<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[45696] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/45696">45696</a></dd>
<dt>Author</dt> <dd>mjs@apple.com</dd>
<dt>Date</dt> <dd>2009-07-09 20:45:23 -0700 (Thu, 09 Jul 2009)</dd>
</dl>

<h3>Log Message</h3>
<pre>2009-07-09  Maciej Stachowiak  &lt;mjs@apple.com&gt;

        Reviewed by Darin Adler.

        REGRESSION: crash in edge cases of floating point parsing.
        https://bugs.webkit.org/show_bug.cgi?id=27110
        &lt;rdar://problem/7044458&gt;
        
        Tests: fast/css/number-parsing-crash.html
               fast/css/number-parsing-crash.html
               fast/js/number-parsing-crash.html
        
        * wtf/dtoa.cpp:
        (WTF::BigInt::BigInt): Converted this to more a proper class, using a Vector
        with inline capacity

        (WTF::lshift): Rearranged logic somewhat nontrivially to deal with the new way of sizing BigInts.
        Added an assertion to verify that invariants are maintained.

        All other functions are adapted fairly mechanically to the above changes.
        (WTF::BigInt::clear):
        (WTF::BigInt::size):
        (WTF::BigInt::resize):
        (WTF::BigInt::words):
        (WTF::BigInt::append):
        (WTF::multadd):
        (WTF::s2b):
        (WTF::i2b):
        (WTF::mult):
        (WTF::cmp):
        (WTF::diff):
        (WTF::b2d):
        (WTF::d2b):
        (WTF::ratio):
        (WTF::strtod):
        (WTF::quorem):
        (WTF::dtoa):

2009-07-09  Maciej Stachowiak  &lt;mjs@apple.com&gt;

        Reviewed by Darin Adler.
        
        REGRESSION: crash in edge cases of floating point parsing.
        &lt;rdar://problem/7044458&gt;
        https://bugs.webkit.org/show_bug.cgi?id=27110
        
        Test cases for both JavaScript and CSS use of dtoa.

