<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[177284] trunk/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/177284">177284</a></dd>
<dt>Author</dt> <dd>oliver@apple.com</dd>
<dt>Date</dt> <dd>2014-12-15 10:04:58 -0800 (Mon, 15 Dec 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Make sure range based iteration of Vector&lt;&gt; still receives bounds checking
https://bugs.webkit.org/show_bug.cgi?id=138821

Reviewed by Mark Lam.

Source/JavaScriptCore:

Update code to deal with slightly changed iterator semantics.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildren):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitComplexPopScopes):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLAbbreviations.h:
(JSC::FTL::mdNode):
(JSC::FTL::buildCall):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* parser/Parser.h:
(JSC::Scope::Scope):
* runtime/JSArray.cpp:
(JSC::JSArray::setLengthWithArrayStorage):
(JSC::JSArray::sortCompactedVector):
* tools/ProfileTreeNode.h:
(JSC::ProfileTreeNode::dumpInternal):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::matchCharacterClass):

Source/WebCore:

Update to deal with different iterator type.

* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserializeString):
* editing/TextIterator.cpp:
(WebCore::SearchBuffer::isBadMatch):
* page/mac/ServicesOverlayController.mm:
(WebCore::ServicesOverlayController::buildSelectionHighlight):
* platform/graphics/SegmentedFontData.cpp:
(WebCore::SegmentedFontData::fontDataForCharacter):
(WebCore::SegmentedFontData::containsCharacter):
(WebCore::SegmentedFontData::isLoading):
* platform/graphics/WOFFFileFormat.cpp:
(WebCore::convertWOFFToSfnt):
* platform/graphics/cairo/GradientCairo.cpp:
(WebCore::Gradient::platformGradient):
* platform/image-decoders/gif/GIFImageDecoder.cpp:
(WebCore::GIFImageDecoder::clearFrameBufferCache):
* rendering/RenderBox.cpp:
(WebCore::RenderBox::paintFillLayers):
* rendering/style/GridResolvedPosition.cpp:
(WebCore::firstNamedGridLineBeforePosition):
(WebCore::GridResolvedPosition::resolveRowEndColumnEndNamedGridLinePositionAgainstOppositePosition):
* svg/SVGFontElement.cpp:
(WebCore::kerningForPairOfStringsAndGlyphs):
* svg/SVGPathByteStream.h:
(WebCore::SVGPathByteStream::append):
* xml/XPathNodeSet.h:
(WebCore::XPath::NodeSet::begin):
(WebCore::XPath::NodeSet::end):

Source/WTF:

Add a new IndexedIterator struct to WTF that wraps a
Vector type and index to provide pointer like semantics
while still performing runtime bounds checking, even in
release builds. We store a simple index into the vector
which means that this iterator allows vector resizing
during iteration. If the vector is resized such that the
iterator is out of bounds, then any attempt to dereference
the iterator will crash safely.

For the purpose of retaining semantically equivalent
behaviour, the iterator can be moved to m_index == size()
as that is the standard &quot;end&quot; terminator for these types.
Attempting to dereference at that point will still crash
rather than perform an unsafe memory operation.

By necessity there are many overrides for operator + and - as
we otherwise hit many different type promotion ambiguities when
performing arithmetic with iterators. These ambiguities are also
different for 32- vs. 64-bit, so duplicating the functions
and then forwarding to the core implementations that performed
the bounds checking and mutation seemed like the right call.

* WTF.vcxproj/WTF.vcxproj:
* WTF.vcxproj/WTF.vcxproj.filters:
* WTF.xcodeproj/project.pbxproj:
* wtf/IndexedIterator.h: Added.
(WTF::IndexedIterator::IndexedIterator):
(WTF::IndexedIterator::operator-&gt;):
(WTF::IndexedIterator::operator*):
(WTF::IndexedIterator::get):
(WTF::IndexedIterator::operator++):
(WTF::IndexedIterator::operator--):
(WTF::IndexedIterator::operator UnspecifiedBoolType):
(WTF::IndexedIterator::operator-):
(WTF::IndexedIterator::operator=):
(WTF::IndexedIterator::operator==):
(WTF::IndexedIterator::operator!=):
(WTF::IndexedIterator::operator&lt;):
(WTF::IndexedIterator::operator&lt;=):
(WTF::IndexedIterator::operator&gt;):
(WTF::IndexedIterator::operator&gt;=):
(WTF::IndexedIterator::operator const_iterator):
(WTF::IndexedIterator::unsafeGet):
(WTF::getPtr):
(WTF::operator-):
(WTF::operator==):
(WTF::operator!=):
(WTF::operator&lt;=):
(WTF::operator&gt;=):
(WTF::operator&lt;):
(WTF::operator&gt;):
(WTF::IndexedIteratorSelector::makeIterator):
(WTF::IndexedIteratorSelector::makeConstIterator):
* wtf/RefCountedArray.h:
(WTF::RefCountedArray::RefCountedArray):
* wtf/Vector.h:
(WTF::Vector::Vector):
(WTF::Vector::begin):
(WTF::Vector::end):
(WTF::OverflowHandler&gt;::Vector):
(WTF::=):
(WTF::OverflowHandler&gt;::fill):
(WTF::OverflowHandler&gt;::expandCapacity):
(WTF::OverflowHandler&gt;::tryExpandCapacity):
(WTF::OverflowHandler&gt;::resize):
(WTF::OverflowHandler&gt;::shrink):
(WTF::OverflowHandler&gt;::grow):
(WTF::OverflowHandler&gt;::reserveCapacity):
(WTF::OverflowHandler&gt;::tryReserveCapacity):
(WTF::OverflowHandler&gt;::shrinkCapacity):
(WTF::OverflowHandler&gt;::append):
(WTF::OverflowHandler&gt;::tryAppend):
(WTF::OverflowHandler&gt;::appendSlowCase):
(WTF::OverflowHandler&gt;::uncheckedAppend):
(WTF::OverflowHandler&gt;::appendVector):
(WTF::OverflowHandler&gt;::insert):
(WTF::OverflowHandler&gt;::insertVector):
(WTF::OverflowHandler&gt;::remove):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbbreviationsh">trunk/Source/JavaScriptCore/ftl/FTLAbbreviations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntDatacpp">trunk/Source/JavaScriptCore/llint/LLIntData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserParserh">trunk/Source/JavaScriptCore/parser/Parser.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArraycpp">trunk/Source/JavaScriptCore/runtime/JSArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretoolsProfileTreeNodeh">trunk/Source/JavaScriptCore/tools/ProfileTreeNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreyarrYarrJITcpp">trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp</a></li>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFWTFvcxprojWTFvcxproj">trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj</a></li>
<li><a href="#trunkSourceWTFWTFvcxprojWTFvcxprojfilters">trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj.filters</a></li>
<li><a href="#trunkSourceWTFWTFxcodeprojprojectpbxproj">trunk/Source/WTF/WTF.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWTFwtfRefCountedArrayh">trunk/Source/WTF/wtf/RefCountedArray.h</a></li>
<li><a href="#trunkSourceWTFwtfVectorh">trunk/Source/WTF/wtf/Vector.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsSerializedScriptValuecpp">trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp</a></li>
<li><a href="#trunkSourceWebCoreeditingTextIteratorcpp">trunk/Source/WebCore/editing/TextIterator.cpp</a></li>
<li><a href="#trunkSourceWebCorepagemacServicesOverlayControllermm">trunk/Source/WebCore/page/mac/ServicesOverlayController.mm</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsSegmentedFontDatacpp">trunk/Source/WebCore/platform/graphics/SegmentedFontData.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsWOFFFileFormatcpp">trunk/Source/WebCore/platform/graphics/WOFFFileFormat.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicscairoGradientCairocpp">trunk/Source/WebCore/platform/graphics/cairo/GradientCairo.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformimagedecodersgifGIFImageDecodercpp">trunk/Source/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderBoxcpp">trunk/Source/WebCore/rendering/RenderBox.cpp</a></li>
<li><a href="#trunkSourceWebCorerenderingstyleGridResolvedPositioncpp">trunk/Source/WebCore/rendering/style/GridResolvedPosition.cpp</a></li>
<li><a href="#trunkSourceWebCoresvgSVGFontElementcpp">trunk/Source/WebCore/svg/SVGFontElement.cpp</a></li>
<li><a href="#trunkSourceWebCoresvgSVGPathByteStreamh">trunk/Source/WebCore/svg/SVGPathByteStream.h</a></li>
<li><a href="#trunkSourceWebCorexmlXPathNodeSeth">trunk/Source/WebCore/xml/XPathNodeSet.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceWTFwtfIndexedIteratorh">trunk/Source/WTF/wtf/IndexedIterator.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2014-12-15  Oliver Hunt  &lt;oliver@apple.com&gt;
+
+        Make sure range based iteration of Vector&lt;&gt; still receives bounds checking
+        https://bugs.webkit.org/show_bug.cgi?id=138821
+
+        Reviewed by Mark Lam.
+
+        Update code to deal with slightly changed iterator semantics.
