WebKit Bugzilla
Attachment 348007 Details for Bug 188794: [JSC] Array.prototype.reverse modifies JSImmutableButterfly
Patch: bug-188794-20180824232521.patch (text/plain), 3.96 KB, created by Yusuke Suzuki on 2018-08-24 07:25:22 PDT

Description: Patch
Filename: bug-188794-20180824232521.patch
MIME Type: text/plain
Creator: Yusuke Suzuki
Created: 2018-08-24 07:25:22 PDT
Size: 3.96 KB
>Subversion Revision: 235316 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 4a26d37378c79ec7f2d29e35730dcfd6348b6052..fd14a10dadb5732f87ad7e1653bfbd612ab4d912 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,20 @@ >+2018-08-24 Yusuke Suzuki <yusukesuzuki@slowstart.org> >+ >+ [JSC] Array.prototype.reverse modifies JSImmutableButterfly >+ https://bugs.webkit.org/show_bug.cgi?id=188794 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ While Array.prototype.reverse modifies the butterfly of the given Array, >+ it does not account JSImmutableButterfly case. So it accidentally modifies >+ the content of JSImmutableButterfly. >+ This patch converts CoW arrays to writable arrays before reversing. >+ >+ * runtime/ArrayPrototype.cpp: >+ (JSC::arrayProtoFuncReverse): >+ * runtime/JSObject.h: >+ (JSC::JSObject::ensureWritable): >+ > 2018-08-23 Simon Fraser <simon.fraser@apple.com> > > Add support for dumping GC heap snapshots, and a viewer >diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp >index 764871c80d0abdd5f4e4cb49d8d76b19c494cb5b..cbf3d724db60962f7f66e2d012e2425013f27f21 100644 >--- a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp >+++ b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp >@@ -855,6 +855,8 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec) > unsigned length = toLength(exec, thisObject); > RETURN_IF_EXCEPTION(scope, encodedJSValue()); > >+ thisObject->ensureWritable(vm); >+ > switch (thisObject->indexingType()) { > case ALL_CONTIGUOUS_INDEXING_TYPES: > case ALL_INT32_INDEXING_TYPES: { >diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h >index 96ccc040e7849386ed9575130a3366d48d651e39..568b266838953edfb0c61d03dac2160a18746c7c 100644 >--- a/Source/JavaScriptCore/runtime/JSObject.h >+++ b/Source/JavaScriptCore/runtime/JSObject.h 
>@@ -865,6 +865,12 @@ class JSObject : public JSCell { > > return ensureArrayStorageSlow(vm); > } >+ >+ void ensureWritable(VM& vm) >+ { >+ if (isCopyOnWrite(indexingMode())) >+ convertFromCopyOnWrite(vm); >+ } > > static size_t offsetOfInlineStorage(); > >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index a19ab57c19fee5594555833960f6a260f8a31754..f59fb92ef01d6adfbfd6e57a96d8c3a62d7c8b61 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,16 @@ >+2018-08-24 Yusuke Suzuki <yusukesuzuki@slowstart.org> >+ >+ [JSC] Array.prototype.reverse modifies JSImmutableButterfly >+ https://bugs.webkit.org/show_bug.cgi?id=188794 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/reverse-with-immutable-butterfly.js: Added. >+ (shouldBe): >+ (reverseInt): >+ (reverseDouble): >+ (reverseContiguous): >+ > 2018-08-22 Saam barati <sbarati@apple.com> > > Make data-view-access.js run less time to prevent timeouts on 32-bit >diff --git a/JSTests/stress/reverse-with-immutable-butterfly.js b/JSTests/stress/reverse-with-immutable-butterfly.js >new file mode 100644 >index 0000000000000000000000000000000000000000..8f5d428ceec7d25d067bbf74e347403231ea7f74 >--- /dev/null >+++ b/JSTests/stress/reverse-with-immutable-butterfly.js >@@ -0,0 +1,28 @@ >+function shouldBe(actual, expected) { >+ if (actual !== expected) >+ throw new Error('bad value: ' + actual); >+} >+ >+function reverseInt() >+{ >+ var array = [0, 1, 2, 3]; >+ return array.reverse(); >+} >+ >+function reverseDouble() >+{ >+ var array = [0.0, 1.1, 2.2, 3.3]; >+ return array.reverse(); >+} >+ >+function reverseContiguous() >+{ >+ var array = [0.0, 1.1, 2.2, 'hello']; >+ return array.reverse(); >+} >+ >+for (var i = 0; i < 1e4; ++i) { >+ shouldBe(JSON.stringify(reverseInt()), `[3,2,1,0]`); >+ shouldBe(JSON.stringify(reverseDouble()), `[3.3,2.2,1.1,0]`); >+ shouldBe(JSON.stringify(reverseContiguous()), `["hello",2.2,1.1,0]`); >+}
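Review bot: In the Source/JavaScriptCore/ChangeLog hunk, the entry says reverse "accidentally modifies the content of JSImmutableButterfly" but never states the user-visible effect, which the new test makes clear: the array literal at a given site shares that immutable butterfly, so after one `reverse()` the next evaluation of `[0, 1, 2, 3]` at the same site already starts out as `[3, 2, 1, 0]`. Spelling that out here would make the entry far more useful to anyone reading the log later. Two smaller points: "it does not account JSImmutableButterfly case" should read "it does not account for the JSImmutableButterfly case", and "Reviewed by NOBODY (OOPS!)" has to be filled in before this lands.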
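Review bot: In the arrayProtoFuncReverse hunk, `thisObject->ensureWritable(vm);` runs unconditionally before the `switch`, so every copy-on-write `this` is converted (allocating a fresh, writable butterfly) even when `length` is 0 or 1 and nothing will be swapped, or when the call ends up on a path that does not write into the butterfly directly. Consider gating it on `length > 1` or moving it into the fast-path arms (`ALL_CONTIGUOUS_INDEXING_TYPES`, `ALL_INT32_INDEXING_TYPES` and the double case) that do the in-place swaps. Placing it before the `switch` looks correct, since the JSObject.h hunk checks `isCopyOnWrite(indexingMode())` while the dispatch here is on `indexingType()`, suggesting the copy-on-write bit lives only in the mode, but a one-line comment saying that the conversion does not change which case is taken, and why it must happen before the swap loop, would save the next reader from having to verify that.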
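Review bot: The new `JSObject::ensureWritable(VM&)` in the JSObject.h hunk has no comment stating its contract; a short note that on return the object's butterfly is writable and may be mutated in place (the property arrayProtoFuncReverse now relies on) would help other in-place mutators find and reuse it instead of open-coding `if (isCopyOnWrite(indexingMode())) convertFromCopyOnWrite(vm);`. It also mirrors the `ensureArrayStorage` / `ensureArrayStorageSlow` inline-check-then-out-of-line-slow-path pair directly above it, so mentioning that it is the copy-on-write counterpart of those helpers keeps the naming consistent for readers of this header.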
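Review bot: In reverse-with-immutable-butterfly.js the first iteration of the `for (var i = 0; i < 1e4; ++i)` loop passes even with the bug present, because on first evaluation the literal's shared butterfly is still in source order; it is only the second call to `reverseInt`, `reverseDouble` or `reverseContiguous` that would observe an already-reversed literal and return `[0,1,2,3]` instead of `[3,2,1,0]`. A comment saying the loop exists to re-evaluate the same three literals (and to let the functions tier up), not merely to repeat the assertion, would stop someone later reducing it to a single call and silently losing the regression coverage.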
Flags: saam: review+
Attachments on bug 188794: 348007