[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

oliver at apple.com oliver at apple.com
Sun Feb 20 23:11:27 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit 536fb9cb1287cb2d85f217c40dafd393e09dc006
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 18 21:09:29 2011 +0000

    2011-01-18  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Antti Koivisto.
    
            [jsfunfuzz] Assertion in codegen for array of NaN constants
            https://bugs.webkit.org/show_bug.cgi?id=52643
    
            Add a testcase to ensure we handle a large number of NaN literals
            in (0/0 is folded to NaN automatically during parsing).
    
            * fast/js/codegen-temporaries-expected.txt:
            * fast/js/script-tests/codegen-temporaries.js:
    2011-01-18  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Antti Koivisto.
    
            [jsfunfuzz] Assertion in codegen for array of NaN constants
            https://bugs.webkit.org/show_bug.cgi?id=52643
    
            Don't cache NaN literals in the code generator, as NaN doesn't compare
            as equal to itself it causes problems when rehashing the number cache.
    
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitLoad):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76049 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 84eb96f..c8fa95b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-18  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Antti Koivisto.
+
+        [jsfunfuzz] Assertion in codegen for array of NaN constants
+        https://bugs.webkit.org/show_bug.cgi?id=52643
+
+        Add a testcase to ensure we handle a large number of NaN literals
+        in (0/0 is folded to NaN automatically during parsing).
+
+        * fast/js/codegen-temporaries-expected.txt:
+        * fast/js/script-tests/codegen-temporaries.js:
+
 2011-01-18  Krithigassree Sambamurthy  <krithigassree.sambamurthy at nokia.com>
 
         Reviewed by Simon Fraser.
diff --git a/LayoutTests/fast/js/codegen-temporaries-expected.txt b/LayoutTests/fast/js/codegen-temporaries-expected.txt
index 839fe70..e0e102f 100644
--- a/LayoutTests/fast/js/codegen-temporaries-expected.txt
+++ b/LayoutTests/fast/js/codegen-temporaries-expected.txt
@@ -109,6 +109,7 @@ PASS switch_test1() is true
 PASS switch_test2() is true
 PASS switch_test3() is true
 PASS construct_test() is true
+PASS [(0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), ].length is 64
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/codegen-temporaries.js b/LayoutTests/fast/js/script-tests/codegen-temporaries.js
index d2a8065..2043c50 100644
--- a/LayoutTests/fast/js/script-tests/codegen-temporaries.js
+++ b/LayoutTests/fast/js/script-tests/codegen-temporaries.js
@@ -925,5 +925,10 @@ function construct_test()
 }
 
 shouldBeTrue("construct_test()");
+var testStr = "[";
+for (var i = 0; i < 64; i++)
+    testStr += "(0/0), ";
+testStr += "].length";
+shouldBe(testStr, "64");
 
 var successfullyParsed = true;
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 9d92e9d..30d9333 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-01-18  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Antti Koivisto.
+
+        [jsfunfuzz] Assertion in codegen for array of NaN constants
+        https://bugs.webkit.org/show_bug.cgi?id=52643
+
+        Don't cache NaN literals in the code generator, as NaN doesn't compare
+        as equal to itself it causes problems when rehashing the number cache.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitLoad):
+
 2011-01-17  Jarred Nicholls  <jarred at sencha.com>
 
         Reviewed by Csaba Osztrogonác.
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index 34afb52..78c373a 100644
--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -1082,8 +1082,9 @@ RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, bool b)
 RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, double number)
 {
     // FIXME: Our hash tables won't hold infinity, so we make a new JSNumberCell each time.
-    // Later we can do the extra work to handle that like the other cases.
-    if (number == HashTraits<double>::emptyValue() || HashTraits<double>::isDeletedValue(number))
+    // Later we can do the extra work to handle that like the other cases.  They also don't
+    // work correctly with NaN as a key.
+    if (isnan(number) || number == HashTraits<double>::emptyValue() || HashTraits<double>::isDeletedValue(number))
         return emitLoad(dst, jsNumber(number));
     JSValue& valueInMap = m_numberMap.add(number, JSValue()).first->second;
     if (!valueInMap)

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list