+
+        * bytecode/UnlinkedCodeBlock.cpp:
+        (JSC::UnlinkedCodeBlock::visitChildren):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitComplexPopScopes):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+        * ftl/FTLAbbreviations.h:
+        (JSC::FTL::mdNode):
+        (JSC::FTL::buildCall):
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * parser/Parser.h:
+        (JSC::Scope::Scope):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::setLengthWithArrayStorage):
+        (JSC::JSArray::sortCompactedVector):
+        * tools/ProfileTreeNode.h:
+        (JSC::ProfileTreeNode::dumpInternal):
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::matchCharacterClass):
+
</ins><span class="cx"> 2014-12-14  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         PutLocalSinkingPhase has an invalid assertion about incoming values, because both liveness and deferral analyses are conservative
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -229,9 +229,9 @@
</span><span class="cx">     Base::visitChildren(thisObject, visitor);
</span><span class="cx">     visitor.append(&amp;thisObject-&gt;m_symbolTable);
</span><span class="cx">     for (FunctionExpressionVector::iterator ptr = thisObject-&gt;m_functionDecls.begin(), end = thisObject-&gt;m_functionDecls.end(); ptr != end; ++ptr)
</span><del>-        visitor.append(ptr);
</del><ins>+        visitor.append(WTF::getPtr(ptr));
</ins><span class="cx">     for (FunctionExpressionVector::iterator ptr = thisObject-&gt;m_functionExprs.begin(), end = thisObject-&gt;m_functionExprs.end(); ptr != end; ++ptr)
</span><del>-        visitor.append(ptr);
</del><ins>+        visitor.append(WTF::getPtr(ptr));
</ins><span class="cx">     visitor.appendValues(thisObject-&gt;m_constantRegisters.data(), thisObject-&gt;m_constantRegisters.size());
</span><span class="cx">     if (thisObject-&gt;m_rareData) {
</span><span class="cx">         for (size_t i = 0, end = thisObject-&gt;m_rareData-&gt;m_regexps.size(); i != end; i++)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -2283,8 +2283,8 @@
</span><span class="cx">             int topScopeIndex = -1;
</span><span class="cx">             int bottomScopeIndex = -1;
</span><span class="cx">             if (flipScopes) {
</span><del>-                topScopeIndex = topScope - m_scopeContextStack.begin();
-                bottomScopeIndex = bottomScope - m_scopeContextStack.begin();
</del><ins>+                topScopeIndex = topScope - m_scopeContextStack.data();
+                bottomScopeIndex = bottomScope - m_scopeContextStack.data();
</ins><span class="cx">                 savedScopeContextStack = m_scopeContextStack;
</span><span class="cx">                 m_scopeContextStack.shrink(finallyContext.scopeContextStackSize);
</span><span class="cx">             }
</span><span class="lines">@@ -2328,7 +2328,7 @@
</span><span class="cx">             if (flipScopes) {
</span><span class="cx">                 m_scopeContextStack = savedScopeContextStack;
</span><span class="cx">                 topScope = &amp;m_scopeContextStack[topScopeIndex]; // assert it's within bounds
</span><del>-                bottomScope = m_scopeContextStack.begin() + bottomScopeIndex; // don't assert, since it the index might be -1.
</del><ins>+                bottomScope = m_scopeContextStack.data() + bottomScopeIndex; // don't assert, since it the index might be -1.
</ins><span class="cx">             }
</span><span class="cx">             if (flipSwitches)
</span><span class="cx">                 m_switchContextStack = savedSwitchContextStack;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -4910,7 +4910,7 @@
</span><span class="cx">     addBranch(
</span><span class="cx">         m_jit.branch32(JITCompiler::AboveOrEqual, value, Imm32(table.ctiOffsets.size())),
</span><span class="cx">         data-&gt;fallThrough.block);
</span><del>-    m_jit.move(TrustedImmPtr(table.ctiOffsets.begin()), scratch);
</del><ins>+    m_jit.move(TrustedImmPtr(table.ctiOffsets.data()), scratch);
</ins><span class="cx">     m_jit.loadPtr(JITCompiler::BaseIndex(scratch, value, JITCompiler::timesPtr()), scratch);
</span><span class="cx">     m_jit.jump(scratch);
</span><span class="cx">     data-&gt;didUseJumpTable = true;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbbreviationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbbreviations.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbbreviations.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbbreviations.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -120,7 +120,7 @@
</span><span class="cx"> static inline LValue mdString(LContext context, const char* string) { return mdString(context, string, std::strlen(string)); }
</span><span class="cx"> static inline LValue mdNode(LContext context, LValue* args, unsigned numArgs) { return llvm-&gt;MDNodeInContext(context, args, numArgs); }
</span><span class="cx"> template&lt;typename VectorType&gt;
</span><del>-static inline LValue mdNode(LContext context, const VectorType&amp; vector) { return mdNode(context, const_cast&lt;LValue*&gt;(vector.begin()), vector.size()); }
</del><ins>+static inline LValue mdNode(LContext context, const VectorType&amp; vector) { return mdNode(context, const_cast&lt;LValue*&gt;(vector.data()), vector.size()); }
</ins><span class="cx"> static inline LValue mdNode(LContext context) { return mdNode(context, 0, 0); }
</span><span class="cx"> static inline LValue mdNode(LContext context, LValue arg1) { return mdNode(context, &amp;arg1, 1); }
</span><span class="cx"> static inline LValue mdNode(LContext context, LValue arg1, LValue arg2)
</span><span class="lines">@@ -288,7 +288,7 @@
</span><span class="cx"> template&lt;typename VectorType&gt;
</span><span class="cx"> inline LValue buildCall(LBuilder builder, LValue function, const VectorType&amp; vector)
</span><span class="cx"> {
</span><del>-    return buildCall(builder, function, vector.begin(), vector.size());
</del><ins>+    return buildCall(builder, function, vector.data(), vector.size());
</ins><span class="cx"> }
</span><span class="cx"> static inline LValue buildCall(LBuilder builder, LValue function)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntData.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntData.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/llint/LLIntData.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -161,7 +161,7 @@
</span><span class="cx">     Vector&lt;int&gt; testVector;
</span><span class="cx">     testVector.resize(42);
</span><span class="cx">     ASSERT(bitwise_cast&lt;uint32_t*&gt;(&amp;testVector)[sizeof(void*)/sizeof(uint32_t) + 1] == 42);
</span><del>-    ASSERT(bitwise_cast&lt;int**&gt;(&amp;testVector)[0] == testVector.begin());
</del><ins>+    ASSERT(bitwise_cast&lt;int**&gt;(&amp;testVector)[0] == testVector.data());
</ins><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     ASSERT(StringImpl::s_hashFlag8BitBuffer == 32);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserParserh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Parser.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Parser.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/parser/Parser.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -130,10 +130,8 @@
</span><span class="cx">         if (rhs.m_labels) {
</span><span class="cx">             m_labels = std::make_unique&lt;LabelStack&gt;();
</span><span class="cx"> 
</span><del>-            typedef LabelStack::const_iterator iterator;
-            iterator end = rhs.m_labels-&gt;end();
-            for (iterator it = rhs.m_labels-&gt;begin(); it != end; ++it)
-                m_labels-&gt;append(ScopeLabelInfo(it-&gt;m_ident, it-&gt;m_isLoop));
</del><ins>+            for (auto label : *rhs.m_labels)
+                m_labels-&gt;append(ScopeLabelInfo(label.m_ident, label.m_isLoop));
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -351,7 +351,7 @@
</span><span class="cx">             // properties, so we have to perform deletion with caution, if not we can
</span><span class="cx">             // delete values in any order.
</span><span class="cx">             if (map-&gt;sparseMode()) {
</span><del>-                qsort(keys.begin(), keys.size(), sizeof(unsigned), compareKeysForQSort);
</del><ins>+                qsort(keys.data(), keys.size(), sizeof(unsigned), compareKeysForQSort);
</ins><span class="cx">                 unsigned i = keys.size();
</span><span class="cx">                 while (i) {
</span><span class="cx">                     unsigned index = keys[--i];
</span><span class="lines">@@ -1190,13 +1190,13 @@
</span><span class="cx">         
</span><span class="cx"> #if HAVE(MERGESORT)
</span><span class="cx">     if (isSortingPrimitiveValues)
</span><del>-        qsort(values.begin(), values.size(), sizeof(ValueStringPair), compareByStringPairForQSort);
</del><ins>+        qsort(values.data(), values.size(), sizeof(ValueStringPair), compareByStringPairForQSort);
</ins><span class="cx">     else
</span><del>-        mergesort(values.begin(), values.size(), sizeof(ValueStringPair), compareByStringPairForQSort);
</del><ins>+        mergesort(values.data(), values.size(), sizeof(ValueStringPair), compareByStringPairForQSort);
</ins><span class="cx"> #else
</span><span class="cx">     // FIXME: The qsort library function is likely to not be a stable sort.
</span><span class="cx">     // ECMAScript-262 does not specify a stable sort, but in practice, browsers perform a stable sort.
</span><del>-    qsort(values.begin(), values.size(), sizeof(ValueStringPair), compareByStringPairForQSort);
</del><ins>+    qsort(values.data(), values.size(), sizeof(ValueStringPair), compareByStringPairForQSort);
</ins><span class="cx"> #endif
</span><span class="cx">     
</span><span class="cx">     // If the toString function changed the length of the array or vector storage,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretoolsProfileTreeNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tools/ProfileTreeNode.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tools/ProfileTreeNode.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/tools/ProfileTreeNode.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -86,7 +86,7 @@
</span><span class="cx">         Vector&lt;MapEntry*&gt; entries;
</span><span class="cx">         for (Map::iterator it = m_children-&gt;begin(); it != m_children-&gt;end(); ++it)
</span><span class="cx">             entries.append(&amp;*it);
</span><del>-        qsort(entries.begin(), entries.size(), sizeof(MapEntry*), compareEntries);
</del><ins>+        qsort(entries.data(), entries.size(), sizeof(MapEntry*), compareEntries);
</ins><span class="cx"> 
</span><span class="cx">         // Iterate over the children in sample-frequency order.
