| field | value | date |
|---|---|---|
| author | Simon Hausmann <simon.hausmann@nokia.com> | 2009-04-24 10:37:49 (GMT) |
| committer | Simon Hausmann <simon.hausmann@nokia.com> | 2009-04-24 10:37:49 (GMT) |
| commit | e09144d9ae2fbebaa5c6a2eeb7975a3a75ddbf0b (patch) | |
| tree | 42b7b82c0ed522debabbde93b5b9f28658176762 /src/3rdparty/webkit/JavaScriptCore | |
| parent | 10fa7986020c75da0ce68ec051a1086bd6bf5bf4 (diff) | |
Updated WebKit from /home/shausman/src/webkit/trunk to origin/qtwebkit-4.5 ( d5ea85e03f22fb6fb87275774a2c53031941017e )
Changes in WebKit since the last update:
++ b/JavaScriptCore/ChangeLog
2009-01-22 Oliver Hunt <oliver@apple.com>
Reviewed by Geoff Garen.
<rdar://problem/6516853> (r39682-r39736) JSFunFuzz: crash on "(function(){({ x2: x }), })()"
<https://bugs.webkit.org/show_bug.cgi?id=23479>
Automatic semicolon insertion was resulting in this being accepted in the initial
nodeless parsing, but subsequent reparsing for code generation would fail, leading
to a crash. The solution is to ensure that reparsing a function performs parsing
in the same state as the initial parse. We do this by modifying the saved source
ranges to include rather than exclude the opening and closing braces.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::reparseForExceptionInfoIfNecessary): add an assertion for successful recompile
* parser/Lexer.h:
(JSC::Lexer::sourceCode): include rather than exclude braces.
* parser/Nodes.h:
(JSC::FunctionBodyNode::toSourceString): No need to append braces anymore.
2009-01-21 Alexey Proskuryakov <ap@webkit.org>
Suggested by Oliver Hunt. Reviewed by Oliver Hunt.
https://bugs.webkit.org/show_bug.cgi?id=23456
Function argument names leak
* parser/Nodes.cpp: (JSC::FunctionBodyNode::~FunctionBodyNode): Destruct parameter names.
2009-01-22 Beth Dakin <bdakin@apple.com>
Reviewed by Sam Weinig.
Fix for https://bugs.webkit.org/show_bug.cgi?id=23461 LayoutTests/
fast/js/numeric-conversion.html is broken, and corresponding
<rdar://problem/6514842>
The basic problem here is that parseInt(Infinity) should be NaN,
but we were returning 0. NaN matches Safari 3.2.1 and Firefox.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncParseInt):
2009-01-13 Beth Dakin <bdakin@apple.com>
Reviewed by Darin Adler and Oliver Hunt.
<rdar://problem/6489314> REGRESSION: Business widget's front side
fails to render correctly when flipping widget
The problem here is that parseInt was parsing NaN as 0. This patch
corrects that by parsing NaN as NaN. This matches our old behavior
and Firefox.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncParseInt):
++ b/LayoutTests/ChangeLog
2009-01-22 Oliver Hunt <oliver@apple.com>
Reviewed by Geoff Garen.
<rdar://problem/6516853> (r39682-r39736) JSFunFuzz: crash on "(function(){({ x2: x }), })()"
<https://bugs.webkit.org/show_bug.cgi?id=23479>
Add additional reparsing tests.
* fast/js/reparsing-semicolon-insertion-expected.txt:
* fast/js/resources/reparsing-semicolon-insertion.js:
(commaParenTest):
(commaParenThrowTest):
2009-01-22 Beth Dakin <bdakin@apple.com>
Reviewed by Sam Weinig.
Fix for https://bugs.webkit.org/show_bug.cgi?id=23461 LayoutTests/
fast/js/numeric-conversion.html is broken, and corresponding
<rdar://problem/6514842>
The basic problem here is that parseInt(Infinity) should be NaN,
but we were returning 0. NaN matches Safari 3.2.1 and Firefox.
* fast/js/numeric-conversion-expected.txt:
* fast/js/resources/numeric-conversion.js:
2009-01-13 Beth Dakin <bdakin@apple.com>
Reviewed by Darin Adler and Oliver Hunt.
Updated test and results for <rdar://problem/6489314> REGRESSION:
Business widget's front side fails to render correctly when
flipping widget
parseInt(NaN) should be NaN.
* fast/js/numeric-conversion-expected.txt:
* fast/js/resources/numeric-conversion.js:
++ b/WebCore/ChangeLog
2009-03-13 Adam Bergkvist <adam.bergkvist@ericsson.com>
Reviewed by Alexey Proskuryakov.
https://bugs.webkit.org/show_bug.cgi?id=24349
[QT] HTTP status text is never set
Set HTTP status text to the reason phrase attribute of QNetworkReply.
* platform/network/qt/QNetworkReplyHandler.cpp:
(WebCore::QNetworkReplyHandler::sendResponseIfNeeded):
2009-03-02 Dirk Schulze <krit@webkit.org>
Reviewed by Holger Freyther.
Added putImageData to Qt. Discussed with Ariya Hidayat.
[Qt] lacks putImageData support in Canvas
https://bugs.webkit.org/show_bug.cgi?id=22186
* platform/graphics/qt/ImageBufferQt.cpp:
(WebCore::ImageBuffer::putImageData):
2009-03-01 Larry Ewing <lewing@novell.com>
Reviewed by Alexey Proskuryakov.
https://bugs.webkit.org/show_bug.cgi?id=24080
NPN_GetValue casting to the wrong type and writing outside bounds
Make sure to cast the value to the correct type so that only
memory owned by the value is written to.
* plugins/gtk/PluginViewGtk.cpp (PluginView::getValueStatic):
* plugins/qt/PluginViewQt.cpp (PluginView::getValueStatic):
* plugins/mac/PluginViewMac.cpp (PluginView::getValueStatic):
(PluginView::getValue):
2009-02-27 Adam Treat <adam.treat@torchmobile.com>
Reviewed by Eric Seidel.
https://bugs.webkit.org/show_bug.cgi?id=24229
If an image has no alpha channel there is no reason to use SourceOver.
* platform/graphics/qt/ImageQt.cpp:
(WebCore::Image::drawPattern):
(WebCore::BitmapImage::draw):
2009-02-27 Zack Rusin <zack@kde.org>
Reviewed by Nikolas Zimmermann.
Qt: be more reasonable about scrolled lines
cMouseWheelPixelsPerLineStep is currently a constant set to 13.3. It doesn't
match our metrics, meaning that Qt scrolls by ~2 lines by default, which is quite
irritating. So let's scroll vertically by the Qt set number of lines * Qt default
single step scroll.
* platform/qt/WheelEventQt.cpp:
2009-02-25 Dirk Schulze <krit@webkit.org>
Reviewed by Oliver Hunt.
Ported arcTo to Qt. Qt has no native support for arcTo. This change
calculates the behavior of arcTo and draws it with lineTo and arc.
[QT] implement Canvas arcTo
https://bugs.webkit.org/show_bug.cgi?id=23873
* platform/graphics/qt/PathQt.cpp:
(WebCore::Path::addArcTo):
2009-03-12 Adam Treat <adam.treat@torchmobile.com>
Reviewed by Oliver Hunt.
https://bugs.webkit.org/show_bug.cgi?id=24498
Fix the Qt port to use the same algorithm for drawing dashed and dotted
borders as the other ports. This makes the Qt port pixel-for-pixel perfect
compared to border drawing with Apple's canonical mac port and much closer
to konqueror and firefox behavior.
* platform/graphics/qt/GraphicsContextQt.cpp:
(WebCore::GraphicsContext::drawLine):
2009-03-09 Adam Treat <adam.treat@torchmobile.com>
Reviewed by George Staikos.
https://bugs.webkit.org/show_bug.cgi?id=24463
WebCore::qstring is detaching and copying twice for every single
WebCore::TextRun that is processed and drawn. This elevates this method
to one of the top-ten most expensive methods in all of QtWebKit according
to profiling. This changes the method so that QString only detaches
when absolutely necessary.
* platform/graphics/qt/FontQt.cpp:
(WebCore::qstring):
(WebCore::fixSpacing):
(WebCore::Font::drawComplexText):
(WebCore::Font::floatWidthForComplexText):
(WebCore::Font::offsetForPositionForComplexText):
(WebCore::Font::selectionRectForComplexText):
++ b/WebKit/qt/ChangeLog
2009-03-02 Benjamin C Meyer <benjamin.meyer@torchmobile.com>
Reviewed by George Staikos.
https://bugs.webkit.org/show_bug.cgi?id=21230
On X11 match the behavior of Firefox and also copy the url to the
clipboard selection when the action Copy Link Location is executed.
* Api/qwebpage.cpp:
(QWebPage::triggerAction):
Diffstat (limited to 'src/3rdparty/webkit/JavaScriptCore')
6 files changed, 67 insertions, 5 deletions
diff --git a/src/3rdparty/webkit/JavaScriptCore/ChangeLog b/src/3rdparty/webkit/JavaScriptCore/ChangeLog index fe85bb9..3321570 100644 --- a/src/3rdparty/webkit/JavaScriptCore/ChangeLog +++ b/src/3rdparty/webkit/JavaScriptCore/ChangeLog 
@@ -1,3 +1,60 @@ +2009-01-22 Oliver Hunt <oliver@apple.com> + + Reviewed by Geoff Garen. + + <rdar://problem/6516853> (r39682-r39736) JSFunFuzz: crash on "(function(){({ x2: x }), })()" + <https://bugs.webkit.org/show_bug.cgi?id=23479> + + Automatic semicolon insertion was resulting in this being accepted in the initial + nodeless parsing, but subsequent reparsing for code generation would fail, leading + to a crash. The solution is to ensure that reparsing a function performs parsing + in the same state as the initial parse. We do this by modifying the saved source + ranges to include rather than exclude the opening and closing braces. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::reparseForExceptionInfoIfNecessary): add an assertion for successful recompile + * parser/Lexer.h: + (JSC::Lexer::sourceCode): include rather than exclude braces. + * parser/Nodes.h: + (JSC::FunctionBodyNode::toSourceString): No need to append braces anymore. + +2009-01-21 Alexey Proskuryakov <ap@webkit.org> + + Suggested by Oliver Hunt. Reviewed by Oliver Hunt. + + https://bugs.webkit.org/show_bug.cgi?id=23456 + Function argument names leak + + * parser/Nodes.cpp: (JSC::FunctionBodyNode::~FunctionBodyNode): Destruct parameter names. + +2009-01-22 Beth Dakin <bdakin@apple.com> + + Reviewed by Sam Weinig. + + Fix for https://bugs.webkit.org/show_bug.cgi?id=23461 LayoutTests/ + fast/js/numeric-conversion.html is broken, and corresponding + <rdar://problem/6514842> + + The basic problem here is that parseInt(Infinity) should be NaN, + but we were returning 0. NaN matches Safari 3.2.1 and Firefox. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncParseInt): + +2009-01-13 Beth Dakin <bdakin@apple.com> + + Reviewed by Darin Adler and Oliver Hunt. + + <rdar://problem/6489314> REGRESSION: Business widget's front side + fails to render correctly when flipping widget + + The problem here is that parseInt was parsing NaN as 0. This patch + corrects that by parsing NaN as NaN. 
This matches our old behavior + and Firefox. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncParseInt): + 2009-02-13 Adam Treat <adam.treat@torchmobile.com> Reviewed by George Staikos. diff --git a/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp b/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp index 91fb1c0..9207c8a 100644 --- a/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp +++ b/src/3rdparty/webkit/JavaScriptCore/bytecode/CodeBlock.cpp @@ -1397,6 +1397,7 @@ void CodeBlock::reparseForExceptionInfoIfNecessary(CallFrame* callFrame) case FunctionCode: { FunctionBodyNode* ownerFunctionBodyNode = static_cast<FunctionBodyNode*>(m_ownerNode); RefPtr<FunctionBodyNode> newFunctionBody = m_globalData->parser->reparse<FunctionBodyNode>(m_globalData, ownerFunctionBodyNode); + ASSERT(newFunctionBody); newFunctionBody->finishParsing(ownerFunctionBodyNode->copyParameters(), ownerFunctionBodyNode->parameterCount()); CodeBlock& newCodeBlock = newFunctionBody->bytecodeForExceptionInfoReparse(scopeChain); ASSERT(newCodeBlock.m_exceptionInfo); diff --git a/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h b/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h index cb553af..afcf09f 100644 --- a/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h +++ b/src/3rdparty/webkit/JavaScriptCore/parser/Lexer.h @@ -88,7 +88,7 @@ namespace JSC { bool sawError() const { return m_error; } void clear(); - SourceCode sourceCode(int openBrace, int closeBrace, int firstLine) { return SourceCode(m_source->provider(), openBrace + 1, closeBrace, firstLine); } + SourceCode sourceCode(int openBrace, int closeBrace, int firstLine) { return SourceCode(m_source->provider(), openBrace, closeBrace + 1, firstLine); } private: friend class JSGlobalData; diff --git a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp index bdc5d2f..201af28 100644 --- a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp 
+++ b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.cpp @@ -2552,6 +2552,8 @@ FunctionBodyNode::FunctionBodyNode(JSGlobalData* globalData, SourceElements* chi FunctionBodyNode::~FunctionBodyNode() { ASSERT(!m_refCount); + for (size_t i = 0; i < m_parameterCount; ++i) + m_parameters[i].~Identifier(); fastFree(m_parameters); } diff --git a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h index f8512f7..20885c3 100644 --- a/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h +++ b/src/3rdparty/webkit/JavaScriptCore/parser/Nodes.h @@ -2205,7 +2205,7 @@ namespace JSC { void finishParsing(const SourceCode&, ParameterNode*); void finishParsing(Identifier* parameters, size_t parameterCount); - UString toSourceString() const JSC_FAST_CALL { return UString("{") + source().toString() + UString("}"); } + UString toSourceString() const JSC_FAST_CALL { return source().toString(); } // These objects are ref/deref'd a lot in the scope chain, so this is a faster ref/deref. // If the virtual machine changes so this doesn't happen as much we can change back. diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp b/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp index f12d2f3..ecdddcf 100644 --- a/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp +++ b/src/3rdparty/webkit/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp @@ -302,9 +302,11 @@ JSValuePtr globalFuncParseInt(ExecState* exec, JSObject*, JSValuePtr, const ArgL if (JSImmediate::isImmediate(value)) return value; double d = value->uncheckedGetNumber(); - if (!isfinite(d)) - return JSImmediate::zeroImmediate(); - return jsNumber(exec, floor(d)); + if (isfinite(d)) + return jsNumber(exec, floor(d)); + if (isnan(d) || isinf(d)) + return jsNaN(&exec->globalData()); + return JSImmediate::zeroImmediate(); } return jsNumber(exec, parseInt(value->toString(exec), radix)); |
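Review bot: the ChangeLog entries added by the first hunk are not in date order (2009-01-22, 2009-01-21, 2009-01-22, 2009-01-13), so the two parseInt fixes read backwards (the 23461 Infinity fix appears above the 6489314 NaN fix it builds on). If the order reflects the cherry-pick sequence onto qtwebkit-4.5 that is fine, but a one-line note in the commit message saying so would save the next reader from assuming the log was mis-merged.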
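Review bot: in the CodeBlock.cpp hunk, ASSERT(newFunctionBody) is a debug-only check; in release builds the very next line still dereferences newFunctionBody via finishParsing, so a reparse that returns null would crash there exactly as before. The Lexer.h and Nodes.h changes are what make the reparse succeed, and the assertion only documents that invariant. If a null result is now genuinely impossible, a comment stating why (the reparse sees the same brace-inclusive source as the initial parse) would help; otherwise a release-mode bail-out belongs here.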
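Review bot: the Lexer.h hunk changes sourceCode() from a brace-exclusive range (openBrace + 1, closeBrace) to a brace-inclusive one (openBrace, closeBrace + 1) for every SourceCode built through this helper, yet the only consumer adjusted in the patch is FunctionBodyNode::toSourceString. Any other reader of FunctionBodyNode::source() that assumed the braces were excluded would now see them (and anything that re-adds them would emit doubled braces), so it is worth confirming there are no such callers; a short comment on the method saying the range now includes both braces would also guard against the next off-by-one.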
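Review bot: the Nodes.cpp destructor now calls ~Identifier() on each of m_parameters[0..m_parameterCount) before fastFree(m_parameters), which is what the leak fix needs (fastFree alone never ran the Identifier destructors, so the argument names were leaked). It also assumes every entry was placement-constructed; please confirm that m_parameterCount is zero whenever m_parameters is null or was never filled in (a body for which finishParsing was not called), otherwise the loop destructs uninitialised memory.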
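Review bot: toSourceString() in the Nodes.h hunk now returns source().toString() verbatim, which is only correct in lockstep with the Lexer.h change in this same patch; the two hunks must not be split when backporting. A comment noting that the braces are part of the saved range would stop someone from restoring the UString("{") + ... + UString("}") wrapping and producing {{...}}.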
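Review bot: in the JSGlobalObjectFunctions.cpp hunk the trailing `return JSImmediate::zeroImmediate();` is unreachable: a double that fails isfinite(d) is by definition NaN or infinite, so `isnan(d) || isinf(d)` always holds at that point. The block reduces to

if (isfinite(d))
    return jsNumber(exec, floor(d));
return jsNaN(&exec->globalData());

Separately, and pre-existing rather than introduced here, floor(d) rounds toward negative infinity while the string path below truncates toward zero, so parseInt(-1.5) gives -1 through parseInt(value->toString(exec), radix) but -2 through this fast path; using ceil for negative d (or trunc) would keep the two paths consistent.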