<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[193899] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/193899">193899</a></dd>
<dt>Author</dt> <dd>youenn.fablet@crf.canon.fr</dd>
<dt>Date</dt> <dd>2015-12-10 02:50:47 -0800 (Thu, 10 Dec 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>JSC Builtins should use safe array methods
https://bugs.webkit.org/show_bug.cgi?id=151501

Reviewed by Darin Adler.

Source/JavaScriptCore:

Adding @push and @shift to Array prototype.
Using @push in TypedArray built-in.

Covered by added test in LayoutTests/js/builtins

* builtins/TypedArray.prototype.js:
(filter):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
* runtime/CommonIdentifiers.h:

Source/WebCore:

Using @push and @shift in internal arrays in lieu of push and shift.
This cannot be disrupted by user scripts except if arrays are also made accessible to user scripts.

Covered by added tests for ReadableStream constructs.

* Modules/mediastream/RTCPeerConnectionInternals.js:
(runNext):
(enqueueOperation):
* Modules/streams/ReadableStreamInternals.js:
(enqueueInReadableStream):
(readFromReadableStreamReader):
* Modules/streams/StreamInternals.js:
(dequeueValue):
(enqueueValueWithSize):

LayoutTests:

Adding shielding test for TypedArray.prototype.filter and stream enqueuing of values and read promises.

* js/builtins/resources/shielding-typedarray.js: Added.
(Array.prototype.push):
(try.array.Int8Array.from.string_appeared_here.filter):
* js/builtins/shielding-typedarray-expected.txt: Added.
* js/builtins/shielding-typedarray.html: Added.
* streams/streams-promises-expected.txt:
* streams/streams-promises.html:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsstreamsstreamspromisesexpectedtxt">trunk/LayoutTests/streams/streams-promises-expected.txt</a></li>
<li><a href="#trunkLayoutTestsstreamsstreamspromiseshtml">trunk/LayoutTests/streams/streams-promises.html</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebuiltinsTypedArrayPrototypejs">trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypecpp">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonIdentifiersh">trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModulesmediastreamRTCPeerConnectionInternalsjs">trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js</a></li>
<li><a href="#trunkSourceWebCoreModulesstreamsReadableStreamInternalsjs">trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js</a></li>
<li><a href="#trunkSourceWebCoreModulesstreamsStreamInternalsjs">trunk/Source/WebCore/Modules/streams/StreamInternals.js</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li>trunk/LayoutTests/js/builtins/</li>
<li>trunk/LayoutTests/js/builtins/resources/</li>
<li><a href="#trunkLayoutTestsjsbuiltinsresourcesshieldingtypedarrayjs">trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js</a></li>
<li><a href="#trunkLayoutTestsjsbuiltinsshieldingtypedarrayexpectedtxt">trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsbuiltinsshieldingtypedarrayhtml">trunk/LayoutTests/js/builtins/shielding-typedarray.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/LayoutTests/ChangeLog        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2015-12-10  Youenn Fablet  &lt;youenn.fablet@crf.canon.fr&gt;
+
+        JSC Builtins should use safe array methods
+        https://bugs.webkit.org/show_bug.cgi?id=151501
+
+        Reviewed by Darin Adler.
+
+        Adding shielding test for TypedArray.prototype.filter and stream enqueuing of values and read promises.
+
+        * js/builtins/resources/shielding-typedarray.js: Added.
+        (Array.prototype.push):
+        (try.array.Int8Array.from.string_appeared_here.filter):
+        * js/builtins/shielding-typedarray-expected.txt: Added.
+        * js/builtins/shielding-typedarray.html: Added.
+        * streams/streams-promises-expected.txt:
+        * streams/streams-promises.html:
+
</ins><span class="cx"> 2015-12-10  Carlos Garcia Campos  &lt;cgarcia@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed. GTK+ gardening: skip HLS tests crashing in debug after r192102.
</span></span></pre></div>
<a id="trunkLayoutTestsjsbuiltinsresourcesshieldingtypedarrayjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js (0 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js                                (rev 0)
+++ trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+description(&quot;Test to ensure TypedArray filter is shielded from Array.prototype.push modifications&quot;);
+
+const ArrayPrototypePushBackup = Array.prototype.push;
+Array.prototype.push = function()
+{
+    testFailed(&quot;Int8Array.prototype.push should not be called by builtin code&quot;);
+    return ArrayPrototypePushBackup.apply(this, arguments);
+}
+
+try {
+    array = Int8Array.from(&quot;1234&quot;).filter(function(value) {
+        return value === 1;
+    });
+    shouldBeTrue(&quot;array.length === 1&quot;);
+}
+finally {
+    Array.prototype.push = ArrayPrototypePushBackup;
+}
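Review bot: the failure message in the push override names the wrong function. The method being replaced is Array.prototype.push, which is what the builtin `filter` would reach through its internal `kept` array, so the message should read "Array.prototype.push should not be called by builtin code" rather than "Int8Array.prototype.push ...". Also, `array` is assigned without a declaration so that shouldBeTrue("array.length === 1") can evaluate it as a global; a `var array;` at the top of the file would make that intent explicit.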
</ins></span></pre></div>
<a id="trunkLayoutTestsjsbuiltinsshieldingtypedarrayexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt (0 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt                                (rev 0)
+++ trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Test to ensure TypedArray filter is shielded from Array.prototype.push modifications
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS array.length === 1 is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsbuiltinsshieldingtypedarrayhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/builtins/shielding-typedarray.html (0 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/builtins/shielding-typedarray.html                                (rev 0)
+++ trunk/LayoutTests/js/builtins/shielding-typedarray.html        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;resources/shielding-typedarray.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsstreamsstreamspromisesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/streams/streams-promises-expected.txt (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/streams/streams-promises-expected.txt        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/LayoutTests/streams/streams-promises-expected.txt        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -9,4 +9,5 @@
</span><span class="cx"> PASS Streams should not directly use Number and related methods 
</span><span class="cx"> PASS Streams should not directly use ReadableStream public APIs 
</span><span class="cx"> PASS Streams should not directly use ReadableStreamReader read public API 
</span><ins>+PASS Streams should not directly use array public APIs 
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsstreamsstreamspromiseshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/streams/streams-promises.html (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/streams/streams-promises.html        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/LayoutTests/streams/streams-promises.html        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -149,4 +149,58 @@
</span><span class="cx">         assert_unreached(&quot;test should not throw&quot;);
</span><span class="cx">     }
</span><span class="cx"> }, 'Streams should not directly use ReadableStreamReader read public API');
</span><ins>+
+promise_test(function() {
+    const ArrayPushBackup = Array.prototype.push;
+    const ArrayShiftBackup = Array.prototype.shift;
+
+    // Use of testing variable to try not messing up testharness.js code.
+    // FIXME: this approach is far from perfect: push is used in case an assert fails.
+    // But cleanTest will not be called and we may end-up mask the real assertion failure by below assert_unreached messages.
+    // We might want to either improve testharness.js or  move these tests out of testharness.js.
+    let testing = true;
+    Array.prototype.push = function() {
+        if (testing) {
+            testing = false;
+            assert_unreached(&quot;Array.prototype.push called&quot;);
+        }
+        return ArrayPushBackup.apply(this, arguments);
+    }
+
+    Array.prototype.shift = function() {
+        if (testing) {
+            testing = false;
+            assert_unreached(&quot;Array.prototype.shift called&quot;);
+        }
+        return ArrayShiftBackup.call(this, arguments);
+    }
+
+    function cleanTest() {
+        Array.prototype.push = ArrayPushBackup;
+        Array.prototype.shift = ArrayShiftBackup;
+    }
+    try {
+        let _controller;
+        const reader = new ReadableStream({
+            start: function(controller) {
+                _controller = controller;
+            }
+        }).getReader();
+        // checking whether pushing/shifting pending read promises is shielded.
+        const readPromise = reader.read().then(function(result) {
+            assert_equals(result.value, &quot;half baked potato&quot;);
+            // checking whether pushing/shifting enqueued values is shielded.
+            _controller.enqueue(&quot;fully baked potato&quot;);
+            return reader.read().then(function(result) {
+                assert_equals(result.value, &quot;fully baked potato&quot;);
+                cleanTest();
+            }, cleanTest);
+        }, cleanTest);
+        _controller.enqueue(&quot;half baked potato&quot;);
+        return readPromise;
+    } catch (error) {
+        cleanTest();
+        return Promise.reject(error);
+    }
+}, 'Streams should not directly use array public APIs');
</ins><span class="cx"> &lt;/script&gt;
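Review bot: the shift override calls `ArrayShiftBackup.call(this, arguments)`, which passes the arguments object itself as a single argument. Array.prototype.shift ignores its arguments, so this is harmless, but it should be `ArrayShiftBackup.apply(this, arguments)` to match the push override a few lines above (or simply `.call(this)`). One thing the FIXME could state for readers: `testing` is cleared before `assert_unreached` throws, so testharness.js pushing into its own arrays while reporting that failure does not re-enter the override.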
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2015-12-10  Youenn Fablet  &lt;youenn.fablet@crf.canon.fr&gt;
+
+        JSC Builtins should use safe array methods
+        https://bugs.webkit.org/show_bug.cgi?id=151501
+
+        Reviewed by Darin Adler.
+
+        Adding @push and @shift to Array prototype.
+        Using @push in TypedArray built-in.
+
+        Covered by added test in LayoutTests/js/builtins
+
+        * builtins/TypedArray.prototype.js:
+        (filter):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::ArrayPrototype::finishCreation):
+        * runtime/CommonIdentifiers.h:
+
</ins><span class="cx"> 2015-12-08  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         FTL B3 should have basic GetById support
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebuiltinsTypedArrayPrototypejs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -258,7 +258,7 @@
</span><span class="cx">     for (var i = 0; i &lt; length; i++) {
</span><span class="cx">         var value = this[i];
</span><span class="cx">         if (callback.@call(thisArg, value, i, this))
</span><del>-            kept.push(value);
</del><ins>+            kept.@push(value);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // FIXME: This should be a species constructor.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -24,6 +24,7 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;ArrayPrototype.h&quot;
</span><span class="cx"> 
</span><ins>+#include &quot;BuiltinNames.h&quot;
</ins><span class="cx"> #include &quot;ButterflyInlines.h&quot;
</span><span class="cx"> #include &quot;CachedCall.h&quot;
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="lines">@@ -95,9 +96,11 @@
</span><span class="cx">     JSC_BUILTIN_FUNCTION(&quot;fill&quot;, arrayPrototypeFillCodeGenerator, DontEnum);
</span><span class="cx">     JSC_NATIVE_FUNCTION(vm.propertyNames-&gt;join, arrayProtoFuncJoin, DontEnum, 1);
</span><span class="cx">     JSC_NATIVE_INTRINSIC_FUNCTION(&quot;pop&quot;, arrayProtoFuncPop, DontEnum, 0, ArrayPopIntrinsic);
</span><del>-    JSC_NATIVE_INTRINSIC_FUNCTION(&quot;push&quot;, arrayProtoFuncPush, DontEnum, 1, ArrayPushIntrinsic);
</del><ins>+    JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames-&gt;builtinNames().pushPublicName(), arrayProtoFuncPush, DontEnum, 1, ArrayPushIntrinsic);
+    JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames-&gt;builtinNames().pushPrivateName(), arrayProtoFuncPush, DontEnum | DontDelete | ReadOnly, 1, ArrayPushIntrinsic);
</ins><span class="cx">     JSC_NATIVE_FUNCTION(&quot;reverse&quot;, arrayProtoFuncReverse, DontEnum, 0);
</span><del>-    JSC_NATIVE_FUNCTION(&quot;shift&quot;, arrayProtoFuncShift, DontEnum, 0);
</del><ins>+    JSC_NATIVE_FUNCTION(vm.propertyNames-&gt;builtinNames().shiftPublicName(), arrayProtoFuncShift, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(vm.propertyNames-&gt;builtinNames().shiftPrivateName(), arrayProtoFuncShift, DontEnum | DontDelete | ReadOnly, 0);
</ins><span class="cx">     JSC_NATIVE_FUNCTION(vm.propertyNames-&gt;slice, arrayProtoFuncSlice, DontEnum, 2);
</span><span class="cx">     JSC_BUILTIN_FUNCTION(&quot;sort&quot;, arrayPrototypeSortCodeGenerator, DontEnum);
</span><span class="cx">     JSC_NATIVE_FUNCTION(&quot;splice&quot;, arrayProtoFuncSplice, DontEnum, 2);
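Review bot: nothing in this block says why push and shift are now registered twice; a short comment would help future readers. The public names keep DontEnum only, so scripts can still replace Array.prototype.push and shift, while the pushPrivateName()/shiftPrivateName() entries are DontEnum | DontDelete | ReadOnly and are what builtins reach through `@push`/`@shift`. Both push entries reuse arrayProtoFuncPush and ArrayPushIntrinsic, so the private call keeps the same intrinsic treatment as the public one.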
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonIdentifiersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -316,11 +316,13 @@
</span><span class="cx">     macro(promiseFulfillReactions) \
</span><span class="cx">     macro(promiseRejectReactions) \
</span><span class="cx">     macro(promiseResult) \
</span><ins>+    macro(push) \
</ins><span class="cx">     macro(capabilities) \
</span><span class="cx">     macro(starDefault) \
</span><span class="cx">     macro(InspectorInstrumentation) \
</span><span class="cx">     macro(get) \
</span><span class="cx">     macro(set) \
</span><ins>+    macro(shift) \
</ins><span class="cx">     macro(allocateTypedArray) \
</span><span class="cx">     macro(Int8Array) \
</span><span class="cx">     macro(Int16Array) \
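Review bot: style point: `push` and `shift` are added at two unrelated spots in the macro list (after promiseResult and after set). Placing them next to each other would make the pair easier to find and keep them in step with the two registrations in ArrayPrototype.cpp.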
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/ChangeLog        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2015-12-10  Youenn Fablet  &lt;youenn.fablet@crf.canon.fr&gt;
+
+        JSC Builtins should use safe array methods
+        https://bugs.webkit.org/show_bug.cgi?id=151501
+
+        Reviewed by Darin Adler.
+
+        Using @push and @shift in internal arrays in lieu of push and shift.
+        This cannot be disrupted by user scripts except if arrays are also made accessible to user scripts.
+
+        Covered by added tests for ReadableStream constructs.
+
+        * Modules/mediastream/RTCPeerConnectionInternals.js:
+        (runNext):
+        (enqueueOperation):
+        * Modules/streams/ReadableStreamInternals.js:
+        (enqueueInReadableStream):
+        (readFromReadableStreamReader):
+        * Modules/streams/StreamInternals.js:
+        (dequeueValue):
+        (enqueueValueWithSize):
+
</ins><span class="cx"> 2015-12-10  Zan Dobersek  &lt;zdobersek@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [TexMap] pixel coverage multiplication in TiledBackingStore can overflow
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesmediastreamRTCPeerConnectionInternalsjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -42,13 +42,13 @@
</span><span class="cx">     var operations = peerConnection.@operations;
</span><span class="cx"> 
</span><span class="cx">     function runNext() {
</span><del>-        operations.shift();
</del><ins>+        operations.@shift();
</ins><span class="cx">         if (operations.length)
</span><span class="cx">             operations[0]();
</span><span class="cx">     };
</span><span class="cx"> 
</span><span class="cx">     return new @Promise(function (resolve, reject) {
</span><del>-        operations.push(function() {
</del><ins>+        operations.@push(function() {
</ins><span class="cx">             operation().then(resolve, reject).then(runNext, runNext);
</span><span class="cx">         });
</span><span class="cx"> 
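Review bot: `operations.length` and `operations[0]()` in runNext are own-property reads on the array, so they are not reachable through Array.prototype and need no private-name equivalent; only the `shift` and `push` calls did. While touching runNext, the stray `;` after the function declaration's closing brace (`};`) could be dropped.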
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesstreamsReadableStreamInternalsjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -315,7 +315,7 @@
</span><span class="cx">     if (stream.@state === @streamClosed)
</span><span class="cx">         return;
</span><span class="cx">     if (@isReadableStreamLocked(stream) &amp;&amp; stream.@reader.@readRequests.length) {
</span><del>-        stream.@reader.@readRequests.shift().@resolve.@call(undefined, {value: chunk, done: false});
</del><ins>+        stream.@reader.@readRequests.@shift().@resolve.@call(undefined, {value: chunk, done: false});
</ins><span class="cx">         @requestReadableStreamPull(stream);
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="lines">@@ -356,7 +356,7 @@
</span><span class="cx">         return @Promise.@resolve({value: chunk, done: false});
</span><span class="cx">     }
</span><span class="cx">     const readPromiseCapability = @newPromiseCapability(@Promise);
</span><del>-    reader.@readRequests.push(readPromiseCapability);
</del><ins>+    reader.@readRequests.@push(readPromiseCapability);
</ins><span class="cx">     @requestReadableStreamPull(stream);
</span><span class="cx">     return readPromiseCapability.@promise;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesstreamsStreamInternalsjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/streams/StreamInternals.js (193898 => 193899)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/streams/StreamInternals.js        2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/Modules/streams/StreamInternals.js        2015-12-10 10:50:47 UTC (rev 193899)
</span><span class="lines">@@ -99,7 +99,7 @@
</span><span class="cx"> {
</span><span class="cx">     &quot;use strict&quot;;
</span><span class="cx"> 
</span><del>-    const record = queue.content.shift();
</del><ins>+    const record = queue.content.@shift();
</ins><span class="cx">     queue.size -= record.size;
</span><span class="cx">     return record.value;
</span><span class="cx"> }
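Review bot: dequeueValue still has no guard for an empty queue: `queue.content.@shift()` on an empty array returns undefined and `record.size` then throws a TypeError. If every caller is expected to check `queue.content.length` first, an assertion here would document that contract; otherwise an explicit length check is needed before the shift.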
</span><span class="lines">@@ -111,7 +111,7 @@
</span><span class="cx">     size = @Number(size);
</span><span class="cx">     if (!@isFinite(size) || size &lt; 0)
</span><span class="cx">         throw new @RangeError(&quot;size has an incorrect value&quot;);
</span><del>-    queue.content.push({ value: value, size: size });
</del><ins>+    queue.content.@push({ value: value, size: size });
</ins><span class="cx">     queue.size += size;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre>
</div>
</div>

</body>
</html>