        * fast/css/number-parsing-crash-2-expected.txt: Added.
        * fast/css/number-parsing-crash-2.html: Added.
        * fast/css/number-parsing-crash-expected.txt: Added.
        * fast/css/number-parsing-crash.html: Added.
        * fast/js/number-parsing-crash-expected.txt: Added.
        * fast/js/number-parsing-crash.html: Added.
        * fast/js/resources/number-parsing-crash.js: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJavaScriptCoreChangeLog">trunk/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkJavaScriptCorewtfdtoacpp">trunk/JavaScriptCore/wtf/dtoa.cpp</a></li>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastcssnumberparsingcrash2expectedtxt">trunk/LayoutTests/fast/css/number-parsing-crash-2-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastcssnumberparsingcrash2html">trunk/LayoutTests/fast/css/number-parsing-crash-2.html</a></li>
<li><a href="#trunkLayoutTestsfastcssnumberparsingcrashexpectedtxt">trunk/LayoutTests/fast/css/number-parsing-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastcssnumberparsingcrashhtml">trunk/LayoutTests/fast/css/number-parsing-crash.html</a></li>
<li><a href="#trunkLayoutTestsfastjsnumberparsingcrashexpectedtxt">trunk/LayoutTests/fast/js/number-parsing-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastjsnumberparsingcrashhtml">trunk/LayoutTests/fast/js/number-parsing-crash.html</a></li>
<li><a href="#trunkLayoutTestsfastjsresourcesnumberparsingcrashjs">trunk/LayoutTests/fast/js/resources/number-parsing-crash.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JavaScriptCore/ChangeLog (45695 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JavaScriptCore/ChangeLog        2009-07-10 03:20:07 UTC (rev 45695)
+++ trunk/JavaScriptCore/ChangeLog        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -1,3 +1,41 @@
</span><ins>+2009-07-09  Maciej Stachowiak  &lt;mjs@apple.com&gt;
+
+        Reviewed by Darin Adler.
+
+        REGRESSION: crash in edge cases of floating point parsing.
+        https://bugs.webkit.org/show_bug.cgi?id=27110
+        &lt;rdar://problem/7044458&gt;
+        
+        Tests: fast/css/number-parsing-crash.html
+               fast/css/number-parsing-crash.html
+               fast/js/number-parsing-crash.html
+        
+        * wtf/dtoa.cpp:
+        (WTF::BigInt::BigInt): Converted this to more a proper class, using a Vector
+        with inline capacity
+
+        (WTF::lshift): Rearranged logic somewhat nontrivially to deal with the new way of sizing BigInts.
+        Added an assertion to verify that invariants are maintained.
+
+        All other functions are adapted fairly mechanically to the above changes.
+        (WTF::BigInt::clear):
+        (WTF::BigInt::size):
+        (WTF::BigInt::resize):
+        (WTF::BigInt::words):
+        (WTF::BigInt::append):
+        (WTF::multadd):
+        (WTF::s2b):
+        (WTF::i2b):
+        (WTF::mult):
+        (WTF::cmp):
+        (WTF::diff):
+        (WTF::b2d):
+        (WTF::d2b):
+        (WTF::ratio):
+        (WTF::strtod):
+        (WTF::quorem):
+        (WTF::dtoa):
+
</ins><span class="cx"> 2009-07-09  Drew Wilson  &lt;atwilson@google.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Reviewed by Alexey Proskuryakov.
</span></span></pre></div>
<a id="trunkJavaScriptCorewtfdtoacpp"></a>
<div class="modfile"><h4>Modified: trunk/JavaScriptCore/wtf/dtoa.cpp (45695 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JavaScriptCore/wtf/dtoa.cpp        2009-07-10 03:20:07 UTC (rev 45695)
+++ trunk/JavaScriptCore/wtf/dtoa.cpp        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -255,6 +255,8 @@
</span><span class="cx"> #define Big0 (Frac_mask1 | Exp_msk1 * (DBL_MAX_EXP + Bias - 1))
</span><span class="cx"> #define Big1 0xffffffff
</span><span class="cx"> 
</span><ins>+
+// FIXME: we should remove non-Pack_32 mode since it is unused and unmaintained
</ins><span class="cx"> #ifndef Pack_32
</span><span class="cx"> #define Pack_32
</span><span class="cx"> #endif
</span><span class="lines">@@ -278,25 +280,41 @@
</span><span class="cx"> #define Kmax 15
</span><span class="cx"> 
</span><span class="cx"> struct BigInt {
</span><del>-    BigInt() : sign(0), wds(0) { }
-    BigInt(const BigInt&amp; other) : sign(other.sign), wds(other.wds) 
</del><ins>+    BigInt() : sign(0) { }