</span><span class="cx">         for (size_t e = 0; e &lt; entries.size(); ++e) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreyarrYarrJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -223,7 +223,7 @@
</span><span class="cx">         if (charClass-&gt;m_ranges.size()) {
</span><span class="cx">             unsigned matchIndex = 0;
</span><span class="cx">             JumpList failures;
</span><del>-            matchCharacterClassRange(character, failures, matchDest, charClass-&gt;m_ranges.begin(), charClass-&gt;m_ranges.size(), &amp;matchIndex, charClass-&gt;m_matches.begin(), charClass-&gt;m_matches.size());
</del><ins>+            matchCharacterClassRange(character, failures, matchDest, charClass-&gt;m_ranges.data(), charClass-&gt;m_ranges.size(), &amp;matchIndex, charClass-&gt;m_matches.data(), charClass-&gt;m_matches.size());
</ins><span class="cx">             while (matchIndex &lt; charClass-&gt;m_matches.size())
</span><span class="cx">                 matchDest.append(branch32(Equal, character, Imm32((unsigned short)charClass-&gt;m_matches[matchIndex++])));
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/ChangeLog (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/ChangeLog        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WTF/ChangeLog        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -1,3 +1,89 @@
</span><ins>+2014-12-15  Oliver Hunt  &lt;oliver@apple.com&gt;
+
+        Make sure range based iteration of Vector&lt;&gt; still receives bounds checking
+        https://bugs.webkit.org/show_bug.cgi?id=138821
+
+        Reviewed by Mark Lam.
+
+        Add a new IndexedIterator struct to WTF that wraps a
+        Vector type and index to provide pointer like semantics
+        while still performing runtime bounds checking, even in
+        release builds. We store a simple index into the vector
+        which means that this iterator allows vector resizing
+        during iteration. If the vector is resized such that the
+        iterator is out of bounds, then any attempt to dereference
+        the iterator will crash safely.
+
+        For the purpose of retaining semantically equivalent
+        behaviour, the iterator can be moved to m_index == size()
+        as that is the standard &quot;end&quot; terminator for these types.
+        Attempting to dereference at that point will still crash
+        rather than perform an unsafe memory operation.
+
+        By necessity there are many overrides for operator + and - as
+        we otherwise hit many different type promotion ambiguities when
+        performing arithmetic with iterators. These ambiguities are also
+        different for 32- vs. 64-bit, so duplicating the functions
+        and then forwarding to the core implementations that performed
+        the bounds checking and mutation seemed like the right call.
+
+        * WTF.vcxproj/WTF.vcxproj:
+        * WTF.vcxproj/WTF.vcxproj.filters:
+        * WTF.xcodeproj/project.pbxproj:
+        * wtf/IndexedIterator.h: Added.
+        (WTF::IndexedIterator::IndexedIterator):
+        (WTF::IndexedIterator::operator-&gt;):
+        (WTF::IndexedIterator::operator*):
+        (WTF::IndexedIterator::get):
+        (WTF::IndexedIterator::operator++):
+        (WTF::IndexedIterator::operator--):
+        (WTF::IndexedIterator::operator UnspecifiedBoolType):
+        (WTF::IndexedIterator::operator-):
+        (WTF::IndexedIterator::operator=):
+        (WTF::IndexedIterator::operator==):
+        (WTF::IndexedIterator::operator!=):
+        (WTF::IndexedIterator::operator&lt;):
+        (WTF::IndexedIterator::operator&lt;=):
+        (WTF::IndexedIterator::operator&gt;):
+        (WTF::IndexedIterator::operator&gt;=):
+        (WTF::IndexedIterator::operator const_iterator):
+        (WTF::IndexedIterator::unsafeGet):
+        (WTF::getPtr):
+        (WTF::operator-):
+        (WTF::operator==):
+        (WTF::operator!=):
+        (WTF::operator&lt;=):
+        (WTF::operator&gt;=):
+        (WTF::operator&lt;):
+        (WTF::operator&gt;):
+        (WTF::IndexedIteratorSelector::makeIterator):
+        (WTF::IndexedIteratorSelector::makeConstIterator):
+        * wtf/RefCountedArray.h:
+        (WTF::RefCountedArray::RefCountedArray):
+        * wtf/Vector.h:
+        (WTF::Vector::Vector):
+        (WTF::Vector::begin):
+        (WTF::Vector::end):
+        (WTF::OverflowHandler&gt;::Vector):
+        (WTF::=):
+        (WTF::OverflowHandler&gt;::fill):
+        (WTF::OverflowHandler&gt;::expandCapacity):
+        (WTF::OverflowHandler&gt;::tryExpandCapacity):
+        (WTF::OverflowHandler&gt;::resize):
+        (WTF::OverflowHandler&gt;::shrink):
+        (WTF::OverflowHandler&gt;::grow):
+        (WTF::OverflowHandler&gt;::reserveCapacity):
+        (WTF::OverflowHandler&gt;::tryReserveCapacity):
+        (WTF::OverflowHandler&gt;::shrinkCapacity):
+        (WTF::OverflowHandler&gt;::append):
+        (WTF::OverflowHandler&gt;::tryAppend):
+        (WTF::OverflowHandler&gt;::appendSlowCase):
+        (WTF::OverflowHandler&gt;::uncheckedAppend):
+        (WTF::OverflowHandler&gt;::appendVector):
+        (WTF::OverflowHandler&gt;::insert):
+        (WTF::OverflowHandler&gt;::insertVector):
+        (WTF::OverflowHandler&gt;::remove):
+
</ins><span class="cx"> 2014-12-14  Andreas Kling  &lt;akling@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Minor follow-up tweaks suggested by Darin on bug 139587.
</span></span></pre></div>
<a id="trunkSourceWTFWTFvcxprojWTFvcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -221,6 +221,7 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\HashTable.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\HashTraits.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\HexNumber.h&quot; /&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\wtf\IndexedIterator.h&quot; /&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\IteratorAdaptors.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\IteratorRange.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\ListHashSet.h&quot; /&gt;
</span></span></pre></div>
<a id="trunkSourceWTFWTFvcxprojWTFvcxprojfilters"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj.filters (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj.filters        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WTF/WTF.vcxproj/WTF.vcxproj.filters        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -470,6 +470,9 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\HexNumber.h&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;wtf&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClInclude&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\wtf\IndexedIterator.h&quot;&gt;
+      &lt;Filter&gt;wtf&lt;/Filter&gt;
+    &lt;/ClInclude&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\wtf\IteratorAdaptors.h&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;wtf&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClInclude&gt;
</span></span></pre></div>
<a id="trunkSourceWTFWTFxcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/WTF.xcodeproj/project.pbxproj (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/WTF.xcodeproj/project.pbxproj        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WTF/WTF.xcodeproj/project.pbxproj        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -100,6 +100,7 @@
</span><span class="cx">                 A748745217A0BDAE00FA04CB /* SixCharacterHash.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A748744F17A0BDAE00FA04CB /* SixCharacterHash.cpp */; };
</span><span class="cx">                 A748745317A0BDAE00FA04CB /* SixCharacterHash.h in Headers */ = {isa = PBXBuildFile; fileRef = A748745017A0BDAE00FA04CB /* SixCharacterHash.h */; };
</span><span class="cx">                 A748745417A0BDAE00FA04CB /* StringHashDumpContext.h in Headers */ = {isa = PBXBuildFile; fileRef = A748745117A0BDAE00FA04CB /* StringHashDumpContext.h */; };
</span><ins>+                A7DC2F041A09A22D0072F4E3 /* IndexedIterator.h in Headers */ = {isa = PBXBuildFile; fileRef = A7DC2F031A099DE30072F4E3 /* IndexedIterator.h */; };
</ins><span class="cx">                 A7E643C617C5423B003BB16B /* Compression.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7E643C417C5423B003BB16B /* Compression.cpp */; };
</span><span class="cx">                 A7E643C717C5423B003BB16B /* Compression.h in Headers */ = {isa = PBXBuildFile; fileRef = A7E643C517C5423B003BB16B /* Compression.h */; };
</span><span class="cx">                 A876DBD8151816E500DADB95 /* Platform.h in Headers */ = {isa = PBXBuildFile; fileRef = A876DBD7151816E500DADB95 /* Platform.h */; };
</span><span class="lines">@@ -393,6 +394,7 @@
</span><span class="cx">                 A748744F17A0BDAE00FA04CB /* SixCharacterHash.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SixCharacterHash.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 A748745017A0BDAE00FA04CB /* SixCharacterHash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SixCharacterHash.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 A748745117A0BDAE00FA04CB /* StringHashDumpContext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StringHashDumpContext.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                A7DC2F031A099DE30072F4E3 /* IndexedIterator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IndexedIterator.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 A7E643C417C5423B003BB16B /* Compression.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Compression.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 A7E643C517C5423B003BB16B /* Compression.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Compression.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 A876DBD7151816E500DADB95 /* Platform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Platform.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -898,6 +900,7 @@
</span><span class="cx">                                 974CFC8D16A4F327006D5404 /* WeakPtr.h */,
