From 26c2c1dbad1cdeec77497ff6f1085f49d831b921 Mon Sep 17 00:00:00 2001
From: Kent Hansen
Date: Wed, 7 Apr 2010 18:35:43 +0200
Subject: Updated JavaScriptCore from /home/khansen/dev/qtwebkit-qtscript-integration to javascriptcore-snapshot-07042010 ( 42ad198e900e439f01d2062ad93d03043c68a309 )

https://bugs.webkit.org/show_bug.cgi?id=36511
Safari freezes when using SPUTNIK JavaScript conformance check
---
 .../javascriptcore/JavaScriptCore/ChangeLog | 29 ++++++++++++++++++++++
 .../JavaScriptCore/runtime/ArrayPrototype.cpp | 19 ++++++++------
 src/3rdparty/javascriptcore/VERSION | 2 +-
 3 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
index 0112e38..3e8cb66 100644
--- a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
+++ b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
@@ -1,3 +1,32 @@
+2010-03-23 Mark Rowe
+
+ Build fix.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSplice): Some versions of GCC emit a warning about the implicit 64- to 32-bit truncation
+ that takes place here. An explicit cast is sufficient to silence it.
+
+2010-03-23 Alexey Proskuryakov
+
+ Build fix.
+
+ * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSplice): Fixed a typo - length doesn't
+ need to be converted with toInteger().
+
+2010-03-23 Alexey Proskuryakov
+
+ Reviewed by Geoff Garen.
+
+ https://bugs.webkit.org/show_bug.cgi?id=36511
+ Safari freezes when using SPUTNIK JavaScript conformance check
+
+ Test: fast/js/sputnik-S15.4.4.12_A3_T3.html
+
+ * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSplice): We were incorrectly computing
+ the start offset, and iterated over (almost) all integers. Note that this can be fixed
+ without using doubles, but the code would be much more complicated, and there is no important
+ reason to stick to integers here.
+
 2010-03-22 Geoffrey Garen
 
 Reviewed by Sam Weinig.
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp
index ce814b2..e160364 100644
--- a/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/src/3rdparty/javascriptcore/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -531,14 +531,19 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
 // 15.4.4.12
 JSArray* resObj = constructEmptyArray(exec);
 JSValue result = resObj;
- unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+
+ // FIXME: Firefox returns an empty array.
 if (!args.size())
 return jsUndefined();
- int begin = args.at(0).toUInt32(exec);
- if (begin < 0)
- begin = std::max(begin + length, 0);
- else
- begin = std::min(begin, length);
+
+ unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+ double relativeBegin = args.at(0).toInteger(exec);
+ unsigned begin;
+ if (relativeBegin < 0) {
+ relativeBegin += length;
+ begin = (relativeBegin < 0) ? 0 : static_cast(relativeBegin);
+ } else
+ begin = std::min(static_cast(relativeBegin), length);
 
 unsigned deleteCount;
 if (args.size() > 1)
@@ -564,7 +569,7 @@ JSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec, JSObject*, JSValue t
 for (unsigned k = length; k > length - deleteCount + additionalArgs; --k)
 thisObj->deleteProperty(exec, k - 1);
 } else {
- for (unsigned k = length - deleteCount; (int)k > begin; --k) {
+ for (unsigned k = length - deleteCount; k > begin; --k) {
 if (JSValue obj = getProperty(exec, thisObj, k + deleteCount - 1))
 thisObj->put(exec, k + additionalArgs - 1, obj);
 else
diff --git a/src/3rdparty/javascriptcore/VERSION b/src/3rdparty/javascriptcore/VERSION
index 695f401..c9861de 100644
--- a/src/3rdparty/javascriptcore/VERSION
+++ b/src/3rdparty/javascriptcore/VERSION
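Review bot: In the first hunk the non-negative branch converts `relativeBegin` to `unsigned` before `std::min` clamps it to `length`, so a script-supplied start index such as `1e10` or `Infinity` (values `toInteger` can produce) converts a double that is out of range of the destination type, which is undefined behaviour in C++ and in practice typically yields an arbitrary value that the clamp then accepts as a valid `begin`. Clamping in the double domain keeps the conversion in range: `begin = (relativeBegin > length) ? length : static_cast<unsigned>(relativeBegin);`. The negative branch is fine, since once `relativeBegin + length` is non-negative it is bounded by `length`. The page shows `static_cast(relativeBegin)` with no template argument, which looks like a rendering artifact rather than the committed text, but is worth confirming against the source. arrayProtoFuncSplice begins before and continues after the hunk, and the `deleteCount` computation that consumes `begin` is outside the shown lines.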
@@ -8,4 +8,4 @@ The commit imported was from the
 
 and has the sha1 checksum
 
- 499bdb98708eba4bd40532c70179bf45b43ad068
+ 42ad198e900e439f01d2062ad93d03043c68a309
--
cgit v0.12