+    int sign;
+
+    void clear()
</ins><span class="cx">     {
</span><del>-        for (int i = 0; i &lt; 64; ++i)
-            x[i] = other.x[i];
</del><ins>+        sign = 0;
+        m_words.clear();
</ins><span class="cx">     }
</span><ins>+    
+    size_t size() const
+    {
+        return m_words.size();
+    }
</ins><span class="cx"> 
</span><del>-    BigInt&amp; operator=(const BigInt&amp; other) 
</del><ins>+    void resize(size_t s)
</ins><span class="cx">     {
</span><del>-        sign = other.sign;
-        wds = other.wds;
-        for (int i = 0; i &lt; 64; ++i)
-            x[i] = other.x[i];        
-        return *this;
</del><ins>+        m_words.resize(s);
</ins><span class="cx">     }
</span><ins>+            
+    uint32_t* words()
+    {
+        return m_words.data();
+    }
+
+    const uint32_t* words() const
+    {
+        return m_words.data();
+    }
</ins><span class="cx">     
</span><del>-    int sign;
-    int wds;
-    uint32_t x[64];
</del><ins>+    void append(uint32_t w)
+    {
+        m_words.append(w);
+    }
+    
+    Vector&lt;uint32_t, 16&gt; m_words;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> static void multadd(BigInt&amp; b, int m, int a)    /* multiply by m and add a */
</span><span class="lines">@@ -307,8 +325,8 @@
</span><span class="cx">     uint32_t carry;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    int wds = b.wds;
-    uint32_t* x = b.x;
</del><ins>+    int wds = b.size();
+    uint32_t* x = b.words();
</ins><span class="cx">     int i = 0;
</span><span class="cx">     carry = a;
</span><span class="cx">     do {
</span><span class="lines">@@ -331,10 +349,8 @@
</span><span class="cx"> #endif
</span><span class="cx">     } while (++i &lt; wds);
</span><span class="cx"> 
</span><del>-    if (carry) {
-        b.x[wds++] = (uint32_t)carry;
-        b.wds = wds;
-    }
</del><ins>+    if (carry)
+        b.append((uint32_t)carry);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static void s2b(BigInt&amp; b, const char* s, int nd0, int nd, uint32_t y9)
</span><span class="lines">@@ -346,12 +362,12 @@
</span><span class="cx">     for (k = 0, y = 1; x &gt; y; y &lt;&lt;= 1, k++) { }
</span><span class="cx"> #ifdef Pack_32
</span><span class="cx">     b.sign = 0;
</span><del>-    b.x[0] = y9;
-    b.wds = 1;
</del><ins>+    b.resize(1);
+    b.words()[0] = y9;
</ins><span class="cx"> #else
</span><span class="cx">     b.sign = 0;
</span><del>-    b.x[0] = y9 &amp; 0xffff;
-    b.wds = (b-&gt;x[1] = y9 &gt;&gt; 16) ? 2 : 1;
</del><ins>+    b.resize((b-&gt;x[1] = y9 &gt;&gt; 16) ? 2 : 1);
+    b.words()[0] = y9 &amp; 0xffff;
</ins><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     int i = 9;
</span><span class="lines">@@ -440,8 +456,8 @@
</span><span class="cx"> static void i2b(BigInt&amp; b, int i)
</span><span class="cx"> {
</span><span class="cx">     b.sign = 0;
</span><del>-    b.x[0] = i;
-    b.wds = 1;
</del><ins>+    b.resize(1);
+    b.words()[0] = i;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static void mult(BigInt&amp; aRef, const BigInt&amp; bRef)
</span><span class="lines">@@ -459,23 +475,24 @@
</span><span class="cx">     uint32_t carry, z;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    if (a-&gt;wds &lt; b-&gt;wds) {
</del><ins>+    if (a-&gt;size() &lt; b-&gt;size()) {
</ins><span class="cx">         const BigInt* tmp = a;
</span><span class="cx">         a = b;
</span><span class="cx">         b = tmp;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    wa = a-&gt;wds;
-    wb = b-&gt;wds;
</del><ins>+    wa = a-&gt;size();
+    wb = b-&gt;size();
</ins><span class="cx">     wc = wa + wb;
</span><ins>+    c.resize(wc);
</ins><span class="cx"> 
</span><del>-    for (xc = c.x, xa = xc + wc; xc &lt; xa; xc++)
</del><ins>+    for (xc = c.words(), xa = xc + wc; xc &lt; xa; xc++)
</ins><span class="cx">         *xc = 0;
</span><del>-    xa = a-&gt;x;
</del><ins>+    xa = a-&gt;words();
</ins><span class="cx">     xae = xa + wa;
</span><del>-    xb = b-&gt;x;
</del><ins>+    xb = b-&gt;words();
</ins><span class="cx">     xbe = xb + wb;
</span><del>-    xc0 = c.x;
</del><ins>+    xc0 = c.words();
</ins><span class="cx"> #ifdef USE_LONG_LONG
</span><span class="cx">     for (; xb &lt; xbe; xc0++) {