</span><span class="cx">                                 A8A4737A151A825B004123FF /* WTFThreadData.cpp */,
</span><span class="cx">                                 A8A4737B151A825B004123FF /* WTFThreadData.h */,
</span><ins>+                                A7DC2F031A099DE30072F4E3 /* IndexedIterator.h */,
</ins><span class="cx">                         );
</span><span class="cx">                         path = wtf;
</span><span class="cx">                         sourceTree = &quot;&lt;group&gt;&quot;;
</span><span class="lines">@@ -1071,6 +1074,7 @@
</span><span class="cx">                                 A8A473AD151A825B004123FF /* cached-powers.h in Headers */,
</span><span class="cx">                                 A8A4745E151A825B004123FF /* CharacterNames.h in Headers */,
</span><span class="cx">                                 A8A47394151A825B004123FF /* CheckedArithmetic.h in Headers */,
</span><ins>+                                A7DC2F041A09A22D0072F4E3 /* IndexedIterator.h in Headers */,
</ins><span class="cx">                                 A8A47395151A825B004123FF /* CheckedBoolean.h in Headers */,
</span><span class="cx">                                 A8A4745F151A825B004123FF /* Collator.h in Headers */,
</span><span class="cx">                                 0FC4EDE61696149600F65041 /* CommaPrinter.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceWTFwtfIndexedIteratorh"></a>
<div class="addfile"><h4>Added: trunk/Source/WTF/wtf/IndexedIterator.h (0 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/IndexedIterator.h                                (rev 0)
+++ trunk/Source/WTF/wtf/IndexedIterator.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -0,0 +1,358 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef WTF_IndexedIterator_h
+#define WTF_IndexedIterator_h
+
+namespace WTF {
+
+#define INDEXED_ITERATOR_OVERFLOW(check) do {\
+    if (!(check))\
+        OverflowHandler::overflowed();\
+} while (0)
+
+template &lt;typename VectorType, typename T, typename OverflowHandler = CrashOnOverflow&gt; struct IndexedIterator {
+    typedef struct IndexedIterator&lt;const VectorType, const T, OverflowHandler&gt; const_iterator;
+
+    typedef T ValueType;
+    typedef ptrdiff_t difference_type;
+    typedef ValueType value_type;
+    typedef ValueType* pointer;
+    typedef ValueType&amp; reference;
+    typedef std::bidirectional_iterator_tag iterator_category;
+
+    IndexedIterator()
+        : m_vector(nullptr)
+        , m_position(0)
+    {
+    }
+
+    IndexedIterator(VectorType&amp; vector, ValueType* position)
+        : m_vector(&amp;vector)
+        , m_position(position - vector.data())
+    {
+    }
+
+    IndexedIterator(const IndexedIterator&amp; other)
+        : m_vector(other.m_vector)
+        , m_position(other.m_position)
+    {
+    }
+
+    ValueType* operator-&gt;() const { return &amp;m_vector-&gt;at(m_position); }
+    ValueType&amp; operator*() const { return m_vector-&gt;at(m_position); }
+    ValueType* get() const
+    {
+        if (!m_vector)
+            return nullptr;
+        INDEXED_ITERATOR_OVERFLOW(m_position &lt;= m_vector-&gt;size());
+        return m_vector-&gt;data() + m_position;
+    }
+
+    IndexedIterator&amp; operator++()
+    {
+        m_position++;
+        return *this;
+    }
+
+    IndexedIterator operator++(int)
+    {
+        IndexedIterator result(*this);
+        m_position++;
+        return result;
+    }
+
+    IndexedIterator&amp; operator--()
+    {
+        m_position--;
+        return *this;
+    }
+
+    IndexedIterator operator--(int)
+    {
+        IndexedIterator result(*this);
+        m_position--;
+        return result;
+    }
+
+    // This conversion operator allows implicit conversion to bool but not to other integer types.
+    typedef size_t (IndexedIterator::*UnspecifiedBoolType);
+    operator UnspecifiedBoolType() const { return m_vector ? &amp;IndexedIterator::m_position : nullptr; }
+
+#if __SIZEOF_SIZE_T__ != __SIZEOF_INT__ || PLATFORM(COCOA)
+#define _UNSIGNED_If_DIFFERENT(macro) macro(unsigned)
+#else
+#define _UNSIGNED_If_DIFFERENT(macro)
+#endif
+
+#define FOR_EACH_INTEGER_TYPE(macro) \
+    macro(size_t) \
+    macro(int32_t) \
+    macro(long) \
+    macro(long long) \
+    macro(unsigned long long) \
+    _UNSIGNED_If_DIFFERENT(macro)
+
+#define MODIFIER_OPS(type) \
+    IndexedIterator&amp; operator+=(type increment) \
+    { \
+        m_position += increment; \
+        return *this; \
+    } \
+\
+    IndexedIterator&amp; operator-=(type decrement) \
+    { \
+        m_position -= decrement; \
+        return *this; \
+    }
+
+    FOR_EACH_INTEGER_TYPE(MODIFIER_OPS)
+
+#undef MODIFIER_OPS
+
+#define ARITHMETIC_OPS(type) \
+    IndexedIterator operator+(type increment) const \
+    { \
+        IndexedIterator result(*this); \
+        result.m_position += increment; \
+        return result; \
+    } \
+\
+    IndexedIterator operator-(type decrement) const \
+    { \
+        IndexedIterator result(*this); \
+        result.m_position -= decrement; \
+        return result; \
+    }
+
+
+    FOR_EACH_INTEGER_TYPE(ARITHMETIC_OPS)
+
+#undef ARITHMETIC_OPS
+
+    ptrdiff_t operator-(const const_iterator&amp; right) const
+    {
+        return m_position - right.m_position;
+    }
+
+    ptrdiff_t operator-(const ValueType* right) const
+    {
+        return get() - right;
+    }
+
+    void operator=(const IndexedIterator&amp; other)
+    {
+        m_vector = other.m_vector;
+        m_position = other.m_position;
+    }
+
+    bool operator==(const const_iterator&amp; other) const
+    {
+        return unsafeGet() == other.unsafeGet();
+    }
+
+    bool operator!=(const const_iterator&amp; other) const
+    {
+        return unsafeGet() != other.unsafeGet();
+    }
+
+    bool operator==(const ValueType* other) const
+    {
+        return unsafeGet() == other;
+    }
+
+    bool operator!=(const ValueType* other) const
+    {
+        return unsafeGet() != other;
+    }
+
+    bool operator&lt;(const ValueType* other) const
+    {
+        return unsafeGet() &lt; other;
+    }
+
+    bool operator&lt;=(const ValueType* other) const
+    {
+        return unsafeGet() &lt;= other;
+    }
+
+    bool operator&lt;(const const_iterator&amp; other) const
+    {
+        return unsafeGet() &lt; other.unsafeGet();
+    }
+
+    bool operator&lt;=(const const_iterator&amp; other) const
+    {
+        return unsafeGet() &lt;= other.unsafeGet();
+    }
+
+    bool operator&gt;(const IndexedIterator&amp; other) const
+    {
+        return unsafeGet() &gt; other.unsafeGet();
+    }
+
+    bool operator&gt;=(const const_iterator&amp; other) const
+    {
+        return unsafeGet() &gt;= other.unsafeGet();
+    }
+
+    bool operator&gt;(const ValueType* other) const
+    {
+        return unsafeGet() &gt; other;
+    }
+
+    bool operator&gt;=(const ValueType* other) const
+    {
+        return unsafeGet() &gt;= other;
+    }
+
+    operator const_iterator() const
+    {
+        const_iterator result;
+        result.m_vector = m_vector;
+        result.m_position = m_position;
+        return result;
+    }
+
+    VectorType* m_vector;
+    size_t m_position;
+
+    ValueType* unsafeGet() const
+    {
+        if (!m_vector)
+            return nullptr;
+        return get();
+    }
+};
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline typename IndexedIterator&lt;T, ValueType, OverflowHandler&gt;::ValueType* getPtr(IndexedIterator&lt;T, ValueType, OverflowHandler&gt; p)
+{
+    return p.get();
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline ptrdiff_t operator-(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return left - right.get();
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline ptrdiff_t operator-(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return left - right.get();
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline ptrdiff_t operator-(const ValueType* left, const IndexedIterator&lt;const T, const ValueType, OverflowHandler&gt;&amp; right)
+{
+    return left - right.get();
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator==(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right == left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator==(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right == left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator!=(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right != left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator!=(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right != left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&lt;=(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &gt;= left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&lt;=(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &gt;= left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&gt;=(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &lt;= left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&gt;=(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &lt;= left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&lt;(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &gt; left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&lt;(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &gt; left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&gt;(ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &lt; left;
+}
+
+template &lt;typename T, typename ValueType, typename OverflowHandler&gt;
+inline bool operator&gt;(const ValueType* left, const IndexedIterator&lt;T, ValueType, OverflowHandler&gt;&amp; right)
+{
+    return right &lt; left;
+}
+
+template &lt;typename VectorType, typename OverflowHandler&gt; struct IndexedIteratorSelector {
+    typedef typename VectorType::ValueType ValueType;
+    typedef IndexedIterator&lt;VectorType, ValueType, OverflowHandler&gt; iterator;
+    typedef typename iterator::const_iterator const_iterator;
+    static iterator makeIterator(VectorType&amp; vector, ValueType* p) { return iterator(vector, p); }
