Context Navigation

← Previous Changeset
Next Changeset →

Changeset 214714 in webkit

Timestamp:

Apr 1, 2017 1:14:15 AM (7 years ago)

Author:

gskachkov@gmail.com

Message:

Object with numerical keys with gaps gets filled by NaN values
https://bugs.webkit.org/show_bug.cgi?id=164412

Reviewed by Mark Lam.

This patch fixes issue when object have two properties
with name as number. The issue appears when during invoking
convertDoubleToArrayStorage, array is filled by pNaN and
method converting it to real NaN. This happeneds because a
pNaN in a Double array is a hole, and Double arrays cannot
have NaN values. To fix issue we need to check value and
clear it if it pNaN.

Source/JavaScriptCore:

runtime/JSObject.cpp:

(JSC::JSObject::convertDoubleToArrayStorage):

JSTests:

stress/object-number-properties.js: Added.

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/object-number-properties.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r214642
+                      r214714
+-04-01  Oleksandr Skachkov  <gskachkov@gmail.com>
+        Object with numerical keys with gaps gets filled by NaN values
+        https://bugs.webkit.org/show_bug.cgi?id=164412
+        Reviewed by Merk Lam.
+        * stress/object-number-properties.js: Added.
+        (assert):
+        (boo):
 -03-30  Michael Saboff  <msaboff@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r214711
+                      r214714
+-04-01  Oleksandr Skachkov  <gskachkov@gmail.com>
+        Object with numerical keys with gaps gets filled by NaN values
+        https://bugs.webkit.org/show_bug.cgi?id=164412
+        Reviewed by Mark Lam.
+        This patch fixes issue when object have two properties
+        with name as number. The issue appears when during invoking
+        convertDoubleToArrayStorage, array is filled by pNaN and
+        method converting it to real NaN. This happeneds because a
+        pNaN in a Double array is a hole, and Double arrays cannot
+        have NaN values. To fix issue we need to check value and
+        clear it if it pNaN.
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::convertDoubleToArrayStorage):
 -03-31  Saam Barati  <sbarati@apple.com>

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

-                      r214135
+                      r214714
     for (unsigned i = 0; i < vectorLength; i++) {
         double value = butterfly->contiguousDouble()[i];
+        if (value != value) {
+            newStorage->m_vector[i].clear();
+            continue;
+        }
         newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
+        if (value == value)
+            newStorage->m_numValuesInVector++;
+        newStorage->m_numValuesInVector++;
+    }

Note: See TracChangeset for help on using the changeset viewer.