delta/qt5/qtwebkit.git/Source/JavaScriptCore/runtime, branch 5.9.1 code.qt.io: qt/qtwebkit.git Fix compilation with ICU 59 2017-06-16T12:46:36+00:00 Konstantin Tokarev annulen@yandex.ru 2017-05-04T12:12:37+00:00 bf172ae289a1348842005a9421797970f9b72060 Upstream fix: https://bugs.webkit.org/show_bug.cgi?id=171612 Task-number: QTBUG-60532 Change-Id: I6014feea213aa70ebe40b09d9d1a03fd1ed3c843 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> 
Upstream fix: https://bugs.webkit.org/show_bug.cgi?id=171612

Task-number: QTBUG-60532
Change-Id: I6014feea213aa70ebe40b09d9d1a03fd1ed3c843
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Merge remote-tracking branch 'origin/5.4' into 5.5 2015-03-10T13:46:25+00:00 Allan Sandfeld Jensen allan.jensen@theqtcompany.com 2015-03-10T13:45:46+00:00 1ee472207c63905ab4455e676ee3ffd3263ab2cb Change-Id: I824a984e8552340c2f9f631ac951f2c9eaa90b74 
Change-Id: I824a984e8552340c2f9f631ac951f2c9eaa90b74
Fix two gcc 5.0 warnings 2015-03-06T10:58:10+00:00 Allan Sandfeld Jensen allan.jensen@theqtcompany.com 2015-03-06T10:38:49+00:00 5160ca54bb01b1d7bb0e6b359aa3d475df22e6f0 Improved warnings in gcc 5.0 has exposed some unclear expressions. Change-Id: I2c269528f6246319dab1a83d929d55c8d8e5a17d Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com> 
Improved warnings in gcc 5.0 has exposed some unclear expressions.

Change-Id: I2c269528f6246319dab1a83d929d55c8d8e5a17d
Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
Fix g++ 5.0 build 2015-03-06T10:57:54+00:00 Allan Sandfeld Jensen allan.jensen@theqtcompany.com 2015-03-06T10:20:13+00:00 650c6ee8e76bb574d3a1bea09e2494992d8f070e A non-inline template needs to be explicitly instantiated if used outside the object where it is declared. Patch suggested by Khem Raj. Task-number: QTBUG-44829 Change-Id: Ib0adbd9273bd1cef01e5863bc8aaa9c373022792 Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com> 
A non-inline template needs to be explicitly instantiated if used
outside the object where it is declared.

Patch suggested by Khem Raj.

Task-number: QTBUG-44829
Change-Id: Ib0adbd9273bd1cef01e5863bc8aaa9c373022792
Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
Merge remote-tracking branch 'origin/5.3' into 5.4 2014-10-14T12:08:44+00:00 Frederik Gladhorn frederik.gladhorn@theqtcompany.com 2014-10-14T12:08:44+00:00 5a45e3b78724563f05d62569d8ed31adc4ffd342 Change-Id: I509f0440296df39aece8133382aacc43a4e05f99 
Change-Id: I509f0440296df39aece8133382aacc43a4e05f99
Fix valgrind warning about uninitialized access 2014-10-06T15:31:36+00:00 Allan Sandfeld Jensen allan.jensen@digia.com 2014-10-06T15:12:05+00:00 ee0fcd2acc8ad5a300ed4e25880ccb95e704d3a6 A default cache-entry has a null String and an uninitialized key. We should therefore only try to use the key if the String is not null. Change-Id: Icd6819b96b9b650305cf0611b6b2978c07dc9196 Reviewed-by: Michael Bruning <michael.bruning@digia.com> 
A default cache-entry has a null String and an uninitialized key. We
should therefore only try to use the key if the String is not null.

Change-Id: Icd6819b96b9b650305cf0611b6b2978c07dc9196
Reviewed-by: Michael Bruning <michael.bruning@digia.com>
(un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole 2014-09-30T15:48:46+00:00 Mark Hahnenberg mhahnenberg@apple.com 2014-09-29T16:13:42+00:00 4d767a25f6169648580c4435cb5b7366e7ff5ee0 https://bugs.webkit.org/show_bug.cgi?id=121717 Reviewed by Oliver Hunt. Source/JavaScriptCore: This bug caused the array to become corrupted. We now check for holes before we start moving things, and start moving things only once we've determined that there are none. * runtime/JSArray.cpp: (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::unshiftCountWithAnyIndexingType): Change-Id: I9948bfa2c9b4a345076f7f2b4e50a566f521b6fe git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156214 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com> 
https://bugs.webkit.org/show_bug.cgi?id=121717

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

This bug caused the array to become corrupted. We now check for holes before we start moving things,
and start moving things only once we've determined that there are none.

