author     Simon Hausmann <simon.hausmann@nokia.com>   2009-04-24 10:37:49 (GMT)
committer  Simon Hausmann <simon.hausmann@nokia.com>   2009-04-24 10:37:49 (GMT)
commit     e09144d9ae2fbebaa5c6a2eeb7975a3a75ddbf0b (patch)
tree       42b7b82c0ed522debabbde93b5b9f28658176762 /src/3rdparty/webkit/JavaScriptCore
parent     10fa7986020c75da0ce68ec051a1086bd6bf5bf4 (diff)
Updated WebKit from /home/shausman/src/webkit/trunk to origin/qtwebkit-4.5 ( d5ea85e03f22fb6fb87275774a2c53031941017e )

Changes in WebKit since the last update:

++ b/JavaScriptCore/ChangeLog

2009-01-22  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/6516853> (r39682-r39736) JSFunFuzz: crash on "(function(){({ x2: x }), })()"
        <https://bugs.webkit.org/show_bug.cgi?id=23479>

        Automatic semicolon insertion was resulting in this being accepted in the initial
        nodeless parsing, but subsequent reparsing for code generation would fail, leading
        to a crash. The solution is to ensure that reparsing a function performs parsing
        in the same state as the initial parse. We do this by modifying the saved source
        ranges to include rather than exclude the opening and closing braces.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reparseForExceptionInfoIfNecessary): add an assertion for successful recompile
        * parser/Lexer.h:
        (JSC::Lexer::sourceCode): include rather than exclude braces.
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::toSourceString): No need to append braces anymore.

2009-01-21  Alexey Proskuryakov  <ap@webkit.org>

        Suggested by Oliver Hunt. Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=23456
        Function argument names leak

        * parser/Nodes.cpp: (JSC::FunctionBodyNode::~FunctionBodyNode): Destruct parameter names.

2009-01-22  Beth Dakin  <bdakin@apple.com>

        Reviewed by Sam Weinig.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=23461 LayoutTests/
        fast/js/numeric-conversion.html is broken, and corresponding
        <rdar://problem/6514842>

        The basic problem here is that parseInt(Infinity) should be NaN,
        but we were returning 0. NaN matches Safari 3.2.1 and Firefox.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):

2009-01-13  Beth Dakin  <bdakin@apple.com>

        Reviewed by Darin Adler and Oliver Hunt.

        <rdar://problem/6489314> REGRESSION: Business widget's front side
        fails to render correctly when flipping widget

        The problem here is that parseInt was parsing NaN as 0. This patch
        corrects that by parsing NaN as NaN. This matches our old behavior
        and Firefox.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):

++ b/LayoutTests/ChangeLog

2009-01-22  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/6516853> (r39682-r39736) JSFunFuzz: crash on "(function(){({ x2: x }), })()"
        <https://bugs.webkit.org/show_bug.cgi?id=23479>

        Add additional reparsing tests.

        * fast/js/reparsing-semicolon-insertion-expected.txt:
        * fast/js/resources/reparsing-semicolon-insertion.js:
        (commaParenTest):
        (commaParenThrowTest):

2009-01-22  Beth Dakin  <bdakin@apple.com>

        Reviewed by Sam Weinig.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=23461 LayoutTests/
        fast/js/numeric-conversion.html is broken, and corresponding
        <rdar://problem/6514842>

        The basic problem here is that parseInt(Infinity) should be NaN,
        but we were returning 0. NaN matches Safari 3.2.1 and Firefox.

        * fast/js/numeric-conversion-expected.txt:
        * fast/js/resources/numeric-conversion.js:

2009-01-13  Beth Dakin  <bdakin@apple.com>

        Reviewed by Darin Adler and Oliver Hunt.

        Updated test and results for <rdar://problem/6489314> REGRESSION:
        Business widget's front side fails to render correctly when flipping
        widget

        parseInt(NaN) should be NaN.

        * fast/js/numeric-conversion-expected.txt:
        * fast/js/resources/numeric-conversion.js:

++ b/WebCore/ChangeLog

2009-03-13  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        Reviewed by Alexey Proskuryakov.

        https://bugs.webkit.org/show_bug.cgi?id=24349
        [QT] HTTP status text is never set

        Set HTTP status text to the reason phrase attribute of QNetworkReply.

        * platform/network/qt/QNetworkReplyHandler.cpp:
        (WebCore::QNetworkReplyHandler::sendResponseIfNeeded):

2009-03-02  Dirk Schulze  <krit@webkit.org>

        Reviewed by Holger Freyther.

        Added putImageData to Qt. Discussed with Ariya Hidayat.

        [Qt] lacks putImageData support in Canvas
        https://bugs.webkit.org/show_bug.cgi?id=22186

        * platform/graphics/qt/ImageBufferQt.cpp:
        (WebCore::ImageBuffer::putImageData):

2009-03-01  Larry Ewing  <lewing@novell.com>

        Reviewed by Alexey Proskuryakov.

        https://bugs.webkit.org/show_bug.cgi?id=24080
        NPN_GetValue casting to the wrong type and writing outside bounds

        Make sure to cast the value to the correct type so that only
        memory owned by the value is written to.

        * plugins/gtk/PluginViewGtk.cpp (PluginView::getValueStatic):
        * plugins/qt/PluginViewQt.cpp (PluginView::getValueStatic):
        * plugins/mac/PluginViewMac.cpp (PluginView::getValueStatic):
        (PluginView::getValue):

2009-02-27  Adam Treat  <adam.treat@torchmobile.com>

        Reviewed by Eric Seidel.

        https://bugs.webkit.org/show_bug.cgi?id=24229
        If an image has no alpha channel there is no reason to use SourceOver.

        * platform/graphics/qt/ImageQt.cpp:
        (WebCore::Image::drawPattern):
        (WebCore::BitmapImage::draw):

2009-02-27  Zack Rusin  <zack@kde.org>

        Reviewed by Nikolas Zimmermann.

        Qt: be more reasonable about scrolled lines

        cMouseWheelPixelsPerLineStep is currently a constant set to 13.3. It
        doesn't match our metrics, meaning that Qt scrolls by ~2 lines by
        default, which is quite irritating. So let's scroll vertically by the
        Qt set number of lines * Qt default single step scroll.

        * platform/qt/WheelEventQt.cpp:

2009-02-25  Dirk Schulze  <krit@webkit.org>

        Reviewed by Oliver Hunt.

        Ported arcTo to Qt. Qt has no native support for arcTo. This change
        calculates the behavior of arcTo and draws it with lineTo and arc.

        [QT] implement Canvas arcTo
        https://bugs.webkit.org/show_bug.cgi?id=23873

        * platform/graphics/qt/PathQt.cpp:
        (WebCore::Path::addArcTo):

2009-03-12  Adam Treat  <adam.treat@torchmobile.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=24498
        Fix the Qt port to use the same algorithm for drawing dashed and dotted
        borders as the other ports. This makes the Qt port pixel-for-pixel
        perfect compared to border drawing with Apple's canonical mac port and
        much closer to konqueror and firefox behavior.

        * platform/graphics/qt/GraphicsContextQt.cpp:
        (WebCore::GraphicsContext::drawLine):

2009-03-09  Adam Treat  <adam.treat@torchmobile.com>

        Reviewed by George Staikos.

        https://bugs.webkit.org/show_bug.cgi?id=24463
        WebCore::qstring is detaching and copying twice for every single
        WebCore::TextRun that is processed and drawn. This elevates this method
        to one of the top-ten most expensive methods in all of QtWebKit
        according to profiling. This changes the method so that QString only
        detaches when absolutely necessary.

        * platform/graphics/qt/FontQt.cpp:
        (WebCore::qstring):
        (WebCore::fixSpacing):
        (WebCore::Font::drawComplexText):
        (WebCore::Font::floatWidthForComplexText):
        (WebCore::Font::offsetForPositionForComplexText):
        (WebCore::Font::selectionRectForComplexText):

++ b/WebKit/qt/ChangeLog

2009-03-02  Benjamin C Meyer  <benjamin.meyer@torchmobile.com>

        Reviewed by George Staikos.

        https://bugs.webkit.org/show_bug.cgi?id=21230
        On X11 match the behavior of Firefox and also copy the url to the
        clipboard selection when the action Copy Link Location is executed.

        * Api/qwebpage.cpp:
        (QWebPage::triggerAction):
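The parseInt behaviour described in the two Beth Dakin entries above, as an added example that is not code from the Qt/WebKit commit: a spec-style parseInt (ToString the argument, then consume digits valid in the radix) next to a JavaScript model of the patched JSC::globalFuncParseInt number fast path. The function names (specParseInt, fastPathParseInt, divergences), the `fixed` flag that reproduces the pre-fix 0 result, and the edge-case list are my own. Running the comparison shows that NaN and +/-Infinity now agree with the spec, and also where a floor-based fast path still disagrees with ToString-based parsing: fractions in (-1, 0), magnitudes that stringify in exponent form, and a non-default radix.

```javascript
// Added example, not code from the Qt/WebKit commit. specParseInt follows the
// ECMAScript parseInt algorithm; fastPathParseInt is a JavaScript model of the
// patched JSC::globalFuncParseInt number fast path. Names and cases are my own.

// Digit value of one character in a radix up to 36, or -1 if not a digit.
function parseDigit(ch) {
  const c = ch.codePointAt(0);
  if (c >= 48 && c <= 57) return c - 48;        // 0-9
  if (c >= 97 && c <= 122) return c - 97 + 10;  // a-z
  if (c >= 65 && c <= 90) return c - 65 + 10;   // A-Z
  return -1;
}

// Spec-style parseInt: ToString(input), strip leading whitespace, optional
// sign, ToInt32(radix) with 0 meaning 10 (or 16 after a 0x prefix), then
// consume the longest prefix of valid digits. No digits at all gives NaN.
function specParseInt(input, radix) {
  let s = String(input).trimStart();
  let sign = 1;
  if (s.startsWith('-')) { sign = -1; s = s.slice(1); }
  else if (s.startsWith('+')) { s = s.slice(1); }

  let r = radix === undefined ? 0 : Number(radix) | 0;  // ToInt32
  let stripPrefix = true;
  if (r !== 0) {
    if (r < 2 || r > 36) return NaN;
    if (r !== 16) stripPrefix = false;
  } else {
    r = 10;
  }
  if (stripPrefix && /^0[xX]/.test(s)) { s = s.slice(2); r = 16; }

  let value = 0, digits = 0;
  for (const ch of s) {
    const d = parseDigit(ch);
    if (d < 0 || d >= r) break;
    value = value * r + d;
    digits += 1;
  }
  if (digits === 0) return NaN;
  return sign * value;  // "-0" yields -0, as the spec requires
}

// Model of the patched number fast path: integers come back unchanged (the
// JSImmediate case), other finite doubles are floored, and NaN / +-Infinity
// become NaN. With fixed = false the pre-patch result (0) is returned, so the
// bug the commit fixes can be reproduced side by side. Note that radix is
// never consulted for a number argument, exactly as in the fast path.
function fastPathParseInt(value, radix, fixed = true) {
  if (typeof value === 'number') {
    if (Number.isInteger(value)) return value;
    if (Number.isFinite(value)) return Math.floor(value);
    return fixed ? NaN : 0;
  }
  return specParseInt(value, radix);   // strings take the ordinary path
}

// Constructed edge cases: [value, radix] pairs.
const EDGE_CASES = [
  [NaN, undefined], [Infinity, undefined], [-Infinity, undefined],
  [3.7, undefined], [-0.5, undefined], [5e-7, undefined], [1e21, undefined],
  [10, 2],
];

// Returns the cases where the fast path and the spec algorithm disagree,
// comparing with Object.is so that -0 and NaN are handled exactly.
function divergences(cases, fixed = true) {
  const out = [];
  for (const [value, radix] of cases) {
    const spec = specParseInt(value, radix);
    const fast = fastPathParseInt(value, radix, fixed);
    if (!Object.is(spec, fast)) out.push({ value, radix, spec, fast });
  }
  return out;
}

// Usage: after the fix only the fraction / exponent / radix cases differ;
// before it NaN and +-Infinity came back as 0 as well.
const describe = d => `${d.value} (radix ${d.radix}) -> spec ${d.spec}, fast ${d.fast}`;
console.log('after fix :', divergences(EDGE_CASES, true).map(describe));
console.log('before fix:', divergences(EDGE_CASES, false).map(describe));
```

The cross-check worth keeping is specParseInt against the host engine's own parseInt on the same inputs; if they ever disagree, the model is wrong, not the engine. The remaining divergences are inherent to any fast path that floors the double instead of round-tripping through ToString, which is why a number argument with an explicit radix, or a value such as 5e-7, cannot be handled correctly without falling back to the string path.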
Diffstat (limited to 'src/3rdparty/webkit/JavaScriptCore')
-rw-r--r--  src/3rdparty/webkit/JavaScriptCore/ChangeLog                             57
-rw-r--r--  src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp                 1
-rw-r--r--  src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h                         2
-rw-r--r--  src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp                       2
-rw-r--r--  src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h                         2
-rw-r--r--  src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp    8
6 files changed, 67 insertions, 5 deletions
diff --git a/src/3rdparty/webkit/JavaScriptCore/ChangeLog b/src/3rdparty/webkit/JavaScriptCore/ChangeLog
index fe85bb9..3321570 100644
--- a/src/3rdparty/webkit/JavaScriptCore/ChangeLog
+++ b/src/3rdparty/webkit/JavaScriptCore/ChangeLog
@@ -1,3 +1,60 @@
+2009-01-22 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Geoff Garen.
+
+ <rdar://problem/6516853> (r39682-r39736) JSFunFuzz: crash on "(function(){({ x2: x }), })()"
+ <https://bugs.webkit.org/show_bug.cgi?id=23479>
+
+ Automatic semicolon insertion was resulting in this being accepted in the initial
+ nodeless parsing, but subsequent reparsing for code generation would fail, leading
+ to a crash. The solution is to ensure that reparsing a function performs parsing
+ in the same state as the initial parse. We do this by modifying the saved source
+ ranges to include rather than exclude the opening and closing braces.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::reparseForExceptionInfoIfNecessary): add an assertion for successful recompile
+ * parser/Lexer.h:
+ (JSC::Lexer::sourceCode): include rather than exclude braces.
+ * parser/Nodes.h:
+ (JSC::FunctionBodyNode::toSourceString): No need to append braces anymore.
+
+2009-01-21 Alexey Proskuryakov <ap@webkit.org>
+
+ Suggested by Oliver Hunt. Reviewed by Oliver Hunt.
+
+ https://bugs.webkit.org/show_bug.cgi?id=23456
+ Function argument names leak
+
+ * parser/Nodes.cpp: (JSC::FunctionBodyNode::~FunctionBodyNode): Destruct parameter names.
+
+2009-01-22 Beth Dakin <bdakin@apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Fix for https://bugs.webkit.org/show_bug.cgi?id=23461 LayoutTests/
+ fast/js/numeric-conversion.html is broken, and corresponding
+ <rdar://problem/6514842>
+
+ The basic problem here is that parseInt(Infinity) should be NaN,
+ but we were returning 0. NaN matches Safari 3.2.1 and Firefox.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncParseInt):
+
+2009-01-13 Beth Dakin <bdakin@apple.com>
+
+ Reviewed by Darin Adler and Oliver Hunt.
+
+ <rdar://problem/6489314> REGRESSION: Business widget's front side
+ fails to render correctly when flipping widget
+
+ The problem here is that parseInt was parsing NaN as 0. This patch
+ corrects that by parsing NaN as NaN. This matches our old behavior
+ and Firefox.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncParseInt):
+
2009-02-13 Adam Treat <adam.treat@torchmobile.com>
Reviewed by George Staikos.
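Review bot: the ChangeLog entries for JSGlobalObjectFunctions.cpp say that NaN and Infinity now parse to NaN, but the code hunk in this same patch keeps a `return JSImmediate::zeroImmediate();` after the NaN branch, so the log should either state that no input reaches that return or name the input that still yields 0. The two parseInt entries (2009-01-22 for Infinity, 2009-01-13 for NaN) land here as a single code change; one entry describing both cases would match what the diff actually does, and it would avoid the reader having to reconcile "parsing NaN as NaN" with a function that still contains a zero return.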
diff --git a/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp b/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp
index 91fb1c0..9207c8a 100644
--- a/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -1397,6 +1397,7 @@ void CodeBlock::reparseForExceptionInfoIfNecessary(CallFrame* callFrame)
case FunctionCode: {
FunctionBodyNode* ownerFunctionBodyNode = static_cast<FunctionBodyNode*>(m_ownerNode);
RefPtr<FunctionBodyNode> newFunctionBody = m_globalData->parser->reparse<FunctionBodyNode>(m_globalData, ownerFunctionBodyNode);
+ ASSERT(newFunctionBody);
newFunctionBody->finishParsing(ownerFunctionBodyNode->copyParameters(), ownerFunctionBodyNode->parameterCount());
CodeBlock& newCodeBlock = newFunctionBody->bytecodeForExceptionInfoReparse(scopeChain);
ASSERT(newCodeBlock.m_exceptionInfo);
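Review bot: `ASSERT(newFunctionBody);` compiles out in release builds, and the very next line dereferences newFunctionBody in `newFunctionBody->finishParsing(...)`, so a failed reparse still crashes at exactly the point this patch is trying to document. If the Lexer.h change really guarantees that reparse() succeeds whenever the initial parse did, put that invariant in a one-line comment next to the assertion; if it does not, this needs a real null check that leaves the exception-info reparse and returns rather than continuing into finishParsing and bytecodeForExceptionInfoReparse.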
diff --git a/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h b/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h
index cb553af..afcf09f 100644
--- a/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h
+++ b/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h
@@ -88,7 +88,7 @@ namespace JSC {
bool sawError() const { return m_error; }
void clear();
- SourceCode sourceCode(int openBrace, int closeBrace, int firstLine) { return SourceCode(m_source->provider(), openBrace + 1, closeBrace, firstLine); }
+ SourceCode sourceCode(int openBrace, int closeBrace, int firstLine) { return SourceCode(m_source->provider(), openBrace, closeBrace + 1, firstLine); }
private:
friend class JSGlobalData;
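Review bot: changing the range from `openBrace + 1, closeBrace` to `openBrace, closeBrace + 1` alters what every caller of sourceCode() and every consumer of the stored SourceCode receives, while the signature stays the same, so a consumer that still expects a brace-less body will compile and silently misbehave rather than fail. A comment on this line saying the braces are included so that a reparse sees the same tokens as the initial parse would record why the range is inclusive, and the review should confirm that the Nodes.h toSourceString() update in this patch is the only other place that depended on the old exclusive range.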
diff --git a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp
index bdc5d2f..201af28 100644
--- a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp
@@ -2552,6 +2552,8 @@ FunctionBodyNode::FunctionBodyNode(JSGlobalData* globalData, SourceElements* chi
FunctionBodyNode::~FunctionBodyNode()
{
ASSERT(!m_refCount);
+ for (size_t i = 0; i < m_parameterCount; ++i)
+ m_parameters[i].~Identifier();
fastFree(m_parameters);
}
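Review bot: the `m_parameters[i].~Identifier()` loop pairs with placement-new construction that happens outside this hunk (the copyParameters / finishParsing paths), so the destructor now silently depends on how that storage is filled. Add a comment pointing at the construction site and make sure the count used there is the same m_parameterCount read here; if the fastMalloc'd array were ever sized for more entries than are actually constructed, this loop would run ~Identifier() on uninitialised memory. With m_parameterCount == 0 the loop body never runs, so a null m_parameters is fine.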
diff --git a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h
index f8512f7..20885c3 100644
--- a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h
+++ b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h
@@ -2205,7 +2205,7 @@ namespace JSC {
void finishParsing(const SourceCode&, ParameterNode*);
void finishParsing(Identifier* parameters, size_t parameterCount);
- UString toSourceString() const JSC_FAST_CALL { return UString("{") + source().toString() + UString("}"); }
+ UString toSourceString() const JSC_FAST_CALL { return source().toString(); }
// These objects are ref/deref'd a lot in the scope chain, so this is a faster ref/deref.
// If the virtual machine changes so this doesn't happen as much we can change back.
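Review bot: toSourceString() now returns `source().toString()` verbatim and relies on Lexer::sourceCode() having stored the braces in the SourceCode. Any FunctionBodyNode whose SourceCode is produced by a path other than Lexer::sourceCode() will now yield a brace-less body from toSourceString(), which is a behaviour change for whatever builds function text from it. A short comment here stating that source() is expected to span the opening and closing braces would give future SourceCode producers the contract they have to meet.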
diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp b/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
index f12d2f3..ecdddcf 100644
--- a/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
@@ -302,9 +302,11 @@ JSValuePtr globalFuncParseInt(ExecState* exec, JSObject*, JSValuePtr, const ArgL
if (JSImmediate::isImmediate(value))
return value;
double d = value->uncheckedGetNumber();
- if (!isfinite(d))
- return JSImmediate::zeroImmediate();
- return jsNumber(exec, floor(d));
+ if (isfinite(d))
+ return jsNumber(exec, floor(d));
+ if (isnan(d) || isinf(d))
+ return jsNaN(&exec->globalData());
+ return JSImmediate::zeroImmediate();
}
return jsNumber(exec, parseInt(value->toString(exec), radix));
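Review bot: the final `return JSImmediate::zeroImmediate();` is unreachable. A double that fails `isfinite(d)` is either NaN or infinite, so `isnan(d) || isinf(d)` on the next line is always true and the zero return can never execute. Collapse it to

    if (isfinite(d))
        return jsNumber(exec, floor(d));
    return jsNaN(&exec->globalData());

which makes the intended behaviour (every non-finite number parses to NaN) obvious instead of leaving a dead branch that suggests some input still yields 0. Separately, this fast path returns `value` unchanged for an immediate and floors any other finite double without consulting radix, whereas the string path below it passes radix through; that predates this change, but it is worth a follow-up since the two paths give different results for the same numeric value with a non-default radix.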