<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[214815] releases/WebKitGTK/webkit-2.16</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/214815">214815</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-04-03 10:29:09 -0700 (Mon, 03 Apr 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/214714">r214714</a> - Object with numerical keys with gaps gets filled by NaN values
https://bugs.webkit.org/show_bug.cgi?id=164412
Reviewed by Mark Lam.
This patch fixes issue when object have two properties
with name as number. The issue appears when during invoking
convertDoubleToArrayStorage, array is filled by pNaN and
method converting it to real NaN. This happeneds because a
pNaN in a Double array is a hole, and Double arrays cannot
have NaN values. To fix issue we need to check value and
clear it if it pNaN.
Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::convertDoubleToArrayStorage):
JSTests:
* stress/object-number-properties.js: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit216JSTestsChangeLog">releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit216SourceJavaScriptCoreruntimeJSObjectcpp">releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit216JSTestsstressobjectnumberpropertiesjs">releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit216JSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog (214814 => 214815)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog 2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog 2017-04-03 17:29:09 UTC (rev 214815)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2017-04-01 Oleksandr Skachkov <gskachkov@gmail.com>
+
+ Object with numerical keys with gaps gets filled by NaN values
+ https://bugs.webkit.org/show_bug.cgi?id=164412
+
+ Reviewed by Merk Lam.
+
+ * stress/object-number-properties.js: Added.
+ (assert):
+ (boo):
+
</ins><span class="cx"> 2017-03-23 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> [JSC] Use jsNontrivialString agressively for ToString(Int52)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216JSTestsstressobjectnumberpropertiesjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js (0 => 214815)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js (rev 0)
+++ releases/WebKitGTK/webkit-2.16/JSTests/stress/object-number-properties.js 2017-04-03 17:29:09 UTC (rev 214815)
</span><span class="lines">@@ -0,0 +1,82 @@
</span><ins>+function assert(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var priceRanges = {
+ "1": 0.6,
+ "100": 0.45,
+ "250": 0.3,
+ "2000": 0.28
+};
+
+assert(Object.keys(priceRanges).length, 4);
+assert(Object.values(priceRanges).length, 4);
+assert(priceRanges[1], 0.6);
+assert(priceRanges[100], 0.45);
+assert(priceRanges[250], 0.3);
+assert(priceRanges[2000], 0.28);
+
+var ranges = {
+ "250" : 0.5,
+ "1000": 0.1
+};
+
+assert(Object.keys(ranges).length, 2);
+assert(Object.values(ranges).length, 2);
+assert(ranges[250], 0.5);
+assert(ranges[1000], 0.1);
+
+var r = {};
+
+r[250] = 0.1;
+r[1001] = 0.5;
+
+assert(Object.keys(r).length, 2);
+assert(Object.values(ranges).length, 2);
+
+assert(r[250], 0.1);
+assert(r[1001], 0.5);
+
+var foo = {};
+
+foo[100] = NaN;
+foo[250] = 0.1;
+foo[260] = NaN;
+foo[1000] = 0.5;
+
+assert(Object.keys(foo).length, 4);
+assert(Object.values(foo).length, 4);
+assert(isNaN(foo[100]), true);
+assert(foo[250], 0.1);
+assert(isNaN(foo[260]), true);
+assert(foo[1000], 0.5);
+
+var boo = function () {
+ return {
+ "250": 0.2,
+ "1000": 0.1
+ };
+};
+
+for (var i = 0; i < 10000; i++) {
+ const b = boo();
+ const keys = Object.keys(b);
+ const values = Object.values(b);
+
+ assert(keys.length, 2);
+ assert(values.length, 2);
+
+ assert(b[keys[0]], values[0]);
+ assert(b[keys[1]], values[1]);
+}
+
+var baz = {
+ "250": "A",
+ "1001": "B"
+};
+
+assert(Object.keys(baz).length, 2);
+assert(Object.values(baz).length, 2);
+assert(baz[250], "A");
+assert(baz[1001], "B");
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog (214814 => 214815)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog 2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog 2017-04-03 17:29:09 UTC (rev 214815)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2017-04-01 Oleksandr Skachkov <gskachkov@gmail.com>
+
+ Object with numerical keys with gaps gets filled by NaN values
+ https://bugs.webkit.org/show_bug.cgi?id=164412
+
+ Reviewed by Mark Lam.
+
+ This patch fixes issue when object have two properties
+ with name as number. The issue appears when during invoking
+ convertDoubleToArrayStorage, array is filled by pNaN and
+ method converting it to real NaN. This happeneds because a
+ pNaN in a Double array is a hole, and Double arrays cannot
+ have NaN values. To fix issue we need to check value and
+ clear it if it pNaN.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::convertDoubleToArrayStorage):
+
</ins><span class="cx"> 2017-03-31 Mark Lam <mark.lam@apple.com>
</span><span class="cx">
</span><span class="cx"> Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit216SourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp (214814 => 214815)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp 2017-04-03 17:24:23 UTC (rev 214814)
+++ releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp 2017-04-03 17:29:09 UTC (rev 214815)
</span><span class="lines">@@ -1288,9 +1288,12 @@
</span><span class="cx"> Butterfly* butterfly = m_butterfly.get();
</span><span class="cx"> for (unsigned i = 0; i < vectorLength; i++) {
</span><span class="cx"> double value = butterfly->contiguousDouble()[i];
</span><ins>+ if (value != value) {
+ newStorage->m_vector[i].clear();
+ continue;
+ }
</ins><span class="cx"> newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
</span><del>- if (value == value)
- newStorage->m_numValuesInVector++;
</del><ins>+ newStorage->m_numValuesInVector++;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> StructureID oldStructureID = this->structureID();
</span></span></pre>
</div>
</div>
</body>
</html>