</span><span class="cx">         if ((y = *xb++)) {
</span><span class="lines">@@ -537,8 +554,8 @@
</span><span class="cx">     }
</span><span class="cx"> #endif
</span><span class="cx"> #endif
</span><del>-    for (xc0 = c.x, xc = xc0 + wc; wc &gt; 0 &amp;&amp; !*--xc; --wc) { }
-    c.wds = wc;
</del><ins>+    for (xc0 = c.words(), xc = xc0 + wc; wc &gt; 0 &amp;&amp; !*--xc; --wc) { }
+    c.resize(wc);
</ins><span class="cx">     aRef = c;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -617,14 +634,20 @@
</span><span class="cx">     int n = k &gt;&gt; 4;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    int n1 = n + b.wds + 1;
</del><ins>+    int origSize = b.size();
+    int n1 = n + origSize + 1;
</ins><span class="cx"> 
</span><del>-    const uint32_t* srcStart = b.x;
-    uint32_t* dstStart = b.x;
-    const uint32_t* src = srcStart + b.wds - 1;
</del><ins>+    if (k &amp;= 0x1f)
+        b.resize(b.size() + n + 1);
+    else
+        b.resize(b.size() + n);
+
+    const uint32_t* srcStart = b.words();
+    uint32_t* dstStart = b.words();
+    const uint32_t* src = srcStart + origSize - 1;
</ins><span class="cx">     uint32_t* dst = dstStart + n1 - 1;
</span><span class="cx"> #ifdef Pack_32
</span><del>-    if (k &amp;= 0x1f) {
</del><ins>+    if (k) {
</ins><span class="cx">         uint32_t hiSubword = 0;
</span><span class="cx">         int s = 32 - k;
</span><span class="cx">         for (; src &gt;= srcStart; --src) {
</span><span class="lines">@@ -633,7 +656,8 @@
</span><span class="cx">         }
</span><span class="cx">         *dst = hiSubword;
</span><span class="cx">         ASSERT(dst == dstStart + n);
</span><del>-        b.wds = b.wds + n + (b.x[n1 - 1] != 0);
</del><ins>+
+        b.resize(origSize + n + (b.words()[n1 - 1] != 0));
</ins><span class="cx">     }
</span><span class="cx"> #else
</span><span class="cx">     if (k &amp;= 0xf) {
</span><span class="lines">@@ -652,10 +676,11 @@
</span><span class="cx">         do {
</span><span class="cx">             *--dst = *src--;
</span><span class="cx">         } while (src &gt;= srcStart);
</span><del>-        b.wds = b.wds + n;
</del><span class="cx">     }
</span><span class="cx">     for (dst = dstStart + n; dst != dstStart; )
</span><span class="cx">         *--dst = 0;
</span><ins>+
+    ASSERT(b.size() &lt;= 1 || b.words()[b.size() - 1]);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static int cmp(const BigInt&amp; a, const BigInt&amp; b)
</span><span class="lines">@@ -663,15 +688,15 @@
</span><span class="cx">     const uint32_t *xa, *xa0, *xb, *xb0;
</span><span class="cx">     int i, j;
</span><span class="cx"> 
</span><del>-    i = a.wds;
-    j = b.wds;
-    ASSERT(i &lt;= 1 || a.x[i - 1]);
-    ASSERT(j &lt;= 1 || b.x[j - 1]);
</del><ins>+    i = a.size();
+    j = b.size();
+    ASSERT(i &lt;= 1 || a.words()[i - 1]);
+    ASSERT(j &lt;= 1 || b.words()[j - 1]);
</ins><span class="cx">     if (i -= j)
</span><span class="cx">         return i;
</span><del>-    xa0 = a.x;
</del><ins>+    xa0 = a.words();
</ins><span class="cx">     xa = xa0 + j;
</span><del>-    xb0 = b.x;
</del><ins>+    xb0 = b.words();
</ins><span class="cx">     xb = xb0 + j;
</span><span class="cx">     for (;;) {
</span><span class="cx">         if (*--xa != *--xb)
</span><span class="lines">@@ -692,8 +717,8 @@
</span><span class="cx">     i = cmp(*a, *b);
</span><span class="cx">     if (!i) {
</span><span class="cx">         c.sign = 0;
</span><del>-        c.wds = 1;
-        c.x[0] = 0;
</del><ins>+        c.resize(1);
+        c.words()[0] = 0;
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     if (i &lt; 0) {
</span><span class="lines">@@ -704,15 +729,16 @@
</span><span class="cx">     } else
</span><span class="cx">         i = 0;
</span><span class="cx"> 
</span><del>-    c.wds = 0;
-    c.sign = i;
-    wa = a-&gt;wds;
-    const uint32_t* xa = a-&gt;x;
</del><ins>+    wa = a-&gt;size();
+    const uint32_t* xa = a-&gt;words();
</ins><span class="cx">     const uint32_t* xae = xa + wa;
</span><del>-    wb = b-&gt;wds;
-    const uint32_t* xb = b-&gt;x;
</del><ins>+    wb = b-&gt;size();
+    const uint32_t* xb = b-&gt;words();
</ins><span class="cx">     const uint32_t* xbe = xb + wb;
</span><del>-    xc = c.x;
</del><ins>+
+    c.resize(wa);
+    c.sign = i;