+    static const_iterator makeConstIterator(const VectorType&amp; vector, const ValueType* p) { return const_iterator(vector, p); }
+};
+
+#undef INDEXED_ITERATOR_OVERFLOW
+
+}
+
+#endif
</ins></span></pre></div>
<a id="trunkSourceWTFwtfRefCountedArrayh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/RefCountedArray.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/RefCountedArray.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WTF/wtf/RefCountedArray.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">         Header::fromPayload(m_data)-&gt;refCount = 1;
</span><span class="cx">         Header::fromPayload(m_data)-&gt;length = other.size();
</span><span class="cx">         ASSERT(Header::fromPayload(m_data)-&gt;length == other.size());
</span><del>-        VectorTypeOperations&lt;T&gt;::uninitializedCopy(other.begin(), other.end(), m_data);
</del><ins>+        VectorTypeOperations&lt;T&gt;::uninitializedCopy(getPtr(other.begin()), getPtr(other.end()), m_data);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     RefCountedArray&amp; operator=(const RefCountedArray&amp; other)
</span></span></pre></div>
<a id="trunkSourceWTFwtfVectorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/Vector.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/Vector.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WTF/wtf/Vector.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -28,6 +28,8 @@
</span><span class="cx"> #include &lt;utility&gt;
</span><span class="cx"> #include &lt;wtf/CheckedArithmetic.h&gt;
</span><span class="cx"> #include &lt;wtf/FastMalloc.h&gt;
</span><ins>+#include &lt;wtf/GetPtr.h&gt;
+#include &lt;wtf/IndexedIterator.h&gt;
</ins><span class="cx"> #include &lt;wtf/MallocPtr.h&gt;
</span><span class="cx"> #include &lt;wtf/Noncopyable.h&gt;
</span><span class="cx"> #include &lt;wtf/StdLibExtras.h&gt;
</span><span class="lines">@@ -553,14 +555,17 @@
</span><span class="cx"> class Vector : private VectorBuffer&lt;T, inlineCapacity&gt; {
</span><span class="cx">     WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> private:
</span><ins>+
</ins><span class="cx">     typedef VectorBuffer&lt;T, inlineCapacity&gt; Base;
</span><span class="cx">     typedef VectorTypeOperations&lt;T&gt; TypeOperations;
</span><ins>+    typedef IndexedIteratorSelector&lt;Vector, OverflowHandler&gt; IteratorSelector;
</ins><span class="cx"> 
</span><span class="cx"> public:
</span><span class="cx">     typedef T ValueType;
</span><span class="cx"> 
</span><del>-    typedef T* iterator;
-    typedef const T* const_iterator;
</del><ins>+    typedef typename IteratorSelector::iterator iterator;
+    typedef typename IteratorSelector::const_iterator const_iterator;
+
</ins><span class="cx">     typedef std::reverse_iterator&lt;iterator&gt; reverse_iterator;
</span><span class="cx">     typedef std::reverse_iterator&lt;const_iterator&gt; const_reverse_iterator;
</span><span class="cx"> 
</span><span class="lines">@@ -573,14 +578,14 @@
</span><span class="cx">         : Base(size, size)
</span><span class="cx">     {
</span><span class="cx">         if (begin())
</span><del>-            TypeOperations::initialize(begin(), end());
</del><ins>+            TypeOperations::initialize(getPtr(begin()), getPtr(end()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     Vector(size_t size, const T&amp; val)
</span><span class="cx">         : Base(size, size)
</span><span class="cx">     {
</span><span class="cx">         if (begin())
</span><del>-            TypeOperations::uninitializedFill(begin(), end(), val);
</del><ins>+            TypeOperations::uninitializedFill(getPtr(begin()), getPtr(end()), val);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     Vector(std::initializer_list&lt;T&gt; initializerList)
</span><span class="lines">@@ -644,10 +649,10 @@
</span><span class="cx">     const T* data() const { return Base::buffer(); }
</span><span class="cx">     static ptrdiff_t dataMemoryOffset() { return Base::bufferMemoryOffset(); }
</span><span class="cx"> 
</span><del>-    iterator begin() { return data(); }
-    iterator end() { return begin() + m_size; }
-    const_iterator begin() const { return data(); }
-    const_iterator end() const { return begin() + m_size; }
</del><ins>+    iterator begin() { return IteratorSelector::makeIterator(*this, data()); }
+    iterator end() { return begin() + size(); }
+    const_iterator begin() const { return IteratorSelector::makeConstIterator(*this, data()); }
+    const_iterator end() const { return begin() + size(); }
</ins><span class="cx"> 
</span><span class="cx">     reverse_iterator rbegin() { return reverse_iterator(end()); }
</span><span class="cx">     reverse_iterator rend() { return reverse_iterator(begin()); }
</span><span class="lines">@@ -682,6 +687,7 @@
</span><span class="cx"> 
</span><span class="cx">     void clear() { shrinkCapacity(0); }
</span><span class="cx"> 
</span><ins>+    void append(const_iterator, size_t);
</ins><span class="cx">     template&lt;typename U&gt; void append(const U*, size_t);
</span><span class="cx">     template&lt;typename U&gt; void append(U&amp;&amp;);
</span><span class="cx">     template&lt;typename U&gt; void uncheckedAppend(U&amp;&amp; val);
</span><span class="lines">@@ -745,7 +751,7 @@
</span><span class="cx">     : Base(other.capacity(), other.size())
</span><span class="cx"> {
</span><span class="cx">     if (begin())
</span><del>-        TypeOperations::uninitializedCopy(other.begin(), other.end(), begin());
</del><ins>+        TypeOperations::uninitializedCopy(getPtr(other.begin()), getPtr(other.end()), getPtr(begin()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
</span><span class="lines">@@ -754,7 +760,7 @@
</span><span class="cx">     : Base(other.capacity(), other.size())
</span><span class="cx"> {
</span><span class="cx">     if (begin())
</span><del>-        TypeOperations::uninitializedCopy(other.begin(), other.end(), begin());
</del><ins>+        TypeOperations::uninitializedCopy(getPtr(other.begin()), getPtr(other.end()), getPtr(begin()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
</span><span class="lines">@@ -771,8 +777,8 @@
</span><span class="cx">         ASSERT(begin());
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    std::copy(other.begin(), other.begin() + size(), begin());
-    TypeOperations::uninitializedCopy(other.begin() + size(), other.end(), end());
</del><ins>+    std::copy(getPtr(other.begin()), getPtr(other.begin() + size()), getPtr(begin()));
+    TypeOperations::uninitializedCopy(getPtr(other.begin() + size()), getPtr(other.end()), getPtr(end()));
</ins><span class="cx">     m_size = other.size();
</span><span class="cx"> 
</span><span class="cx">     return *this;
</span><span class="lines">@@ -796,9 +802,9 @@
</span><span class="cx">         reserveCapacity(other.size());
</span><span class="cx">         ASSERT(begin());
</span><span class="cx">     }
</span><del>-    
-    std::copy(other.begin(), other.begin() + size(), begin());
-    TypeOperations::uninitializedCopy(other.begin() + size(), other.end(), end());
</del><ins>+
+    std::copy(getPtr(other.begin()), getPtr(other.begin() + size()), getPtr(begin()));
+    TypeOperations::uninitializedCopy(getPtr(other.begin() + size()), getPtr(other.end()), getPtr(end()));
</ins><span class="cx">     m_size = other.size();
</span><span class="cx"> 
</span><span class="cx">     return *this;
</span><span class="lines">@@ -858,8 +864,8 @@
</span><span class="cx">         ASSERT(begin());
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    std::fill(begin(), end(), val);
-    TypeOperations::uninitializedFill(end(), begin() + newSize, val);
</del><ins>+    std::fill(getPtr(begin()), getPtr(end()), val);
+    TypeOperations::uninitializedFill(getPtr(end()), getPtr(begin()) + newSize, val);
</ins><span class="cx">     m_size = newSize;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -880,13 +886,13 @@
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
</span><span class="cx"> T* Vector&lt;T, inlineCapacity, OverflowHandler&gt;::expandCapacity(size_t newMinCapacity, T* ptr)
</span><span class="cx"> {
</span><del>-    if (ptr &lt; begin() || ptr &gt;= end()) {
</del><ins>+    if (ptr &lt; getPtr(begin()) || ptr &gt;= getPtr(end())) {
</ins><span class="cx">         expandCapacity(newMinCapacity);
</span><span class="cx">         return ptr;
</span><span class="cx">     }
</span><span class="cx">     size_t index = ptr - begin();
</span><span class="cx">     expandCapacity(newMinCapacity);
</span><del>-    return begin() + index;
</del><ins>+    return getPtr(begin() + index);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
</span><span class="lines">@@ -898,15 +904,15 @@
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
</span><span class="cx"> const T* Vector&lt;T, inlineCapacity, OverflowHandler&gt;::tryExpandCapacity(size_t newMinCapacity, const T* ptr)
</span><span class="cx"> {
</span><del>-    if (ptr &lt; begin() || ptr &gt;= end()) {
</del><ins>+    if (ptr &lt; getPtr(begin()) || ptr &gt;= getPtr(end())) {
</ins><span class="cx">         if (!tryExpandCapacity(newMinCapacity))
</span><span class="cx">             return 0;
</span><span class="cx">         return ptr;
</span><span class="cx">     }
</span><del>-    size_t index = ptr - begin();
</del><ins>+    size_t index = (ptr - begin());
</ins><span class="cx">     if (!tryExpandCapacity(newMinCapacity))
</span><span class="cx">         return 0;
</span><del>-    return begin() + index;
</del><ins>+    return getPtr(begin()) + index;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt; template&lt;typename U&gt;
</span><span class="lines">@@ -920,12 +926,12 @@
</span><span class="cx"> inline void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::resize(size_t size)
</span><span class="cx"> {
</span><span class="cx">     if (size &lt;= m_size)
</span><del>-        TypeOperations::destruct(begin() + size, end());
</del><ins>+        TypeOperations::destruct(getPtr(begin()) + size, getPtr(end()));
</ins><span class="cx">     else {
