WebKit Bugzilla
Attachment 346824 Details for Bug 188430: Array.prototype.sort should call @toLength instead of ">>> 0"
bug-188430-20180808223518.patch (text/plain), 9.94 KB, created by Keith Miller on 2018-08-08 22:35:19 PDT
>Subversion Revision: 234716 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 47b02f0dd262a61a33e8fee9fe3bdd2f63c59368..c0029ad2201bbec378f9f6e25904f22e428e299e 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,19 @@ >+2018-08-08 Keith Miller <keith_miller@apple.com> >+ >+ Array.prototype.sort should call @toLength instead of ">>> 0" >+ https://bugs.webkit.org/show_bug.cgi?id=188430 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Also add a new function to $vm that will fetch a private >+ property. This can be useful for running builtin helper functions. >+ >+ * builtins/ArrayPrototype.js: >+ (sort): >+ * tools/JSDollarVM.cpp: >+ (JSC::functionGetPrivateProperty): >+ (JSC::JSDollarVM::finishCreation): >+ > 2018-08-08 Keith Miller <keith_miller@apple.com> > > Array.prototype.sort should throw TypeError if param is a not callable object >diff --git a/Source/JavaScriptCore/builtins/ArrayPrototype.js b/Source/JavaScriptCore/builtins/ArrayPrototype.js >index a8796540b43b98c8035a4cc67239e4885bd12618..bb67a722bd2d4ba0084b86b0f718ff90fce7b949 100644 >--- a/Source/JavaScriptCore/builtins/ArrayPrototype.js >+++ b/Source/JavaScriptCore/builtins/ArrayPrototype.js >@@ -603,7 +603,7 @@ function sort(comparator) > > let array = @toObject(this, "Array.prototype.sort requires that |this| not be null or undefined"); > >- let length = array.length >>> 0; >+ let length = @toLength(array.length); > > // For compatibility with Firefox and Chrome, do nothing observable > // to the target array if it has 0 or 1 sortable properties. >diff --git a/Source/JavaScriptCore/tools/JSDollarVM.cpp b/Source/JavaScriptCore/tools/JSDollarVM.cpp >index fd947e7db5c6813cbb472d13b015e039c726ab12..dde310911c0dc43c1b67c35292d108677fbd2295 100644 >--- a/Source/JavaScriptCore/tools/JSDollarVM.cpp >+++ b/Source/JavaScriptCore/tools/JSDollarVM.cpp 
>@@ -1676,6 +1676,24 @@ static EncodedJSValue JSC_HOST_CALL functionCreateBuiltin(ExecState* exec) > return JSValue::encode(func); > } > >+static EncodedJSValue JSC_HOST_CALL functionGetPrivateProperty(ExecState* exec) >+{ >+ VM& vm = exec->vm(); >+ auto scope = DECLARE_THROW_SCOPE(vm); >+ >+ if (exec->argumentCount() < 2 || !exec->argument(1).isString()) >+ return encodedJSUndefined(); >+ >+ String str = asString(exec->argument(1))->value(exec); >+ >+ const Identifier* ident = vm.propertyNames->lookUpPrivateName(Identifier::fromString(exec, str)); >+ if (!ident) >+ return throwVMError(exec, scope, "Unknown private name."); >+ >+ scope.release(); >+ return JSValue::encode(exec->argument(0).get(exec, *ident)); >+} >+ > static EncodedJSValue JSC_HOST_CALL functionCreateRoot(ExecState* exec) > { > VM& vm = exec->vm(); >@@ -2020,6 +2038,7 @@ void JSDollarVM::finishCreation(VM& vm) > addFunction(vm, "createDOMJITCheckSubClassObject", functionCreateDOMJITCheckSubClassObject, 0); > addFunction(vm, "createDOMJITGetterBaseJSObject", functionCreateDOMJITGetterBaseJSObject, 0); > addFunction(vm, "createBuiltin", functionCreateBuiltin, 2); >+ addFunction(vm, "getPrivateProperty", functionGetPrivateProperty, 2); > addFunction(vm, "setImpureGetterDelegate", functionSetImpureGetterDelegate, 2); > > addConstructibleFunction(vm, "Root", functionCreateRoot, 0); >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 19704804ea20f71c02455a50c699b2e8f4b8c672..4fcb32b0cf33eaec4a2decf8f868c87480ccf2b2 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,17 @@ >+2018-08-08 Keith Miller <keith_miller@apple.com> >+ >+ Array.prototype.sort should call @toLength instead of ">>> 0" >+ https://bugs.webkit.org/show_bug.cgi?id=188430 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Remove invalid conformance test expectations. Array.prototype.sort calls toLength, which >+ does not truncate integers. >+ >+ * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T1.html: >+ * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T2.html: >+ * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T3.html: >+ > 2018-08-08 Basuke Suzuki <Basuke.Suzuki@sony.com> > > [Curl] Test gardening >diff --git a/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T1.html b/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T1.html >index 2e795368bf55efe2d45327eac6322f0813a34510..0db1afc4adf551f75ef9a96bfb8551f5549c6317 100644 >--- a/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T1.html >+++ b/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T1.html >@@ -94,9 +94,10 @@ if (obj[0] !== "x") { > } > > //CHECK#4 >-if (obj[4294967295] !== "y") { >- testFailed('#4: var obj = {}; obj.sort = Array.prototype.sort; obj[] = "x"; obj[4294967295] = "y"; obj.length = 4294967296; obj.sort(); obj[4294967295] == "y"'); >-} >+// This test isn't valid since the spec requires toLength on obj.length now. >+// if (obj[4294967295] !== "y") { >+// testFailed('#4: var obj = {}; obj.sort = Array.prototype.sort; obj[] = "x"; obj[4294967295] = "y"; obj.length = 4294967296; obj.sort(); obj[4294967295] == "y"'); >+// } > > } catch (ex) { > sputnikException = ex; 
>diff --git a/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T2.html b/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T2.html >index e65d5c63d4bbf9d7aadee483d1515b358a508989..14d9a16a44d352c486ebffcb4cd7b4e1ce327df5 100644 >--- a/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T2.html >+++ b/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T2.html >@@ -90,9 +90,10 @@ if (obj.length !== 4294967298) { > } > > //CHECK#3 >-if (obj[0] !== "y") { >- testFailed('#3: var obj = {}; obj.sort = Array.prototype.sort; obj[0] = "z"; obj[1] = "y"; obj[4294967297] = "x"; obj.length = 4294967298; obj.sort(); obj[0] === "y". Actual: ' + (obj[0])); >-} >+// This test isn't valid since the spec requires toLength on obj.length now. >+// if (obj[0] !== "y") { >+// testFailed('#3: var obj = {}; obj.sort = Array.prototype.sort; obj[0] = "z"; obj[1] = "y"; obj[4294967297] = "x"; obj.length = 4294967298; obj.sort(); obj[0] === "y". Actual: ' + (obj[0])); >+// } > > //CHECK#4 > if (obj[1] !== "z") { >diff --git a/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T3.html b/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T3.html >index b33c2e7311cd75244473558d0fb53fc62df739da..af074108c667f68a98bc69b10258ea00733acfef 100644 >--- a/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T3.html >+++ b/LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.11_Array_prototype_sort/S15.4.4.11_A4_T3.html 
>@@ -90,9 +90,10 @@ if (obj.length !== -4294967294) { > } > > //CHECK#3 >-if (obj[0] !== "y") { >- testFailed('#3: var obj = {}; obj.sort = Array.prototype.sort; obj[0] = "z"; obj[1] = "y"; obj[2] = "x"; obj.length = -4294967294; obj.sort(); obj[0] === "y". Actual: ' + (obj[0])); >-} >+// This test isn't valid since the spec requires toLength on obj.length now. >+// if (obj[0] !== "y") { >+// testFailed('#3: var obj = {}; obj.sort = Array.prototype.sort; obj[0] = "z"; obj[1] = "y"; obj[2] = "x"; obj.length = -4294967294; obj.sort(); obj[0] === "y". Actual: ' + (obj[0])); >+// } > > //CHECK#4 > if (obj[1] !== "z") { >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 9b3e59c7580922f8df21b23bfb12aab1b6d3da7a..01b39fac73e67fd3670681b3d4112f6f51f12262 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,12 @@ >+2018-08-08 Keith Miller <keith_miller@apple.com> >+ >+ Array.prototype.sort should call @toLength instead of ">>> 0" >+ https://bugs.webkit.org/show_bug.cgi?id=188430 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * test262/expectations.yaml: >+ > 2018-08-08 Keith Miller <keith_miller@apple.com> > > Array.prototype.sort should throw TypeError if param is a not callable object >diff --git a/JSTests/test262/expectations.yaml b/JSTests/test262/expectations.yaml >index 6b8a120a91feec7be405b3e678cef3d9767ed791..3fe3d5cf2f335ecf303d297254ced2253a548477 100644 >--- a/JSTests/test262/expectations.yaml >+++ b/JSTests/test262/expectations.yaml 
>@@ -669,9 +669,6 @@ test/built-ins/Array/prototype/slice/length-exceeding-integer-limit.js: > test/built-ins/Array/prototype/slice/target-array-with-non-writable-property.js: > default: 'TypeError: Attempted to assign to readonly property.' > strict mode: 'TypeError: Attempted to assign to readonly property.' >-test/built-ins/Array/prototype/sort/S15.4.4.11_A4_T3.js: >- default: 'Test262Error: #3: var obj = {}; obj.sort = Array.prototype.sort; obj[0] = "z"; obj[1] = "y"; obj[2] = "x"; obj.length = -4294967294; obj.sort(); obj[0] === "z". Actual: y' >- strict mode: 'Test262Error: #3: var obj = {}; obj.sort = Array.prototype.sort; obj[0] = "z"; obj[1] = "y"; obj[2] = "x"; obj.length = -4294967294; obj.sort(); obj[0] === "z". Actual: y' > test/built-ins/Array/prototype/splice/S15.4.4.12_A3_T1.js: > default: 'Test262Error: #1: var obj = {}; obj.splice = Array.prototype.splice; obj[0] = "x"; obj[4294967295] = "y"; obj.length = 4294967296; var arr = obj.splice(4294967295,1); arr.length === 1. Actual: 0' > strict mode: 'Test262Error: #1: var obj = {}; obj.splice = Array.prototype.splice; obj[0] = "x"; obj[4294967295] = "y"; obj.length = 4294967296; var arr = obj.splice(4294967295,1); arr.length === 1. Actual: 0'
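Review bot: In Source/JavaScriptCore/builtins/ArrayPrototype.js, once `let length = @toLength(array.length);` replaces `array.length >>> 0`, `length` is no longer bounded by 2^32 - 1, and the hunk does not show how the rest of sort() uses it. Please confirm that everything below this line that indexes or allocates by `length` behaves sensibly for values above 2^32 - 1, and add a JSTests case that asserts the new result for a generic object with such a length, since this patch only removes or comments out existing expectations.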
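Review bot: In functionGetPrivateProperty in Source/JavaScriptCore/tools/JSDollarVM.cpp, `asString(exec->argument(1))->value(exec)` is followed directly by the private-name lookup with no exception check, although a throw scope has been declared; resolving the string can throw, so a RETURN_IF_EXCEPTION(scope, encodedJSValue()) after that line would be safer. The argument handling is also inconsistent: a missing or non-string name silently returns undefined while an unknown name throws, and throwing in both cases would make mistakes in tests easier to spot. Since this gives script access to private-name properties, a short comment stating that it is a $vm-only test helper would help, and no test in this patch calls $vm.getPrivateProperty yet.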
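Review bot: In S15.4.4.11_A4_T2.html and S15.4.4.11_A4_T3.html, CHECK#3 is commented out but the unchanged context right after it still contains CHECK#4, `if (obj[1] !== "z") {`, which looks like it depends on the same uint32 truncation. With obj.length = -4294967294, toLength yields 0 and nothing is sorted, so obj[1] stays "y"; with obj.length = 4294967298 all three elements are in range and, per the spec, obj[1] would also end up "y". Please check whether CHECK#4 still passes in both files and update it if not. In all three files, T1 included, consider replacing the disabled checks with assertions of the post-toLength result instead of leaving commented-out code behind.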
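Review bot: In JSTests/test262/expectations.yaml, the context lines around the removed sort/S15.4.4.11_A4_T3.js entry still list splice/S15.4.4.12_A3_T1.js failing with the same obj.length = 4294967296 pattern, so the uint32 truncation is not unique to sort. That is fine to leave for a follow-up, but the JSTests ChangeLog entry `* test262/expectations.yaml:` has no description; please say there that the sort expectation is removed because the test now passes, and reference a follow-up bug for the remaining length-truncation failures if one exists.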