+    xc = c.words();
</ins><span class="cx"> #ifdef USE_LONG_LONG
</span><span class="cx">     unsigned long long borrow = 0;
</span><span class="cx">     do {
</span><span class="lines">@@ -757,7 +783,7 @@
</span><span class="cx"> #endif
</span><span class="cx">     while (!*--xc)
</span><span class="cx">         wa--;
</span><del>-    c.wds = wa;
</del><ins>+    c.resize(wa);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static double ulp(U *x)
</span><span class="lines">@@ -804,8 +830,8 @@
</span><span class="cx"> #define d0 word0(&amp;d)
</span><span class="cx"> #define d1 word1(&amp;d)
</span><span class="cx"> 
</span><del>-    xa0 = a.x;
-    xa = xa0 + a.wds;
</del><ins>+    xa0 = a.words();
+    xa = xa0 + a.size();
</ins><span class="cx">     y = *--xa;
</span><span class="cx">     ASSERT(y);
</span><span class="cx">     k = hi0bits(y);
</span><span class="lines">@@ -860,11 +886,11 @@
</span><span class="cx"> 
</span><span class="cx">     b.sign = 0;
</span><span class="cx"> #ifdef Pack_32
</span><del>-    b.wds = 1;
</del><ins>+    b.resize(1);
</ins><span class="cx"> #else
</span><del>-    b.wds = 2;
</del><ins>+    b.resize(2);
</ins><span class="cx"> #endif
</span><del>-    x = b.x;
</del><ins>+    x = b.words();
</ins><span class="cx"> 
</span><span class="cx">     z = d0 &amp; Frac_mask;
</span><span class="cx">     d0 &amp;= 0x7fffffff;    /* clear sign bit, which we ignore */
</span><span class="lines">@@ -881,17 +907,21 @@
</span><span class="cx">             z &gt;&gt;= k;
</span><span class="cx">         } else
</span><span class="cx">             x[0] = y;
</span><ins>+            if (z) {
+                b.resize(2);
+                x[1] = z;
+            }
+
</ins><span class="cx"> #ifndef Sudden_Underflow
</span><del>-        i =
</del><ins>+        i = b.size();
</ins><span class="cx"> #endif
</span><del>-            b.wds = (x[1] = z) ? 2 : 1;
</del><span class="cx">     } else {
</span><span class="cx">         k = lo0bits(&amp;z);
</span><span class="cx">         x[0] = z;
</span><span class="cx"> #ifndef Sudden_Underflow
</span><del>-        i =
</del><ins>+        i = 1;
</ins><span class="cx"> #endif
</span><del>-            b.wds = 1;
</del><ins>+        b.resize(1);
</ins><span class="cx">         k += 32;
</span><span class="cx">     }
</span><span class="cx"> #else
</span><span class="lines">@@ -929,7 +959,7 @@
</span><span class="cx">         k += 32;
</span><span class="cx">     } while (!x[i])
</span><span class="cx">         --i;
</span><del>-    b-&gt;wds = i + 1;
</del><ins>+    b-&gt;resize(i + 1);
</ins><span class="cx"> #endif
</span><span class="cx"> #ifndef Sudden_Underflow
</span><span class="cx">     if (de) {
</span><span class="lines">@@ -958,9 +988,9 @@
</span><span class="cx">     dval(&amp;da) = b2d(a, &amp;ka);
</span><span class="cx">     dval(&amp;db) = b2d(b, &amp;kb);
</span><span class="cx"> #ifdef Pack_32
</span><del>-    k = ka - kb + 32 * (a.wds - b.wds);
</del><ins>+    k = ka - kb + 32 * (a.size() - b.size());
</ins><span class="cx"> #else
</span><del>-    k = ka - kb + 16 * (a.wds - b.wds);
</del><ins>+    k = ka - kb + 16 * (a.size() - b.size());
</ins><span class="cx"> #endif
</span><span class="cx">     if (k &gt; 0)
</span><span class="cx">         word0(&amp;da) += k * Exp_msk1;
</span><span class="lines">@@ -1452,12 +1482,12 @@
</span><span class="cx"> #endif
</span><span class="cx">                 ) {
</span><span class="cx"> #ifdef SET_INEXACT
</span><del>-                if (!delta-&gt;x[0] &amp;&amp; delta-&gt;wds &lt;= 1)
</del><ins>+                if (!delta-&gt;words()[0] &amp;&amp; delta-&gt;size() &lt;= 1)
</ins><span class="cx">                     inexact = 0;
</span><span class="cx"> #endif
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><del>-            if (!delta.x[0] &amp;&amp; delta.wds &lt;= 1) {
</del><ins>+            if (!delta.words()[0] &amp;&amp; delta.size() &lt;= 1) {
</ins><span class="cx">                 /* exact result */
</span><span class="cx"> #ifdef SET_INEXACT
</span><span class="cx">                 inexact = 0;
</span><span class="lines">@@ -1700,7 +1730,7 @@
</span><span class="cx"> 
</span><span class="cx"> static ALWAYS_INLINE int quorem(BigInt&amp; b, BigInt&amp; S)
</span><span class="cx"> {
</span><del>-    int n;