</span><span class="cx">         if (size &gt; capacity())
</span><span class="cx">             expandCapacity(size);
</span><span class="cx">         if (begin())
</span><del>-            TypeOperations::initialize(end(), begin() + size);
</del><ins>+            TypeOperations::initialize(getPtr(end()), getPtr(begin()) + size);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     m_size = size;
</span><span class="lines">@@ -942,7 +948,7 @@
</span><span class="cx"> void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::shrink(size_t size)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(size &lt;= m_size);
</span><del>-    TypeOperations::destruct(begin() + size, end());
</del><ins>+    TypeOperations::destruct(getPtr(begin()) + size, getPtr(end()));
</ins><span class="cx">     m_size = size;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -953,7 +959,7 @@
</span><span class="cx">     if (size &gt; capacity())
</span><span class="cx">         expandCapacity(size);
</span><span class="cx">     if (begin())
</span><del>-        TypeOperations::initialize(end(), begin() + size);
</del><ins>+        TypeOperations::initialize(getPtr(end()), getPtr(begin()) + size);
</ins><span class="cx">     m_size = size;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -962,11 +968,11 @@
</span><span class="cx"> {
</span><span class="cx">     if (newCapacity &lt;= capacity())
</span><span class="cx">         return;
</span><del>-    T* oldBuffer = begin();
-    T* oldEnd = end();
</del><ins>+    T* oldBuffer = getPtr(begin());
+    T* oldEnd = getPtr(end());
</ins><span class="cx">     Base::allocateBuffer(newCapacity);
</span><span class="cx">     ASSERT(begin());
</span><del>-    TypeOperations::move(oldBuffer, oldEnd, begin());
</del><ins>+    TypeOperations::move(oldBuffer, oldEnd, getPtr(begin()));
</ins><span class="cx">     Base::deallocateBuffer(oldBuffer);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -975,12 +981,12 @@
</span><span class="cx"> {
</span><span class="cx">     if (newCapacity &lt;= capacity())
</span><span class="cx">         return true;
</span><del>-    T* oldBuffer = begin();
-    T* oldEnd = end();
</del><ins>+    T* oldBuffer = getPtr(begin());
+    T* oldEnd = getPtr(end());
</ins><span class="cx">     if (!Base::tryAllocateBuffer(newCapacity))
</span><span class="cx">         return false;
</span><span class="cx">     ASSERT(begin());
</span><del>-    TypeOperations::move(oldBuffer, oldEnd, begin());
</del><ins>+    TypeOperations::move(oldBuffer, oldEnd, getPtr(begin()));
</ins><span class="cx">     Base::deallocateBuffer(oldBuffer);
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="lines">@@ -1003,17 +1009,17 @@
</span><span class="cx">     if (newCapacity &lt; size()) 
</span><span class="cx">         shrink(newCapacity);
</span><span class="cx"> 
</span><del>-    T* oldBuffer = begin();
</del><ins>+    T* oldBuffer = getPtr(begin());
</ins><span class="cx">     if (newCapacity &gt; 0) {
</span><span class="cx">         if (Base::shouldReallocateBuffer(newCapacity)) {
</span><span class="cx">             Base::reallocateBuffer(newCapacity);
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        T* oldEnd = end();
</del><ins>+        T* oldEnd = getPtr(end());
</ins><span class="cx">         Base::allocateBuffer(newCapacity);
</span><span class="cx">         if (begin() != oldBuffer)
</span><del>-            TypeOperations::move(oldBuffer, oldEnd, begin());
</del><ins>+            TypeOperations::move(oldBuffer, oldEnd, getPtr(begin()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     Base::deallocateBuffer(oldBuffer);
</span><span class="lines">@@ -1033,11 +1039,17 @@
</span><span class="cx">     }
</span><span class="cx">     if (newSize &lt; m_size)
</span><span class="cx">         CRASH();
</span><del>-    T* dest = end();
</del><ins>+    T* dest = getPtr(end());
</ins><span class="cx">     VectorCopier&lt;std::is_trivial&lt;T&gt;::value, U&gt;::uninitializedCopy(data, &amp;data[dataSize], dest);
</span><span class="cx">     m_size = newSize;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
+void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::append(const_iterator data, size_t dataSize)
+{
+    append(getPtr(data), dataSize);
+}
+
</ins><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt; template&lt;typename U&gt;
</span><span class="cx"> bool Vector&lt;T, inlineCapacity, OverflowHandler&gt;::tryAppend(const U* data, size_t dataSize)
</span><span class="cx"> {
</span><span class="lines">@@ -1050,7 +1062,7 @@
</span><span class="cx">     }
</span><span class="cx">     if (newSize &lt; m_size)
</span><span class="cx">         return false;
</span><del>-    T* dest = end();
</del><ins>+    T* dest = getPtr(end());
</ins><span class="cx">     VectorCopier&lt;std::is_trivial&lt;T&gt;::value, U&gt;::uninitializedCopy(data, &amp;data[dataSize], dest);
</span><span class="cx">     m_size = newSize;
</span><span class="cx">     return true;
</span><span class="lines">@@ -1060,7 +1072,7 @@
</span><span class="cx"> ALWAYS_INLINE void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::append(U&amp;&amp; value)
</span><span class="cx"> {
</span><span class="cx">     if (size() != capacity()) {
</span><del>-        new (NotNull, end()) T(std::forward&lt;U&gt;(value));
</del><ins>+        new (NotNull, getPtr(end())) T(std::forward&lt;U&gt;(value));
</ins><span class="cx">         ++m_size;
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="lines">@@ -1077,7 +1089,7 @@
</span><span class="cx">     ptr = expandCapacity(size() + 1, ptr);
</span><span class="cx">     ASSERT(begin());
</span><span class="cx"> 
</span><del>-    new (NotNull, end()) T(std::forward&lt;U&gt;(*ptr));
</del><ins>+    new (NotNull, getPtr(end())) T(std::forward&lt;U&gt;(*ptr));
</ins><span class="cx">     ++m_size;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1090,14 +1102,14 @@
</span><span class="cx">     ASSERT(size() &lt; capacity());
</span><span class="cx"> 
</span><span class="cx">     auto ptr = std::addressof(value);
</span><del>-    new (NotNull, end()) T(std::forward&lt;U&gt;(*ptr));
</del><ins>+    new (NotNull, getPtr(end())) T(std::forward&lt;U&gt;(*ptr));
</ins><span class="cx">     ++m_size;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt; template&lt;typename U, size_t otherCapacity&gt;
</span><span class="cx"> inline void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::appendVector(const Vector&lt;U, otherCapacity&gt;&amp; val)
</span><span class="cx"> {
</span><del>-    append(val.begin(), val.size());
</del><ins>+    append(getPtr(val.begin()), val.size());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt; template&lt;typename U&gt;
</span><span class="lines">@@ -1111,8 +1123,8 @@
</span><span class="cx">     }
</span><span class="cx">     if (newSize &lt; m_size)
</span><span class="cx">         CRASH();
</span><del>-    T* spot = begin() + position;
-    TypeOperations::moveOverlapping(spot, end(), spot + dataSize);
</del><ins>+    T* spot = getPtr(begin()) + position;
+    TypeOperations::moveOverlapping(spot, getPtr(end()), spot + dataSize);
</ins><span class="cx">     VectorCopier&lt;std::is_trivial&lt;T&gt;::value, U&gt;::uninitializedCopy(data, &amp;data[dataSize], spot);
</span><span class="cx">     m_size = newSize;
</span><span class="cx"> }
</span><span class="lines">@@ -1128,8 +1140,8 @@
</span><span class="cx">         ASSERT(begin());
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    T* spot = begin() + position;
-    TypeOperations::moveOverlapping(spot, end(), spot + 1);
</del><ins>+    T* spot = getPtr(begin()) + position;
+    TypeOperations::moveOverlapping(spot, getPtr(end()), spot + 1);
</ins><span class="cx">     new (NotNull, spot) T(std::forward&lt;U&gt;(*ptr));
</span><span class="cx">     ++m_size;
</span><span class="cx"> }
</span><span class="lines">@@ -1137,16 +1149,16 @@
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt; template&lt;typename U, size_t c&gt;
</span><span class="cx"> inline void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::insertVector(size_t position, const Vector&lt;U, c&gt;&amp; val)
</span><span class="cx"> {
</span><del>-    insert(position, val.begin(), val.size());
</del><ins>+    insert(position, getPtr(val.begin()), val.size());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T, size_t inlineCapacity, typename OverflowHandler&gt;
</span><span class="cx"> inline void Vector&lt;T, inlineCapacity, OverflowHandler&gt;::remove(size_t position)
</span><span class="cx"> {
</span><span class="cx">     ASSERT_WITH_SECURITY_IMPLICATION(position &lt; size());
</span><del>-    T* spot = begin() + position;
</del><ins>+    T* spot = getPtr(begin()) + position;
</ins><span class="cx">     spot-&gt;~T();
</span><del>-    TypeOperations::moveOverlapping(spot + 1, end(), spot);
</del><ins>+    TypeOperations::moveOverlapping(spot + 1, getPtr(end()), spot);
</ins><span class="cx">     --m_size;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1155,10 +1167,10 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT_WITH_SECURITY_IMPLICATION(position &lt;= size());
</span><span class="cx">     ASSERT_WITH_SECURITY_IMPLICATION(position + length &lt;= size());
</span><del>-    T* beginSpot = begin() + position;
</del><ins>+    T* beginSpot = getPtr(begin()) + position;
</ins><span class="cx">     T* endSpot = beginSpot + length;
</span><span class="cx">     TypeOperations::destruct(beginSpot, endSpot); 
</span><del>-    TypeOperations::moveOverlapping(endSpot, end(), beginSpot);
</del><ins>+    TypeOperations::moveOverlapping(endSpot, getPtr(end()), beginSpot);
</ins><span class="cx">     m_size -= length;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/ChangeLog        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -1,3 +1,41 @@
</span><ins>+2014-12-15  Oliver Hunt  &lt;oliver@apple.com&gt;
+
+        Make sure range based iteration of Vector&lt;&gt; still receives bounds checking
+        https://bugs.webkit.org/show_bug.cgi?id=138821
+
+        Reviewed by Mark Lam.
