Reviewed by Sam.
- fix http://bugs.webkit.org/show_bug.cgi?id=15927
REGRESSION(r27487): delete a.c followed by __defineGetter__("c", ...) incorrectly deletes another property
and <rdar://problem/
5586384> REGRESSION (r27487): Can't switch out of Edit HTML Source mode on Leopard Wiki
Test: fast/js/delete-then-put.html
* kjs/property_map.cpp:
(KJS::PropertyMap::put): Added a missing "- 1"; code to find an empty slot was not working.
(KJS::PropertyMap::checkConsistency): Added a missing range check that would have caught this
problem before.
- roll out a last-minute change to my evaluateToBoolean patch that was incorrect.
* kjs/nodes.h: (KJS::ExprStatementNode::ExprStatementNode): Take out call to
optimizeForUnnecessaryResult, since the result is used in some cases.
LayoutTests:
Reviewed by Sam.
- test for http://bugs.webkit.org/show_bug.cgi?id=15927
delete a.c followed by __defineGetter__("c", ...) incorrectly deletes another property
* fast/js/delete-then-put-expected.txt: Added.
* fast/js/delete-then-put.html: Added.
* fast/js/resources/delete-then-put.js: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27678
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2007-11-10 Darin Adler <darin@apple.com>
+
+ Reviewed by Sam.
+
+ - fix http://bugs.webkit.org/show_bug.cgi?id=15927
+ REGRESSION(r27487): delete a.c followed by __defineGetter__("c", ...) incorrectly deletes another property
+ and <rdar://problem/5586384> REGRESSION (r27487): Can't switch out of Edit HTML Source mode on Leopard Wiki
+
+ Test: fast/js/delete-then-put.html
+
+ * kjs/property_map.cpp:
+ (KJS::PropertyMap::put): Added a missing "- 1"; code to find an empty slot was not working.
+ (KJS::PropertyMap::checkConsistency): Added a missing range check that would have caught this
+ problem before.
+
+ - roll out a last-minute change to my evaluateToBoolean patch that was incorrect.
+
+ * kjs/nodes.h: (KJS::ExprStatementNode::ExprStatementNode): Take out call to
+ optimizeForUnnecessaryResult, since the result is used in some cases.
+
2007-11-10 Adam Roben <aroben@apple.com>
Windows build fix
class ExprStatementNode : public StatementNode {
public:
- ExprStatementNode(ExpressionNode* e) KJS_FAST_CALL : expr(e)
- {
- e->optimizeForUnnecessaryResult();
- }
+ ExprStatementNode(ExpressionNode* e) KJS_FAST_CALL : expr(e) { }
virtual void optimizeVariableAccess(FunctionBodyNode*, DeclarationStacks::NodeStack&) KJS_FAST_CALL;
virtual Completion execute(ExecState*) KJS_FAST_CALL;
virtual void streamTo(SourceStream&) const KJS_FAST_CALL;
// the end that we were planning on using, so search backwards for the empty
// slot that we can use. We know it will be there because we did at least one
// deletion in the past that left an entry empty.
- while (m_u.table->entries()[--entryIndex].key)
+ while (m_u.table->entries()[--entryIndex - 1].key)
;
}
++deletedIndexCount;
continue;
}
+ ASSERT(entryIndex > deletedSentinelIndex);
+ ASSERT(entryIndex - 1 <= m_u.table->keyCount + m_u.table->deletedSentinelCount);
++indexCount;
for (unsigned b = a + 1; b != m_u.table->size; ++b)
ASSERT(m_u.table->entryIndicies[b] != entryIndex);
-
}
ASSERT(indexCount == m_u.table->keyCount);
ASSERT(deletedIndexCount == m_u.table->deletedSentinelCount);
ASSERT(m_u.table->entries()[0].key == 0);
- unsigned entryCount = m_u.table->keyCount + m_u.table->deletedSentinelCount;
unsigned nonEmptyEntryCount = 0;
- for (unsigned c = 1; c <= entryCount; ++c) {
+ for (unsigned c = 1; c <= m_u.table->keyCount + m_u.table->deletedSentinelCount; ++c) {
UString::Rep* rep = m_u.table->entries()[c].key;
if (!rep) {
ASSERT(m_u.table->entries()[c].value->isUndefined());
+2007-11-10 Darin Adler <darin@apple.com>
+
+ Reviewed by Sam.
+
+ - test for http://bugs.webkit.org/show_bug.cgi?id=15927
+ delete a.c followed by __defineGetter__("c", ...) incorrectly deletes another property
+
+ * fast/js/delete-then-put-expected.txt: Added.
+ * fast/js/delete-then-put.html: Added.
+ * fast/js/resources/delete-then-put.js: Added.
+
2007-11-10 Sam Weinig <sam@webkit.org>
Reviewed by Tim Hatcher.
--- /dev/null
+This tests for a problem with put after delete that existed at one point in the past.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS props(a) is 'a,b,c,d,e'
+delete a.c
+PASS props(a) is 'a,b,d,e'
+define getter named c
+PASS props(a) is 'a,b,d,e,c'
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/delete-then-put.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
--- /dev/null
+description(
+'This tests for a problem with put after delete that existed at one point in the past.'
+);
+
+function props(o)
+{
+ var s = "";
+ for (p in o) {
+ if (s.length != 0)
+ s += ",";
+ s += p;
+ }
+ return s;
+}
+
+var a = { a:1, b:2, c:3, d:4, e:5 }
+
+shouldBe("props(a)", "'a,b,c,d,e'");
+debug("delete a.c");
+delete a.c;
+shouldBe("props(a)", "'a,b,d,e'");
+debug("define getter named c");
+a.__defineGetter__("c", function() { return 3 });
+shouldBe("props(a)", "'a,b,d,e,c'");
+debug("");
+
+var successfullyParsed = true;