</del><ins>+    size_t n;
</ins><span class="cx">     uint32_t *bx, *bxe, q, *sx, *sxe;
</span><span class="cx"> #ifdef USE_LONG_LONG
</span><span class="cx">     unsigned long long borrow, carry, y, ys;
</span><span class="lines">@@ -1710,14 +1740,16 @@
</span><span class="cx">     uint32_t si, z, zs;
</span><span class="cx"> #endif
</span><span class="cx"> #endif
</span><ins>+    ASSERT(b.size() &lt;= 1 || b.words()[b.size() - 1]);
+    ASSERT(S.size() &lt;= 1 || S.words()[S.size() - 1]);
</ins><span class="cx"> 
</span><del>-    n = S.wds;
-    ASSERT_WITH_MESSAGE(b.wds &lt;= n, &quot;oversize b in quorem&quot;);
-    if (b.wds &lt; n)
</del><ins>+    n = S.size();
+    ASSERT_WITH_MESSAGE(b.size() &lt;= n, &quot;oversize b in quorem&quot;);
+    if (b.size() &lt; n)
</ins><span class="cx">         return 0;
</span><del>-    sx = S.x;
</del><ins>+    sx = S.words();
</ins><span class="cx">     sxe = sx + --n;
</span><del>-    bx = b.x;
</del><ins>+    bx = b.words();
</ins><span class="cx">     bxe = bx + n;
</span><span class="cx">     q = *bxe / (*sxe + 1);    /* ensure q &lt;= true quotient */
</span><span class="cx">     ASSERT_WITH_MESSAGE(q &lt;= 9, &quot;oversized quotient in quorem&quot;);
</span><span class="lines">@@ -1752,18 +1784,18 @@
</span><span class="cx"> #endif
</span><span class="cx">         } while (sx &lt;= sxe);
</span><span class="cx">         if (!*bxe) {
</span><del>-            bx = b.x;
</del><ins>+            bx = b.words();
</ins><span class="cx">             while (--bxe &gt; bx &amp;&amp; !*bxe)
</span><span class="cx">                 --n;
</span><del>-            b.wds = n;
</del><ins>+            b.resize(n);
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     if (cmp(b, S) &gt;= 0) {
</span><span class="cx">         q++;
</span><span class="cx">         borrow = 0;
</span><span class="cx">         carry = 0;
</span><del>-        bx = b.x;
-        sx = S.x;
</del><ins>+        bx = b.words();
+        sx = S.words();
</ins><span class="cx">         do {
</span><span class="cx"> #ifdef USE_LONG_LONG
</span><span class="cx">             ys = *sx++ + carry;
</span><span class="lines">@@ -1791,12 +1823,12 @@
</span><span class="cx"> #endif
</span><span class="cx"> #endif
</span><span class="cx">         } while (sx &lt;= sxe);
</span><del>-        bx = b.x;
</del><ins>+        bx = b.words();
</ins><span class="cx">         bxe = bx + n;
</span><span class="cx">         if (!*bxe) {
</span><span class="cx">             while (--bxe &gt; bx &amp;&amp; !*bxe)
</span><span class="cx">                 --n;
</span><del>-            b.wds = n;
</del><ins>+            b.resize(n);
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     return q;
</span><span class="lines">@@ -2027,7 +2059,8 @@
</span><span class="cx">         dval(&amp;eps) = (ieps * dval(&amp;u)) + 7.;
</span><span class="cx">         word0(&amp;eps) -= (P - 1) * Exp_msk1;
</span><span class="cx">         if (ilim == 0) {
</span><del>-            S = mhi = BigInt();
</del><ins>+            S.clear();
+            mhi.clear();
</ins><span class="cx">             dval(&amp;u) -= 5.;
</span><span class="cx">             if (dval(&amp;u) &gt; dval(&amp;eps))
</span><span class="cx">                 goto one_digit;
</span><span class="lines">@@ -2090,7 +2123,8 @@
</span><span class="cx">         /* Yes. */
</span><span class="cx">         ds = tens[k];
</span><span class="cx">         if (ndigits &lt; 0 &amp;&amp; ilim &lt;= 0) {
</span><del>-            S = mhi = BigInt();
</del><ins>+            S.clear();
+            mhi.clear();
</ins><span class="cx">             if (ilim &lt; 0 || dval(&amp;u) &lt;= 5 * ds)
</span><span class="cx">                 goto no_digits;
</span><span class="cx">             goto one_digit;
</span><span class="lines">@@ -2132,7 +2166,8 @@
</span><span class="cx"> 
</span><span class="cx">     m2 = b2;
</span><span class="cx">     m5 = b5;
</span><del>-    mhi = mlo = BigInt();
</del><ins>+    mhi.clear();
+    mlo.clear();
</ins><span class="cx">     if (leftright) {
</span><span class="cx">         i =
</span><span class="cx"> #ifndef Sudden_Underflow
</span><span class="lines">@@ -2186,10 +2221,10 @@
</span><span class="cx">      * can do shifts and ors to compute the numerator for q.
</span><span class="cx">      */