+
+        Update to deal with different iterator type.
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::deserializeString):
+        * editing/TextIterator.cpp:
+        (WebCore::SearchBuffer::isBadMatch):
+        * page/mac/ServicesOverlayController.mm:
+        (WebCore::ServicesOverlayController::buildSelectionHighlight):
+        * platform/graphics/SegmentedFontData.cpp:
+        (WebCore::SegmentedFontData::fontDataForCharacter):
+        (WebCore::SegmentedFontData::containsCharacter):
+        (WebCore::SegmentedFontData::isLoading):
+        * platform/graphics/WOFFFileFormat.cpp:
+        (WebCore::convertWOFFToSfnt):
+        * platform/graphics/cairo/GradientCairo.cpp:
+        (WebCore::Gradient::platformGradient):
+        * platform/image-decoders/gif/GIFImageDecoder.cpp:
+        (WebCore::GIFImageDecoder::clearFrameBufferCache):
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::paintFillLayers):
+        * rendering/style/GridResolvedPosition.cpp:
+        (WebCore::firstNamedGridLineBeforePosition):
+        (WebCore::GridResolvedPosition::resolveRowEndColumnEndNamedGridLinePositionAgainstOppositePosition):
+        * svg/SVGFontElement.cpp:
+        (WebCore::kerningForPairOfStringsAndGlyphs):
+        * svg/SVGPathByteStream.h:
+        (WebCore::SVGPathByteStream::append):
+        * xml/XPathNodeSet.h:
+        (WebCore::XPath::NodeSet::begin):
+        (WebCore::XPath::NodeSet::end):
+
</ins><span class="cx"> 2014-12-15  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Move '-webkit-text-decoration-skip' to the new StyleBuilder
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsSerializedScriptValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -1442,8 +1442,8 @@
</span><span class="cx">     {
</span><span class="cx">         if (buffer.isEmpty())
</span><span class="cx">             return String();
</span><del>-        const uint8_t* ptr = buffer.begin();
-        const uint8_t* end = buffer.end();
</del><ins>+        const uint8_t* ptr = getPtr(buffer.begin());
+        const uint8_t* end = getPtr(buffer.end());
</ins><span class="cx">         uint32_t version;
</span><span class="cx">         if (!readLittleEndian(ptr, end, version) || version &gt; CurrentVersion)
</span><span class="cx">             return String();
</span></span></pre></div>
<a id="trunkSourceWebCoreeditingTextIteratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/editing/TextIterator.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/editing/TextIterator.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/editing/TextIterator.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -2073,11 +2073,11 @@
</span><span class="cx">     // creating a new one each time.
</span><span class="cx">     normalizeCharacters(match, matchLength, m_normalizedMatch);
</span><span class="cx"> 
</span><del>-    const UChar* a = m_normalizedTarget.begin();
-    const UChar* aEnd = m_normalizedTarget.end();
</del><ins>+    const UChar* a = getPtr(m_normalizedTarget.begin());
+    const UChar* aEnd = getPtr(m_normalizedTarget.end());
</ins><span class="cx"> 
</span><del>-    const UChar* b = m_normalizedMatch.begin();
-    const UChar* bEnd = m_normalizedMatch.end();
</del><ins>+    const UChar* b = getPtr(m_normalizedMatch.begin());
+    const UChar* bEnd = getPtr(m_normalizedMatch.end());
</ins><span class="cx"> 
</span><span class="cx">     while (true) {
</span><span class="cx">         // Skip runs of non-kana-letter characters. This is necessary so we can
</span></span></pre></div>
<a id="trunkSourceWebCorepagemacServicesOverlayControllermm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/mac/ServicesOverlayController.mm (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/mac/ServicesOverlayController.mm        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/page/mac/ServicesOverlayController.mm        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -542,7 +542,7 @@
</span><span class="cx"> 
</span><span class="cx">         if (!cgRects.isEmpty()) {
</span><span class="cx">             CGRect visibleRect = mainFrameView-&gt;visibleContentRect();
</span><del>-            RetainPtr&lt;DDHighlightRef&gt; ddHighlight = adoptCF(DDHighlightCreateWithRectsInVisibleRectWithStyleAndDirection(nullptr, cgRects.begin(), cgRects.size(), visibleRect, DDHighlightStyleBubbleNone | DDHighlightStyleStandardIconArrow | DDHighlightStyleButtonShowAlways, YES, NSWritingDirectionNatural, NO, YES));
</del><ins>+            RetainPtr&lt;DDHighlightRef&gt; ddHighlight = adoptCF(DDHighlightCreateWithRectsInVisibleRectWithStyleAndDirection(nullptr, cgRects.data(), cgRects.size(), visibleRect, DDHighlightStyleBubbleNone | DDHighlightStyleStandardIconArrow | DDHighlightStyleButtonShowAlways, YES, NSWritingDirectionNatural, NO, YES));
</ins><span class="cx">             
</span><span class="cx">             newPotentialHighlights.add(Highlight::createForSelection(*this, ddHighlight, selectionRange));
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicsSegmentedFontDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/SegmentedFontData.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/SegmentedFontData.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/platform/graphics/SegmentedFontData.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -39,8 +39,8 @@
</span><span class="cx"> 
</span><span class="cx"> const SimpleFontData* SegmentedFontData::fontDataForCharacter(UChar32 c) const
</span><span class="cx"> {
</span><del>-    Vector&lt;FontDataRange&gt;::const_iterator end = m_ranges.end();
-    for (Vector&lt;FontDataRange&gt;::const_iterator it = m_ranges.begin(); it != end; ++it) {
</del><ins>+    auto end = m_ranges.end();
+    for (auto it = m_ranges.begin(); it != end; ++it) {
</ins><span class="cx">         if (it-&gt;from() &lt;= c &amp;&amp; it-&gt;to() &gt;= c)
</span><span class="cx">             return it-&gt;fontData().get();
</span><span class="cx">     }
</span><span class="lines">@@ -49,8 +49,8 @@
</span><span class="cx"> 
</span><span class="cx"> bool SegmentedFontData::containsCharacter(UChar32 c) const
</span><span class="cx"> {
</span><del>-    Vector&lt;FontDataRange&gt;::const_iterator end = m_ranges.end();
-    for (Vector&lt;FontDataRange&gt;::const_iterator it = m_ranges.begin(); it != end; ++it) {
</del><ins>+    auto end = m_ranges.end();
+    for (auto it = m_ranges.begin(); it != end; ++it) {
</ins><span class="cx">         if (c &gt;= it-&gt;from() &amp;&amp; c &lt;= it-&gt;to())
</span><span class="cx">             return true;
</span><span class="cx">     }
</span><span class="lines">@@ -76,8 +76,8 @@
</span><span class="cx"> 
</span><span class="cx"> bool SegmentedFontData::isLoading() const
</span><span class="cx"> {
</span><del>-    Vector&lt;FontDataRange&gt;::const_iterator end = m_ranges.end();
-    for (Vector&lt;FontDataRange&gt;::const_iterator it = m_ranges.begin(); it != end; ++it) {
</del><ins>+    auto end = m_ranges.end();
+    for (auto it = m_ranges.begin(); it != end; ++it) {
</ins><span class="cx">         if (it-&gt;fontData()-&gt;isLoading())
</span><span class="cx">             return true;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicsWOFFFileFormatcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/WOFFFileFormat.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/WOFFFileFormat.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/platform/graphics/WOFFFileFormat.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -200,7 +200,7 @@
</span><span class="cx">             uLongf destLen = tableOrigLength;
</span><span class="cx">             if (!sfnt.tryReserveCapacity(sfnt.size() + tableOrigLength))
</span><span class="cx">                 return false;
</span><del>-            Bytef* dest = reinterpret_cast&lt;Bytef*&gt;(sfnt.end());
</del><ins>+            Bytef* dest = reinterpret_cast&lt;Bytef*&gt;(getPtr(sfnt.end()));
</ins><span class="cx">             sfnt.grow(sfnt.size() + tableOrigLength);
</span><span class="cx">             if (uncompress(dest, &amp;destLen, reinterpret_cast&lt;const Bytef*&gt;(woff-&gt;data() + tableOffset), tableCompLength) != Z_OK)
</span><span class="cx">                 return false;
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicscairoGradientCairocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/cairo/GradientCairo.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/cairo/GradientCairo.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/platform/graphics/cairo/GradientCairo.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx">     else
</span><span class="cx">         m_gradient = cairo_pattern_create_linear(m_p0.x(), m_p0.y(), m_p1.x(), m_p1.y());
</span><span class="cx"> 
</span><del>-    Vector&lt;ColorStop&gt;::iterator stopIterator = m_stops.begin();
</del><ins>+    auto stopIterator = m_stops.begin();
</ins><span class="cx">     while (stopIterator != m_stops.end()) {
</span><span class="cx">         cairo_pattern_add_color_stop_rgba(m_gradient, stopIterator-&gt;stop,
</span><span class="cx">                                           stopIterator-&gt;red, stopIterator-&gt;green, stopIterator-&gt;blue,
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformimagedecodersgifGIFImageDecodercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -145,7 +145,7 @@
</span><span class="cx">     // always use ImageSource::clear(true, ...) to completely free the memory in
</span><span class="cx">     // this case.