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):

Change-Id: I9948bfa2c9b4a345076f7f2b4e50a566f521b6fe
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156214 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
compileMakeRope does not emit necessary bounds checks 2014-09-26T12:02:28+00:00 Filip Pizlo fpizlo@apple.com 2014-09-25T09:29:50+00:00 cf26dce826a7a6a2d14735c193c53b9103c4a369 https://bugs.webkit.org/show_bug.cgi?id=130684 <rdar://problem/16398388> Reviewed by Oliver Hunt. Add string length bounds checks in a bunch of places. We should never allow a string to have a length greater than 2^31-1 because it's not clear that the language has semantics for it and because there is code that assumes that this cannot happen. Also add a bunch of tests to that effect to cover the various ways in which this was previously allowed to happen. * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileMakeRope): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMakeRope): * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand): * runtime/JSString.h: (JSC::JSString::create): (JSC::JSRopeString::RopeBuilder::append): (JSC::JSRopeString::RopeBuilder::release): (JSC::JSRopeString::append): * runtime/Operations.h: (JSC::jsString): (JSC::jsStringFromRegisterArray): (JSC::jsStringFromArguments): * runtime/StringPrototype.cpp: (JSC::stringProtoFuncIndexOf): (JSC::stringProtoFuncSlice): (JSC::stringProtoFuncSubstring): (JSC::stringProtoFuncToLowerCase): * tests/stress/make-large-string-jit-strcat.js: Added. (foo): * tests/stress/make-large-string-jit.js: Added. (foo): * tests/stress/make-large-string-strcat.js: Added. * tests/stress/make-large-string.js: Added. Change-Id: If01dd2a2d2daa3d209eddf0213d2b391e94f54a0 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167336 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com> 
https://bugs.webkit.org/show_bug.cgi?id=130684
<rdar://problem/16398388>

Reviewed by Oliver Hunt.

Add string length bounds checks in a bunch of places. We should never allow a string
to have a length greater than 2^31-1 because it's not clear that the language has
semantics for it and because there is code that assumes that this cannot happen.

Also add a bunch of tests to that effect to cover the various ways in which this was
previously allowed to happen.

* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMakeRope):
* runtime/JSString.cpp:
(JSC::JSRopeString::RopeBuilder::expand):
* runtime/JSString.h:
(JSC::JSString::create):
(JSC::JSRopeString::RopeBuilder::append):
(JSC::JSRopeString::RopeBuilder::release):
(JSC::JSRopeString::append):
* runtime/Operations.h:
(JSC::jsString):
(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
* tests/stress/make-large-string-jit-strcat.js: Added.
(foo):
* tests/stress/make-large-string-jit.js: Added.
(foo):
* tests/stress/make-large-string-strcat.js: Added.
* tests/stress/make-large-string.js: Added.

Change-Id: If01dd2a2d2daa3d209eddf0213d2b391e94f54a0
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167336 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
<https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption 2014-09-25T16:15:52+00:00 Mark Hahnenberg mhahnenberg@apple.com 2014-09-25T09:46:15+00:00 3a51e3ee766490fe6f9ab9511d19e16f75e07db8 Reviewed by Oliver Hunt. When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace. Instead, after we flatten a dictionary, if properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later. This patch does this clearing, and it also adds JSObject::checkStructure, which overrides JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check that the number of bytes reported to SlotVisitor::copyLater is non-zero. * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::copyLater): * runtime/JSObject.cpp: (JSC::JSObject::notifyPresenceOfIndexedAccessors): (JSC::JSObject::convertUndecidedToInt32): (JSC::JSObject::convertUndecidedToDouble): (JSC::JSObject::convertUndecidedToContiguous): (JSC::JSObject::convertInt32ToDouble): (JSC::JSObject::convertInt32ToContiguous): (JSC::JSObject::genericConvertDoubleToContiguous): (JSC::JSObject::switchToSlowPutArrayStorage): (JSC::JSObject::setPrototype): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::seal): (JSC::JSObject::freeze): (JSC::JSObject::preventExtensions): (JSC::JSObject::reifyStaticFunctionsForDelete): (JSC::JSObject::removeDirect): * runtime/JSObject.h: (JSC::JSObject::setButterfly): (JSC::JSObject::putDirectInternal): (JSC::JSObject::setStructure): (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): * runtime/Structure.cpp: (JSC::Structure::flattenDictionaryStructure): Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com> 
Reviewed by Oliver Hunt.

When we flatten an object in dictionary mode, we compact its properties. If the object
had out-of-line storage in the form of a Butterfly prior to this compaction, and after
compaction its properties fit inline, the object's Structure "forgets" that the object
has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
with bytes = 0, which causes all sorts of badness in CopiedSpace.

Instead, after we flatten a dictionary, if properties fit inline we should clear the
Butterfly pointer so that the GC doesn't get confused later.

This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
that the number of bytes reported to SlotVisitor::copyLater is non-zero.

* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/JSObject.cpp:
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::genericConvertDoubleToContiguous):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::setPrototype):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::seal):
(JSC::JSObject::freeze):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::JSObject::removeDirect):
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructure):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it 2014-03-07T15:18:10+00:00 Mark Hahnenberg mhahnenberg@apple.com 2014-03-06T14:21:56+00:00 8a808a34c08d4e0ca109606dd8751b0d1fe53afd https://bugs.webkit.org/show_bug.cgi?id=120278 Reviewed by Geoffrey Garen. Source/JavaScriptCore: * runtime/JSObject.cpp: (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): Change-Id: I034d6950683304d08a4e076d58fb1b999ade444b git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com> 
https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

Change-Id: I034d6950683304d08a4e076d58fb1b999ade444b
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>