</span><span class="cx"> #ifdef Pack_32
</span><del>-    if ((i = ((s5 ? 32 - hi0bits(S.x[S.wds - 1]) : 1) + s2) &amp; 0x1f))
</del><ins>+    if ((i = ((s5 ? 32 - hi0bits(S.words()[S.size() - 1]) : 1) + s2) &amp; 0x1f))
</ins><span class="cx">         i = 32 - i;
</span><span class="cx"> #else
</span><del>-    if ((i = ((s5 ? 32 - hi0bits(S.x[S.wds - 1]) : 1) + s2) &amp; 0xf))
</del><ins>+    if ((i = ((s5 ? 32 - hi0bits(S.words()[S.size() - 1]) : 1) + s2) &amp; 0xf))
</ins><span class="cx">         i = 16 - i;
</span><span class="cx"> #endif
</span><span class="cx">     if (i &gt; 4) {
</span><span class="lines">@@ -2252,7 +2287,7 @@
</span><span class="cx">                 goto ret;
</span><span class="cx">             }
</span><span class="cx">             if (j &lt; 0 || (j == 0 &amp;&amp; !(word1(&amp;u) &amp; 1))) {
</span><del>-                if (!b.x[0] &amp;&amp; b.wds &lt;= 1) {
</del><ins>+                if (!b.words()[0] &amp;&amp; b.size() &lt;= 1) {
</ins><span class="cx"> #ifdef SET_INEXACT
</span><span class="cx">                     inexact = 0;
</span><span class="cx"> #endif
</span><span class="lines">@@ -2287,7 +2322,7 @@
</span><span class="cx">     } else
</span><span class="cx">         for (i = 1;; i++) {
</span><span class="cx">             *s++ = dig = quorem(b,S) + '0';
</span><del>-            if (!b.x[0] &amp;&amp; b.wds &lt;= 1) {
</del><ins>+            if (!b.words()[0] &amp;&amp; b.size() &lt;= 1) {
</ins><span class="cx"> #ifdef SET_INEXACT
</span><span class="cx">                 inexact = 0;
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (45695 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2009-07-10 03:20:07 UTC (rev 45695)
+++ trunk/LayoutTests/ChangeLog        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2009-07-09  Maciej Stachowiak  &lt;mjs@apple.com&gt;
+
+        Reviewed by Darin Adler.
+        
+        REGRESSION: crash in edge cases of floating point parsing.
+        &lt;rdar://problem/7044458&gt;
+        https://bugs.webkit.org/show_bug.cgi?id=27110
+        
+        Test cases for both JavaScript and CSS use of dtoa.
+
+        * fast/css/number-parsing-crash-2-expected.txt: Added.
+        * fast/css/number-parsing-crash-2.html: Added.
+        * fast/css/number-parsing-crash-expected.txt: Added.
+        * fast/css/number-parsing-crash.html: Added.
+        * fast/js/number-parsing-crash-expected.txt: Added.
+        * fast/js/number-parsing-crash.html: Added.
+        * fast/js/resources/number-parsing-crash.js: Added.
+
</ins><span class="cx"> 2009-07-09  Drew Wilson  &lt;atwilson@google.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Reviewed by Alexey Proskuryakov.
</span></span></pre></div>
<a id="trunkLayoutTestsfastcssnumberparsingcrash2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/number-parsing-crash-2-expected.txt (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/css/number-parsing-crash-2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/css/number-parsing-crash-2-expected.txt        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+This should not crash.
+An example of a bouncing box
+
+It's just a jump to the left. And then a step to the right.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastcssnumberparsingcrash2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/number-parsing-crash-2.html (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/css/number-parsing-crash-2.html                                (rev 0)
+++ trunk/LayoutTests/fast/css/number-parsing-crash-2.html        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.01//EN&quot; &quot;http://www.w3.org/TR/html4/strict.dtd&quot;&gt;
+&lt;html&gt;&lt;head&gt;
+
+  
+    &lt;meta http-equiv=&quot;Content-type&quot; content=&quot;text/html; charset=UTF-8&quot;&gt;
+    &lt;title&gt;Bouncing Box example&lt;/title&gt;
+    &lt;style type=&quot;text/css&quot; media=&quot;screen&quot;&gt;
+
+      @-webkit-keyframes bounce {
+       from {
+         left: 0px;
+       }
+       to {
+         left: 200px;
+       }
+      }
+
+      div {
+       -webkit-animation-name: bounce;
+       -webkit-animation-duration: 4s;
+       -webkit-animation-iteration-count: 10;
+       -webkit-animation-direction: alternate;
+        width: 40%;
+        padding: 
 
