JavaScriptCore:
authordarin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Dec 2007 15:46:14 +0000 (15:46 +0000)
committerdarin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Dec 2007 15:46:14 +0000 (15:46 +0000)
        Reviewed by Mitz.

        - fix http://bugs.webkit.org/show_bug.cgi?id=15848
          <rdar://problem/5619330> REGRESSION: Assertion failure viewing comments page on digg.com

        Test: fast/js/sparse-array.html

        * kjs/array_instance.cpp:
        (KJS::ArrayInstance::inlineGetOwnPropertySlot): Check sparse array cutoff before looking
        in hash map. Can't avoid the branch because we can't look for 0 in the hash.
        (KJS::ArrayInstance::deleteProperty): Ditto.

LayoutTests:

        Reviewed by Mitz.

        - test for http://bugs.webkit.org/show_bug.cgi?id=15848
          <rdar://problem/5619330> REGRESSION: Assertion failure viewing comments page on digg.com

        * fast/js/resources/sparse-array.js: Added.
        * fast/js/sparse-array-expected.txt: Added.
        * fast/js/sparse-array.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28346 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/kjs/array_instance.cpp
LayoutTests/ChangeLog
LayoutTests/fast/js/resources/sparse-array.js [new file with mode: 0644]
LayoutTests/fast/js/sparse-array-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/sparse-array.html [new file with mode: 0644]

index c5dc6bd09d356fdd5cb6680fab5983e8dd64c2c5..a4a708318aed10964bc10e9d2664a33c173cf2b7 100644 (file)
@@ -1,3 +1,17 @@
+2007-12-02  Darin Adler  <darin@apple.com>
+
+        Reviewed by Mitz.
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=15848
+          <rdar://problem/5619330> REGRESSION: Assertion failure viewing comments page on digg.com
+
+        Test: fast/js/sparse-array.html
+
+        * kjs/array_instance.cpp:
+        (KJS::ArrayInstance::inlineGetOwnPropertySlot): Check sparse array cutoff before looking
+        in hash map. Can't avoid the branch because we can't look for 0 in the hash.
+        (KJS::ArrayInstance::deleteProperty): Ditto.
+
 2007-12-02  Geoffrey Garen  <ggaren@apple.com>
 
         Build fix: added an #include.
index 282513232920408b4395f99688fd6ee7a465ad55..dc8b58ff21aea8c66512b6ca6cd3794d6cd27243 100644 (file)
@@ -151,10 +151,12 @@ ALWAYS_INLINE bool ArrayInstance::inlineGetOwnPropertySlot(ExecState* exec, unsi
             return true;
         }
     } else if (SparseArrayValueMap* map = storage->m_sparseValueMap) {
-        SparseArrayValueMap::iterator it = map->find(i);
-        if (it != map->end()) {
-            slot.setValueSlot(this, &it->second);
-            return true;
+        if (i >= sparseArrayCutoff) {
+            SparseArrayValueMap::iterator it = map->find(i);
+            if (it != map->end()) {
+                slot.setValueSlot(this, &it->second);
+                return true;
+            }
         }
     }
 
@@ -318,10 +320,12 @@ bool ArrayInstance::deleteProperty(ExecState* exec, unsigned i)
     }
 
     if (SparseArrayValueMap* map = storage->m_sparseValueMap) {
-        SparseArrayValueMap::iterator it = map->find(i);
-        if (it != map->end()) {
-            map->remove(it);
-            return true;
+        if (i >= sparseArrayCutoff) {
+            SparseArrayValueMap::iterator it = map->find(i);
+            if (it != map->end()) {
+                map->remove(it);
+                return true;
+            }
         }
     }
 
index 602a76d42a02ece14c5cf2069b1a2dec9b636f07..8a31051782d097d8cb19edf9696a1c546c831583 100644 (file)
@@ -1,3 +1,14 @@
+2007-12-02  Darin Adler  <darin@apple.com>
+
+        Reviewed by Mitz.
+
+        - test for http://bugs.webkit.org/show_bug.cgi?id=15848
+          <rdar://problem/5619330> REGRESSION: Assertion failure viewing comments page on digg.com
+
+        * fast/js/resources/sparse-array.js: Added.
+        * fast/js/sparse-array-expected.txt: Added.
+        * fast/js/sparse-array.html: Added.
+
 2007-12-02  Darin Adler  <darin@apple.com>
 
         Reviewed by Mitz.
diff --git a/LayoutTests/fast/js/resources/sparse-array.js b/LayoutTests/fast/js/resources/sparse-array.js
new file mode 100644 (file)
index 0000000..4cc07d2
--- /dev/null
@@ -0,0 +1,21 @@
+description(
+'This tests some sparse array operations.'
+);
+
+var array = [ ];
+
+array[50000] = 100;
+
+shouldBe('array[0]', 'undefined');
+shouldBe('array[49999]', 'undefined');
+shouldBe('array[50000]', '100');
+shouldBe('array[50001]', 'undefined');
+array[0]++;
+shouldBe('array[0]', 'NaN');
+shouldBe('array[49999]', 'undefined');
+shouldBe('array[50000]', '100');
+shouldBe('array[50001]', 'undefined');
+
+debug('');
+
+successfullyParsed = true;
diff --git a/LayoutTests/fast/js/sparse-array-expected.txt b/LayoutTests/fast/js/sparse-array-expected.txt
new file mode 100644 (file)
index 0000000..e6a24aa
--- /dev/null
@@ -0,0 +1,18 @@
+This tests some sparse array operations.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS array[0] is undefined
+PASS array[49999] is undefined
+PASS array[50000] is 100
+PASS array[50001] is undefined
+PASS array[0] is NaN
+PASS array[49999] is undefined
+PASS array[50000] is 100
+PASS array[50001] is undefined
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/sparse-array.html b/LayoutTests/fast/js/sparse-array.html
new file mode 100644 (file)
index 0000000..12ef5da
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/sparse-array.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>