authorFrederik Gladhorn <frederik.gladhorn@digia.com>2013-05-23 13:14:13 +0200
committerFrederik Gladhorn <frederik.gladhorn@digia.com>2013-05-23 13:14:14 +0200
commita5b43f4f03d88d0fca8fb4531f49d1fecff582b7 (patch)
tree59c92f012966a40ee7087e8817726cadcb73d9ea /Source/JavaScriptCore/runtime
parent276fb8ee82394b8fe414196677ce6af4028c5652 (diff)
parentd7fff220c897ab0eebcd6ca8087efd4b9477beb9 (diff)
downloadqtwebkit-a5b43f4f03d88d0fca8fb4531f49d1fecff582b7.tar.gz
Merge remote-tracking branch 'origin/stable' into dev
Change-Id: Ibe8c6167bf9d9b6bd689b93ed7f5b94cdbd73ba7
Diffstat (limited to 'Source/JavaScriptCore/runtime')
-rw-r--r--Source/JavaScriptCore/runtime/Executable.cpp4
-rw-r--r--Source/JavaScriptCore/runtime/JSArray.cpp24
-rw-r--r--Source/JavaScriptCore/runtime/JSArray.h4
-rw-r--r--Source/JavaScriptCore/runtime/JSObject.h1
-rw-r--r--Source/JavaScriptCore/runtime/Options.h1
5 files changed, 26 insertions, 8 deletions
diff --git a/Source/JavaScriptCore/runtime/Executable.cpp b/Source/JavaScriptCore/runtime/Executable.cpp
index 746e281e3..ff4c2ff76 100644
--- a/Source/JavaScriptCore/runtime/Executable.cpp
+++ b/Source/JavaScriptCore/runtime/Executable.cpp
@@ -522,7 +522,7 @@ JSObject* FunctionExecutable::compileForCallInternal(ExecState* exec, JSScope* s
UNUSED_PARAM(bytecodeIndex);
#endif
ASSERT((jitType == JITCode::bottomTierJIT()) == !m_codeBlockForCall);
- JSObject* exception;
+ JSObject* exception = 0;
OwnPtr<FunctionCodeBlock> newCodeBlock = produceCodeBlockFor(scope, CodeForCall, exception);
if (!newCodeBlock)
return exception;
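Review bot: With `exception` now initialised to null, the `return exception;` on the last line of this hunk can hand back a null JSObject* whenever produceCodeBlockFor() fails without recording an exception, and nothing in the hunk shows how callers of compileForCallInternal tell that apart from a real exception object. If a null return is the intended "failed without throwing" signal it deserves a comment at the declaration, e.g. `// Left null when produceCodeBlockFor fails without raising; callers must check the result for null.` The same pattern appears in the compileForConstructInternal hunk below. compileForCallInternal starts before this hunk and its body continues after it.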
@@ -558,7 +558,7 @@ JSObject* FunctionExecutable::compileForConstructInternal(ExecState* exec, JSSco
#endif
ASSERT((jitType == JITCode::bottomTierJIT()) == !m_codeBlockForConstruct);
- JSObject* exception;
+ JSObject* exception = 0;
OwnPtr<FunctionCodeBlock> newCodeBlock = produceCodeBlockFor(scope, CodeForConstruct, exception);
if (!newCodeBlock)
return exception;
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 4ba5cc2bd..c742804f7 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -1347,7 +1347,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
// Iterate over the array, ignoring missing values, counting undefined ones, and inserting all other ones into the tree.
for (; numDefined < usedVectorLength; ++numDefined) {
- if (numDefined > m_butterfly->vectorLength())
+ if (numDefined >= m_butterfly->vectorLength())
break;
JSValue v = getHolyIndexQuickly(numDefined);
if (!v || v.isUndefined())
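Review bot: The corrected `>=` bound is re-evaluated on every iteration and the identical guard is repeated in the second sortVector hunk; clamping the scan limit once, e.g. `unsigned scanLength = std::min(usedVectorLength, m_butterfly->vectorLength());` and looping to `scanLength`, would express the relationship between usedVectorLength and vectorLength in one place and remove both in-loop breaks. Whether usedVectorLength can legitimately exceed vectorLength here is not visible in the hunk, so a one-line comment stating that invariant where the limit is computed would help the next reader. sortVector begins before this hunk.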
@@ -1356,7 +1356,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
tree.insert(numDefined);
}
for (unsigned i = numDefined; i < usedVectorLength; ++i) {
- if (i > m_butterfly->vectorLength())
+ if (i >= m_butterfly->vectorLength())
break;
JSValue v = getHolyIndexQuickly(i);
if (v) {
@@ -1384,6 +1384,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
iter.start_iter_least(tree);
JSGlobalData& globalData = exec->globalData();
for (unsigned i = 0; i < elementsToExtractThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
if (structure()->indexingType() == ArrayWithDouble)
butterfly()->contiguousDouble()[i] = tree.abstractor().m_nodes[*iter].value.asNumber();
else
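Review bot: The `ASSERT(i < butterfly()->vectorLength())` added before the write through contiguousDouble() on the next line is compiled out in release builds, so it documents the invariant but does not stop an out-of-range write there; the runtime protection in this commit comes from the `>=` fixes in the two sortVector hunks above and the QNaN fill in JSArray.h, and that division of labour is worth stating next to the asserts, e.g. `// Debug-only: the bound itself is enforced by the scan loops above.` The same applies to the ASSERTs added in the remaining sortVector hunk, in copyToArguments, in every compactForSorting hunk, and in getHolyIndexQuickly in JSObject.h. If the tree provides an assertion form that remains active in release builds, the writes through contiguousDouble() and currentIndexingData() are the places where it would earn its cost. sortVector continues outside this hunk.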
@@ -1398,12 +1399,15 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
break;
default:
- for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i)
+ for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
currentIndexingData()[i].setUndefined();
+ }
}
// Ensure that unused values in the vector are zeroed out.
for (unsigned i = undefinedElementsThreshold; i < clearElementsThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
if (structure()->indexingType() == ArrayWithDouble)
butterfly()->contiguousDouble()[i] = QNaN;
else
@@ -1533,6 +1537,7 @@ void JSArray::copyToArguments(ExecState* exec, CallFrame* callFrame, uint32_t le
vector = 0;
vectorEnd = 0;
for (; i < m_butterfly->publicLength(); ++i) {
+ ASSERT(i < butterfly()->vectorLength());
double v = m_butterfly->contiguousDouble()[i];
if (v != v)
break;
@@ -1578,6 +1583,7 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
unsigned numUndefined = 0;
for (; numDefined < myRelevantLength; ++numDefined) {
+ ASSERT(numDefined < m_butterfly->vectorLength());
if (indexingType == ArrayWithInt32) {
JSValue v = m_butterfly->contiguousInt32()[numDefined].get();
if (!v)
@@ -1597,11 +1603,13 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
}
for (unsigned i = numDefined; i < myRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
if (indexingType == ArrayWithInt32) {
JSValue v = m_butterfly->contiguousInt32()[i].get();
if (!v)
continue;
ASSERT(v.isInt32());
+ ASSERT(numDefined < m_butterfly->vectorLength());
m_butterfly->contiguousInt32()[numDefined++].setWithoutWriteBarrier(v);
continue;
}
@@ -1609,6 +1617,7 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
double v = m_butterfly->contiguousDouble()[i];
if (v != v)
continue;
+ ASSERT(numDefined < m_butterfly->vectorLength());
m_butterfly->contiguousDouble()[numDefined++] = v;
continue;
}
@@ -1616,8 +1625,10 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
if (v) {
if (v.isUndefined())
++numUndefined;
- else
+ else {
+ ASSERT(numDefined < m_butterfly->vectorLength());
indexingData<indexingType>()[numDefined++].setWithoutWriteBarrier(v);
+ }
}
}
@@ -1633,11 +1644,14 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
break;
default:
- for (unsigned i = numDefined; i < newRelevantLength; ++i)
+ for (unsigned i = numDefined; i < newRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
indexingData<indexingType>()[i].setUndefined();
+ }
break;
}
for (unsigned i = newRelevantLength; i < myRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
if (indexingType == ArrayWithDouble)
m_butterfly->contiguousDouble()[i] = QNaN;
else
diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index ea1ed9047..cef3b53ad 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -245,6 +245,10 @@ inline JSArray* JSArray::tryCreateUninitialized(JSGlobalData& globalData, Struct
butterfly = Butterfly::fromBase(temp, 0, 0);
butterfly->setVectorLength(vectorLength);
butterfly->setPublicLength(initialLength);
+ if (hasDouble(structure->indexingType())) {
+ for (unsigned i = initialLength; i < vectorLength; ++i)
+ butterfly->contiguousDouble()[i] = QNaN;
+ }
} else {
void* temp;
if (!globalData.heap.tryAllocateStorage(Butterfly::totalSize(0, 0, true, ArrayStorage::sizeFor(vectorLength)), &temp))
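Review bot: The new QNaN fill covers only double storage; for the other indexing types the slots between initialLength and vectorLength are still left uninitialised, which matches the function's name but should be stated, because elsewhere in this commit (the `v != v` test in copyToArguments, the QNaN clears in compactForSorting) a NaN is treated as the hole marker while an uninitialised JSValue slot has no such marker. A comment above the new `if`, e.g. `// Double storage uses NaN as its hole marker, so the unused tail must be NaN rather than garbage; other indexing types are left for the caller to fill.`, would capture that. tryCreateUninitialized starts before this hunk and continues after it.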
diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
index 957ba8227..428e51f3c 100644
--- a/Source/JavaScriptCore/runtime/JSObject.h
+++ b/Source/JavaScriptCore/runtime/JSObject.h
@@ -862,6 +862,7 @@ protected:
JSValue getHolyIndexQuickly(unsigned i)
{
+ ASSERT(i < m_butterfly->vectorLength());
switch (structure()->indexingType()) {
case ALL_INT32_INDEXING_TYPES:
case ALL_CONTIGUOUS_INDEXING_TYPES:
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index 5ad30bde3..bf4a0cf75 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -117,7 +117,6 @@ namespace JSC {
v(double, structureCheckVoteRatioForHoisting, 1) \
\
v(unsigned, minimumNumberOfScansBetweenRebalance, 100) \
- v(unsigned, gcMarkStackSegmentSize, pageSize()) \
v(unsigned, numberOfGCMarkers, computeNumberOfGCMarkers(7)) \
v(unsigned, opaqueRootMergeThreshold, 1000) \
v(double, minHeapUtilization, 0.8) \