 
 
 
 
 
 
 
 
 
 
 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111em 1em;
+        position: relative;
+        left: 0px;
+        background: #aaaaff;
+      }
+      
+    &lt;/style&gt;
+  &lt;/head&gt;&lt;body&gt;
+This should not crash.
+
+&lt;script&gt;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+&lt;/script&gt;
+
+    &lt;h1&gt;An example of a bouncing box&lt;/h1&gt;
+    
+    &lt;div&gt;
+      &lt;p&gt;
+        It's just a jump to the left. And then a step to the right.
+      &lt;/p&gt;
+    &lt;/div&gt;
+    
+  &lt;/body&gt;&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsfastcssnumberparsingcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/number-parsing-crash-expected.txt (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/css/number-parsing-crash-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/css/number-parsing-crash-expected.txt        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+This should not crash.  
</ins></span></pre></div>
<a id="trunkLayoutTestsfastcssnumberparsingcrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/css/number-parsing-crash.html (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/css/number-parsing-crash.html                                (rev 0)
+++ trunk/LayoutTests/fast/css/number-parsing-crash.html        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+This should not crash.
+
+&lt;script&gt;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+&lt;/script&gt;
+
+&lt;img src=&quot;bubbles.jpg&quot; style=&quot;border:5px solid white;-webkit-box-reflect:below 5px -webkit-gradient(linear, left top, left bottom, from(transparent), color-stop
 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111, transparent), to(white));&quot;&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsfastjsnumberparsingcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/js/number-parsing-crash-expected.txt (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/js/number-parsing-crash-expected.txt                                (rev 0)
+++ trunk/LayoutTests/fast/js/number-parsing-crash-expected.txt        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests edge cases of number parsing.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+FAIL x.toString() should be 0.1111111111111111 (of type number). Was 0.1111111111111111 (of type string).
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfastjsnumberparsingcrashhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/js/number-parsing-crash.html (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/js/number-parsing-crash.html                                (rev 0)
+++ trunk/LayoutTests/fast/js/number-parsing-crash.html        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;resources/js-test-style.css&quot;&gt;
+&lt;script src=&quot;resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p id=&quot;description&quot;&gt;&lt;/p&gt;
+&lt;div id=&quot;console&quot;&gt;&lt;/div&gt;
+&lt;script src=&quot;resources/number-parsing-crash.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsfastjsresourcesnumberparsingcrashjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/js/resources/number-parsing-crash.js (0 => 45696)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/js/resources/number-parsing-crash.js                                (rev 0)
+++ trunk/LayoutTests/fast/js/resources/number-parsing-crash.js        2009-07-10 03:45:23 UTC (rev 45696)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+description(
+&quot;This tests edge cases of number parsing.&quot;
+);
+
+var x = 
 11111111111111111111111111111111111111111111;
+
+shouldBe(&quot;x.toString()&quot;, &quot;0.1111111111111111&quot;);
+var successfullyParsed = true;
</ins></span></pre>
</div>
</div>

</body>
</html>