 44830 - In Array's prototype functyions we're incorrectly handing large index values
+
+        We are in places casting doubles to unsigneds, and unsigneds to ints, without always check
+        that the result is within bounds. This is problematic in the case of double-to-unsigned
+        conversion because we should be saturating to array length.
+
+        Also, the error return value from Array.splice should be [], not undefined.
+
+        I don't see any security concerns here. These methods are spec'ed in such a way that they
+        can be applied to non Array objects, so in all cases the (potentially bogus) indices are
+        being passed to functions that will safely check accesses are within bounds.
+
+        * fast/js/array-splice-expected.txt:
+        * fast/js/script-tests/array-splice.js:
+        * fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.10_Array_prototype_slice/S15.4.4.10_A3_T3-expected.txt:
+        * fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.2_T3-expected.txt:
+        * fast/js/sputnik/Implementation_Diagnostics/S15.4.4.12_D1.5_T1-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-3-26-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-3-27-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-5-1-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-5-12-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-5-14-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-5-16-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-8-9-expected.txt:
+        * platform/mac-snowleopard/Skipped:
+
 2010-08-28  Mihai Parparita  <mihaip at chromium.org>
 
         Reviewed by Tony Chang.
diff --git a/LayoutTests/fast/js/array-splice-expected.txt b/LayoutTests/fast/js/array-splice-expected.txt
index 7facbe8..2ca11ac 100644
--- a/LayoutTests/fast/js/array-splice-expected.txt
+++ b/LayoutTests/fast/js/array-splice-expected.txt
@@ -8,7 +8,7 @@ PASS arr.splice(2) is ['c','d']
 PASS arr is ['a','b']
 PASS arr.splice(0) is ['a','b']
 PASS arr is []
-PASS arr.splice() is undefined
+PASS arr.splice() is []
 PASS arr is ['a','b','c','d']
 PASS arr.splice(undefined) is ['a','b','c','d']
 PASS arr is []
diff --git a/LayoutTests/fast/js/script-tests/array-splice.js b/LayoutTests/fast/js/script-tests/array-splice.js
index cfeb0a4..90fd9ca 100644
--- a/LayoutTests/fast/js/script-tests/array-splice.js
+++ b/LayoutTests/fast/js/script-tests/array-splice.js
@@ -10,7 +10,7 @@ shouldBe("arr.splice(0)", "['a','b']");
 shouldBe("arr", "[]")
 
 arr = ['a','b','c','d'];
-shouldBe("arr.splice()", "undefined")
+shouldBe("arr.splice()", "[]")
 shouldBe("arr", "['a','b','c','d']");
 shouldBe("arr.splice(undefined)", "['a','b','c','d']")
 shouldBe("arr", "[]");
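Review bot: array-splice.js only updates the no-argument expectation; nothing in this file exercises the new clamping in arrayProtoFuncSplice. Please add cases next to this one for a negative deleteCount, a deleteCount larger than the remaining length, and a start beyond length, so the behaviour is covered by a WebKit-owned test and not only by the imported sputnik and ietestcenter expectations.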
diff --git a/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.10_Array_prototype_slice/S15.4.4.10_A3_T3-expected.txt b/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.10_Array_prototype_slice/S15.4.4.10_A3_T3-expected.txt
index a158746..e537bec 100644
--- a/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.10_Array_prototype_slice/S15.4.4.10_A3_T3-expected.txt
+++ b/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.10_Array_prototype_slice/S15.4.4.10_A3_T3-expected.txt
@@ -1,6 +1,6 @@
 S15.4.4.10_A3_T3
 
-FAIL SputnikError: #1: var obj = {}; obj.slice = Array.prototype.slice; obj[4294967294] = "x"; obj.length = 4294967295; var arr = obj.slice(4294967294,4294967295); arr.length === 1. Actual: 0
+PASS 
 
 TEST COMPLETE
 
diff --git a/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.2_T3-expected.txt b/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.2_T3-expected.txt
index 4002def..6c55952 100644
--- a/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.2_T3-expected.txt
+++ b/LayoutTests/fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.2_T3-expected.txt
@@ -1,6 +1,6 @@
 S15.4.4.12_A2.2_T3
 
-FAIL SputnikError: #2: var x = [0,1,2,3]; var arr = x.splice(0,Number.POSITIVE_INFINITY); arr.length === 4. Actual: 0
+PASS 
 
 TEST COMPLETE
 
diff --git a/LayoutTests/fast/js/sputnik/Implementation_Diagnostics/S15.4.4.12_D1.5_T1-expected.txt b/LayoutTests/fast/js/sputnik/Implementation_Diagnostics/S15.4.4.12_D1.5_T1-expected.txt
index 3a94c7e..4e6d803 100644
--- a/LayoutTests/fast/js/sputnik/Implementation_Diagnostics/S15.4.4.12_D1.5_T1-expected.txt
+++ b/LayoutTests/fast/js/sputnik/Implementation_Diagnostics/S15.4.4.12_D1.5_T1-expected.txt
@@ -1,6 +1,6 @@
 S15.4.4.12_D1.5_T1
 
-FAIL TypeError: Result of expression 'arr' [undefined] is not an object.
+PASS 
 
 TEST COMPLETE
 
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-26-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-26-expected.txt
index 54763de..c1e6610 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-26-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-26-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-27-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-27-expected.txt
index 0545d33..abc0d5f 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-27-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-3-27-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-1-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-1-expected.txt
index 60e48de..07bbf5b 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-1-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-1-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true (of type boolean). Was undefined (of type undefined).
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-12-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-12-expected.txt
index e2c1069..e416297 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-12-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-12-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-14-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-14-expected.txt
index 138379f..d734269 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-14-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-14-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-16-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-16-expected.txt
index e9496ba..ab8294a 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-16-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-16-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/ietestcenter/Javascript/15.4.4.15-8-9-expected.txt b/LayoutTests/ietestcenter/Javascript/15.4.4.15-8-9-expected.txt
index 519da39..e0874ac 100644
--- a/LayoutTests/ietestcenter/Javascript/15.4.4.15-8-9-expected.txt
+++ b/LayoutTests/ietestcenter/Javascript/15.4.4.15-8-9-expected.txt
@@ -4,7 +4,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/platform/mac-snowleopard/Skipped b/LayoutTests/platform/mac-snowleopard/Skipped
index 48cedb4..61de729 100644
--- a/LayoutTests/platform/mac-snowleopard/Skipped
+++ b/LayoutTests/platform/mac-snowleopard/Skipped
@@ -130,11 +130,6 @@ fast/canvas/webgl/tex-image-and-sub-image-2d-with-video.html
 # This test asserts: https://bugs.webkit.org/show_bug.cgi?id=37932
 transitions/transition-end-event-destroy-iframe.html
 
-# These tests fail in 64 bit
-# https://bugs.webkit.org/show_bug.cgi?id=38356
-fast/js/sputnik/Conformance/11_Expressions/11.5_Multiplicative_Operators/11.5.3_Percent/S11.5.3_A4_T2.html
-fast/js/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.12_Array_prototype_splice/S15.4.4.12_A2.1_T3.html
-
 # Test fails on Snow Leopard in DRT but passes when run manually and passes on Leopard. The test itself might need
 # tweaking to deal with scrolling differences between Leopard and SL. https://bugs.webkit.org/show_bug.cgi?id=38416
 fast/repaint/fixed-move-after-keyboard-scroll.html
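Review bot: This removes S11.5.3_A4_T2.html (the percent operator test) from the 64-bit skip list alongside the splice test, but nothing else in the patch touches the multiplicative operators and the ChangeLog does not explain why it passes now. Please say which change fixes it (the toUInt32 edit is the only candidate visible here) or leave that entry skipped. S15.4.4.12_A2.1_T3.html is also unskipped without an expected-results file in this patch; confirm one is already checked in.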

-- 
WebKit Debian packaging