</span><span class="cx">     clearBeforeFrame = std::min(clearBeforeFrame, m_frameBufferCache.size() - 1);
</span><del>-    const Vector&lt;ImageFrame&gt;::iterator end(m_frameBufferCache.begin() + clearBeforeFrame);
</del><ins>+    const auto end = m_frameBufferCache.begin() + clearBeforeFrame;
</ins><span class="cx"> 
</span><span class="cx">     // We need to preserve frames such that:
</span><span class="cx">     //   * We don't clear |end|
</span><span class="lines">@@ -165,14 +165,14 @@
</span><span class="cx">     //   * If the frame is partial, we're decoding it, so don't clear it; if it
</span><span class="cx">     //     has a disposal method other than DisposeOverwritePrevious, stop
</span><span class="cx">     //     scanning, as we'll only need this frame when decoding the next one.
</span><del>-    Vector&lt;ImageFrame&gt;::iterator i(end);
</del><ins>+    auto i = end;
</ins><span class="cx">     for (; (i != m_frameBufferCache.begin()) &amp;&amp; ((i-&gt;status() == ImageFrame::FrameEmpty) || (i-&gt;disposalMethod() == ImageFrame::DisposeOverwritePrevious)); --i) {
</span><span class="cx">         if ((i-&gt;status() == ImageFrame::FrameComplete) &amp;&amp; (i != end))
</span><span class="cx">             i-&gt;clearPixelData();
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Now |i| holds the last frame we need to preserve; clear prior frames.
</span><del>-    for (Vector&lt;ImageFrame&gt;::iterator j(m_frameBufferCache.begin()); j != i; ++j) {
</del><ins>+    for (auto j = m_frameBufferCache.begin(); j != i; ++j) {
</ins><span class="cx">         ASSERT(j-&gt;status() != ImageFrame::FramePartial);
</span><span class="cx">         if (j-&gt;status() != ImageFrame::FrameEmpty)
</span><span class="cx">             j-&gt;clearPixelData();
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderBoxcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderBox.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -1577,8 +1577,8 @@
</span><span class="cx">         context-&gt;beginTransparencyLayer(1);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    Vector&lt;const FillLayer*&gt;::const_reverse_iterator topLayer = layers.rend();
-    for (Vector&lt;const FillLayer*&gt;::const_reverse_iterator it = layers.rbegin(); it != topLayer; ++it)
</del><ins>+    auto topLayer = layers.rend();
+    for (auto it = layers.rbegin(); it != topLayer; ++it)
</ins><span class="cx">         paintFillLayer(paintInfo, c, *it, rect, bleedAvoidance, op, backgroundObject, baseBgColorUsage);
</span><span class="cx"> 
</span><span class="cx">     if (shouldDrawBackgroundInSeparateBuffer)
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingstyleGridResolvedPositioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/style/GridResolvedPosition.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/style/GridResolvedPosition.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/rendering/style/GridResolvedPosition.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -295,7 +295,7 @@
</span><span class="cx">     // already converted to an index in our grid representation (ie one was removed from the grid line to account for
</span><span class="cx">     // the side).
</span><span class="cx">     unsigned firstLineBeforePositionIndex = 0;
</span><del>-    const unsigned* firstLineBeforePosition = std::lower_bound(gridLines.begin(), gridLines.end(), position);
</del><ins>+    auto firstLineBeforePosition = std::lower_bound(gridLines.begin(), gridLines.end(), position);
</ins><span class="cx">     if (firstLineBeforePosition != gridLines.end()) {
</span><span class="cx">         if (*firstLineBeforePosition &gt; position &amp;&amp; firstLineBeforePosition != gridLines.begin())
</span><span class="cx">             --firstLineBeforePosition;
</span><span class="lines">@@ -316,9 +316,8 @@
</span><span class="cx"> 
</span><span class="cx"> std::unique_ptr&lt;GridSpan&gt; GridResolvedPosition::resolveRowEndColumnEndNamedGridLinePositionAgainstOppositePosition(const GridResolvedPosition&amp; resolvedOppositePosition, const GridPosition&amp; position, const Vector&lt;unsigned&gt;&amp; gridLines)
</span><span class="cx"> {
</span><del>-    ASSERT(gridLines.size());
</del><span class="cx">     unsigned firstLineAfterOppositePositionIndex = gridLines.size() - 1;
</span><del>-    const unsigned* firstLineAfterOppositePosition = std::upper_bound(gridLines.begin(), gridLines.end(), resolvedOppositePosition);
</del><ins>+    auto firstLineAfterOppositePosition = std::upper_bound(gridLines.begin(), gridLines.end(), resolvedOppositePosition);
</ins><span class="cx">     if (firstLineAfterOppositePosition != gridLines.end())
</span><span class="cx">         firstLineAfterOppositePositionIndex = firstLineAfterOppositePosition - gridLines.begin();
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoresvgSVGFontElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/svg/SVGFontElement.cpp (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/svg/SVGFontElement.cpp        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/svg/SVGFontElement.cpp        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -252,31 +252,31 @@
</span><span class="cx"> {
</span><span class="cx">     if (!g1.isEmpty() &amp;&amp; kerningMap.glyphMap.contains(g1)) {
</span><span class="cx">         SVGKerningVector* kerningVector = kerningMap.glyphMap.get(g1);
</span><del>-        SVGKerningVector::const_iterator it = kerningVector-&gt;end() - 1;
-        const SVGKerningVector::const_iterator begin = kerningVector-&gt;begin() - 1;
-        for (; it != begin; --it) {
-            if (matches(u2, g2, *it))
-                return it-&gt;kerning;
</del><ins>+        size_t it = kerningVector-&gt;size();
+        while (it-- &gt; 0) {
+            auto&amp; value = kerningVector-&gt;at(it);
+            if (matches(u2, g2, value))
+                return value.kerning;
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     if (!u1.isEmpty()) {
</span><span class="cx">         if (kerningMap.unicodeMap.contains(u1)) {
</span><span class="cx">             SVGKerningVector* kerningVector = kerningMap.unicodeMap.get(u1);
</span><del>-            SVGKerningVector::const_iterator it = kerningVector-&gt;end() - 1;
-            const SVGKerningVector::const_iterator begin = kerningVector-&gt;begin() - 1;
-            for (; it != begin; --it) {
-                if (matches(u2, g2, *it))
-                    return it-&gt;kerning;
</del><ins>+            size_t it = kerningVector-&gt;size();
+            while (it-- &gt; 0) {
+                auto&amp; value = kerningVector-&gt;at(it);
+                if (matches(u2, g2, value))
+                    return value.kerning;
</ins><span class="cx">             }
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (!kerningMap.kerningUnicodeRangeMap.isEmpty()) {
</span><del>-            Vector&lt;SVGKerningPair&gt;::const_iterator it = kerningMap.kerningUnicodeRangeMap.end() - 1;
-            const Vector&lt;SVGKerningPair&gt;::const_iterator begin = kerningMap.kerningUnicodeRangeMap.begin() - 1;
-            for (; it != begin; --it) {
-                if (matches(u1, u2, g2, *it))
-                    return it-&gt;kerning;
</del><ins>+            size_t it = kerningMap.kerningUnicodeRangeMap.size();
+            while (it-- &gt; 0) {
+                auto&amp; value = kerningMap.kerningUnicodeRangeMap[it];
+                if (matches(u1, u2, g2, value))
+                    return value.kerning;
</ins><span class="cx">             }
</span><span class="cx">         }
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceWebCoresvgSVGPathByteStreamh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/svg/SVGPathByteStream.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/svg/SVGPathByteStream.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/svg/SVGPathByteStream.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -60,8 +60,8 @@
</span><span class="cx">     void append(unsigned char byte) { m_data.append(byte); }
</span><span class="cx">     void append(SVGPathByteStream* other)
</span><span class="cx">     {
</span><del>-        for (DataIterator it = other-&gt;begin(); it != other-&gt;end(); ++it)
-            append(*it);
</del><ins>+        for (auto&amp; byte : *other)
+            append(byte);
</ins><span class="cx">     }
</span><span class="cx">     void clear() { m_data.clear(); }
</span><span class="cx">     bool isEmpty() const { return !m_data.size(); }
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXPathNodeSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XPathNodeSet.h (177283 => 177284)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XPathNodeSet.h        2014-12-15 18:02:46 UTC (rev 177283)
+++ trunk/Source/WebCore/xml/XPathNodeSet.h        2014-12-15 18:04:58 UTC (rev 177284)
</span><span class="lines">@@ -64,8 +64,8 @@
</span><span class="cx">             void markSubtreesDisjoint(bool disjoint) { m_subtreesAreDisjoint = disjoint; }
</span><span class="cx">             bool subtreesAreDisjoint() const { return m_subtreesAreDisjoint || m_nodes.size() &lt; 2; }
</span><span class="cx"> 
</span><del>-            const RefPtr&lt;Node&gt;* begin() const { return m_nodes.begin(); }
-            const RefPtr&lt;Node&gt;* end() const { return m_nodes.end(); }
</del><ins>+            const Vector&lt;RefPtr&lt;Node&gt;&gt;::iterator begin() const { return m_nodes.begin(); }
+            const Vector&lt;RefPtr&lt;Node&gt;&gt;::iterator end() const { return m_nodes.end(); }
</ins><span class="cx"> 
</span><span class="cx">         private:
</span><span class="cx">             void traversalSort() const;
</span></span></pre>
</div>
</div>

</body>
</html>