Updated JavaScriptCore from /home/khansen/dev/qtwebkit-qtscript-integration to javascriptcore-snapshot-07042010 ( 42ad198e900e439f01d2062ad93d03043c68a309 )

https://bugs.webkit.org/show_bug.cgi?id=36511 <rdar://problem/7753498> Safari freezes when using SPUTNIK JavaScript conformance check
author: Kent Hansen <kent.hansen@nokia.com> 2010-04-07 16:35:43 (GMT)
committer: Kent Hansen <kent.hansen@nokia.com> 2010-04-07 16:55:20 (GMT)
commit: 26c2c1dbad1cdeec77497ff6f1085f49d831b921 (patch)
tree: 6f552f10c2343a5724f2cc8df2bf646b25fcabe0
parent: 931360299e8838821cc91305a350fcbe5b72bdb3 (diff)
download: Qt-26c2c1dbad1cdeec77497ff6f1085f49d831b921.zip
Qt-26c2c1dbad1cdeec77497ff6f1085f49d831b921.tar.gz
Qt-26c2c1dbad1cdeec77497ff6f1085f49d831b921.tar.bz2
3 files changed, 42 insertions, 8 deletions
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
index 0112e38..3e8cb66 100644
--- a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
+++ b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
@@ -1,3 +1,32 @@
+2010-03-23  Mark Rowe  <mrowe@apple.com>
+
+        Build fix.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSplice): Some versions of GCC emit a warning about the implicit 64- to 32-bit truncation
+        that takes place here. An explicit cast is sufficient to silence it.
+
+2010-03-23  Alexey Proskuryakov  <ap@apple.com>
+
+        Build fix.
+
+        * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSplice): Fixed a typo - length doesn't
+        need to be converted with toInteger().
+
+2010-03-23  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=36511
+        <rdar://problem/7753498> Safari freezes when using SPUTNIK JavaScript conformance check
+
+        Test: fast/js/sputnik-S15.4.4.12_A3_T3.html
+
+        * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSplice): We were incorrectly computing
+        the start offset, and iterated over (almost) all integers. Note that this can be fixed
+        without using doubles, but the code would be much more complicated, and there is no important
+        reason to stick to integers here.
+
 2010-03-22  Geoffrey Garen  <ggaren@apple.com>
 
         Reviewed by Sam Weinig.
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp
index ce814b2..e160364 100644
--- a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -531,14 +531,19 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
     // 15.4.4.12
     JSArray* resObj = constructEmptyArray(exec);
     JSValue result = resObj;
-    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+
+    // FIXME: Firefox returns an empty array.
     if (!args.size())
         return jsUndefined();
-    int begin = args.at(0).toUInt32(exec);
-    if (begin < 0)
-        begin = std::max<int>(begin + length, 0);
-    else
-        begin = std::min<int>(begin, length);
+
+    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+    double relativeBegin = args.at(0).toInteger(exec);
+    unsigned begin;
+    if (relativeBegin < 0) {
+        relativeBegin += length;
+        begin = (relativeBegin < 0) ? 0 : static_cast<unsigned>(relativeBegin);
+    } else
+        begin = std::min<unsigned>(static_cast<unsigned>(relativeBegin), length);
 
     unsigned deleteCount;
     if (args.size() > 1)
@@ -564,7 +569,7 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
             for (unsigned k = length; k > length - deleteCount + additionalArgs; --k)
                 thisObj->deleteProperty(exec, k - 1);
         } else {
-            for (unsigned k = length - deleteCount; (int)k > begin; --k) {
+            for (unsigned k = length - deleteCount; k > begin; --k) {
                 if (JSValue obj = getProperty(exec, thisObj, k + deleteCount - 1))
                     thisObj->put(exec, k + additionalArgs - 1, obj);
                 else
diff --git a/src/3rdparty/javascriptcore/VERSION b/src/3rdparty/javascriptcore/VERSION
index 695f401..c9861de 100644
--- a/src/3rdparty/javascriptcore/VERSION
+++ b/src/3rdparty/javascriptcore/VERSION
@@ -8,4 +8,4 @@ The commit imported was from the
 
 and has the sha1 checksum
 
-        499bdb98708eba4bd40532c70179bf45b43ad068
+        42ad198e900e439f01d2062ad93d03043c68a309
author	Kent Hansen <kent.hansen@nokia.com>	2010-04-07 16:35:43 (GMT)
committer	Kent Hansen <kent.hansen@nokia.com>	2010-04-07 16:55:20 (GMT)
commit	26c2c1dbad1cdeec77497ff6f1085f49d831b921 (patch)
tree	6f552f10c2343a5724f2cc8df2bf646b25fcabe0
parent	931360299e8838821cc91305a350fcbe5b72bdb3 (diff)
download	Qt-26c2c1dbad1cdeec77497ff6f1085f49d831b921.zip Qt-26c2c1dbad1cdeec77497ff6f1085f49d831b921.tar.gz Qt-26c2c1dbad1cdeec77497ff6f1085f49d831b921.tar.bz2