2007-04-19 Mark Rowe <mrowe@apple.com>
authorbdash <bdash@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Apr 2007 14:02:25 +0000 (14:02 +0000)
committerbdash <bdash@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Apr 2007 14:02:25 +0000 (14:02 +0000)
        Reviewed by Darin.

        Fix http://bugs.webkit.org/show_bug.cgi?id=13401
        Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
        a sort comparison function

        * kjs/array_object.cpp:
        (ArrayInstance::sort): Save/restore the static variables around calls to qsort
        to ensure nested calls to ArrayInstance::sort behave correctly.

2007-04-19  Mark Rowe  <mrowe@apple.com>

        Reviewed by Darin.

        Test for http://bugs.webkit.org/show_bug.cgi?id=13401
        Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
        a sort comparison function

        * fast/js/array-sort-reentrance-expected.txt: Added.
        * fast/js/array-sort-reentrance.html: Added.
        * fast/js/resources/array-sort-reentrance.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@20949 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/kjs/array_object.cpp
LayoutTests/ChangeLog
LayoutTests/fast/js/array-sort-reentrance-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/array-sort-reentrance.html [new file with mode: 0644]
LayoutTests/fast/js/resources/array-sort-reentrance.js [new file with mode: 0644]

index 4d55a72..b1a01a5 100644 (file)
@@ -1,3 +1,15 @@
+2007-04-19  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Darin.
+
+        Fix http://bugs.webkit.org/show_bug.cgi?id=13401
+        Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
+        a sort comparison function
+
+        * kjs/array_object.cpp:
+        (ArrayInstance::sort): Save/restore the static variables around calls to qsort
+        to ensure nested calls to ArrayInstance::sort behave correctly.
+
 2007-04-12  Deneb Meketa  <dmeketa@adobe.com>
 
         Reviewed by Darin Adler.
index 5b65f8e..2d32547 100644 (file)
@@ -284,7 +284,7 @@ void ArrayInstance::mark()
   }
 }
 
-static ExecState *execForCompareByStringForQSort;
+static ExecState* execForCompareByStringForQSort = 0;
 
 static int compareByStringForQSort(const void *a, const void *b)
 {
@@ -300,13 +300,14 @@ static int compareByStringForQSort(const void *a, const void *b)
     return compare(va->toString(exec), vb->toString(exec));
 }
 
-void ArrayInstance::sort(ExecState *exec)
+void ArrayInstance::sort(ExecStateexec)
 {
     int lengthNotIncludingUndefined = pushUndefinedObjectsToEnd(exec);
-    
+
+    ExecState* oldExec = execForCompareByStringForQSort;
     execForCompareByStringForQSort = exec;
-    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue *), compareByStringForQSort);
-    execForCompareByStringForQSort = 0;
+    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue*), compareByStringForQSort);
+    execForCompareByStringForQSort = oldExec;
 }
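Review bot: The save/restore of `execForCompareByStringForQSort` carries no comment explaining the reentrancy it guards, and the pattern is easy to break later (a future edit resetting the static to 0 would reintroduce the crash). Since the comparator calls `va->toString(exec)` (visible in the context lines above), which can presumably run script that calls sort() again, I would add `// toString() on an element can run arbitrary script, including another sort(); preserve the outer call's context rather than clearing it.` just above `ExecState* oldExec = execForCompareByStringForQSort;`. Separately, the signature line in this rendering reads `void ArrayInstance::sort(ExecStateexec)` with no pointer declarator, while the body still uses `exec`; that looks like the `*` being eaten by markup rather than the committed text, but it is worth confirming against the actual source.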
 
 struct CompareWithCompareFunctionArguments {
@@ -325,7 +326,7 @@ struct CompareWithCompareFunctionArguments {
     JSObject *globalObject;
 };
 
-static CompareWithCompareFunctionArguments *compareWithCompareFunctionArguments;
+static CompareWithCompareFunctionArguments* compareWithCompareFunctionArguments = 0;
 
 static int compareWithCompareFunctionForQSort(const void *a, const void *b)
 {
@@ -348,14 +349,15 @@ static int compareWithCompareFunctionForQSort(const void *a, const void *b)
     return compareResult < 0 ? -1 : compareResult > 0 ? 1 : 0;
 }
 
-void ArrayInstance::sort(ExecState *exec, JSObject *compareFunction)
+void ArrayInstance::sort(ExecState* exec, JSObject* compareFunction)
 {
     int lengthNotIncludingUndefined = pushUndefinedObjectsToEnd(exec);
-    
+
+    CompareWithCompareFunctionArguments* oldArgs = compareWithCompareFunctionArguments;
     CompareWithCompareFunctionArguments args(exec, compareFunction);
     compareWithCompareFunctionArguments = &args;
-    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue *), compareWithCompareFunctionForQSort);
-    compareWithCompareFunctionArguments = 0;
+    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue*), compareWithCompareFunctionForQSort);
+    compareWithCompareFunctionArguments = oldArgs;
 }
 
 unsigned ArrayInstance::pushUndefinedObjectsToEnd(ExecState *exec)
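Review bot: Saving and restoring `compareWithCompareFunctionArguments` only protects the static pointer; the comparison function still runs caller-supplied JavaScript while qsort is walking `storage`, and nothing in this hunk guards against that callback mutating the array being sorted (shrinking its length, pushing elements, or calling sort() on the same array), which — if such a mutation can reallocate or resize `storage` — would leave qsort reading stale or out-of-range slots. The new test only re-enters on a different array (`numbers1` inside a sort of `numbers2`), so the same-array case is not exercised. A more robust shape would copy `lengthNotIncludingUndefined` entries into a temporary buffer, qsort that, and write the result back only after re-checking the array's current length; at minimum the assumption deserves a comment such as `// compareFunction can run arbitrary script, including sort() on this very array; storage must stay valid for the duration of qsort.` pushUndefinedObjectsToEnd begins on the last context line and continues outside the hunk.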
index ffc38d9..2766cd5 100644 (file)
@@ -1,3 +1,15 @@
+2007-04-19  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Darin.
+
+        Test for http://bugs.webkit.org/show_bug.cgi?id=13401
+        Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
+        a sort comparison function
+
+        * fast/js/array-sort-reentrance-expected.txt: Added.
+        * fast/js/array-sort-reentrance.html: Added.
+        * fast/js/resources/array-sort-reentrance.js: Added.
+
 2007-04-19  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Darin.
diff --git a/LayoutTests/fast/js/array-sort-reentrance-expected.txt b/LayoutTests/fast/js/array-sort-reentrance-expected.txt
new file mode 100644 (file)
index 0000000..6941d92
--- /dev/null
@@ -0,0 +1,9 @@
+This tests that a call to array.sort(compareFunction) does not crash from within a sort comparison function.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/array-sort-reentrance.html b/LayoutTests/fast/js/array-sort-reentrance.html
new file mode 100644 (file)
index 0000000..c3c0e98
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/array-sort-reentrance.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/resources/array-sort-reentrance.js b/LayoutTests/fast/js/resources/array-sort-reentrance.js
new file mode 100644 (file)
index 0000000..621098e
--- /dev/null
@@ -0,0 +1,19 @@
+description(
+"This tests that a call to array.sort(compareFunction) does not crash from within a sort comparison function."
+);
+
+var numbers1 = [1, 2, 3, 4, 5, 6, 7];
+var numbers2 = numbers1.slice();
+
+function compareFn1(a, b) {
+    return b - a;
+}
+
+function compareFn2(a, b) {
+    numbers1.sort(compareFn1);
+    return b - a;
+}
+
+numbers2.sort(compareFn2);
+
+var successfullyParsed = true;
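Review bot: The test only checks that the script finishes parsing; it never asserts the resulting order, so a regression that silently corrupts the sort (for example the nested call clobbering the outer comparison context without crashing) would still pass. Both comparators sort descending, so adding `shouldBe("numbers1.join()", "'7,6,5,4,3,2,1'");` and `shouldBe("numbers2.join()", "'7,6,5,4,3,2,1'");` after `numbers2.sort(compareFn2);` pins the behavior the fix is meant to preserve. It would also be worth a second case where `compareFn2` calls `numbers2.sort(compareFn1)` on the array currently being sorted, since the fix's save/restore only demonstrably covers the different-array scenario exercised here.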