Changeset 214815 in webkit
- Timestamp: Apr 3, 2017 10:29:09 AM
- Location: releases/WebKitGTK/webkit-2.16
- Files: 1 added, 3 edited
releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog
r214797 r214815 1 2017-04-01 Oleksandr Skachkov <gskachkov@gmail.com> 2 3 Object with numerical keys with gaps gets filled by NaN values 4 https://bugs.webkit.org/show_bug.cgi?id=164412 5 6 Reviewed by Merk Lam. 7 8 * stress/object-number-properties.js: Added. 9 (assert): 10 (boo): 11 1 12 2017-03-23 Yusuke Suzuki <utatane.tea@gmail.com> 2 13 -
releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog
r214814 r214815 1 2017-04-01 Oleksandr Skachkov <gskachkov@gmail.com> 2 3 Object with numerical keys with gaps gets filled by NaN values 4 https://bugs.webkit.org/show_bug.cgi?id=164412 5 6 Reviewed by Mark Lam. 7 8 This patch fixes issue when object have two properties 9 with name as number. The issue appears when during invoking 10 convertDoubleToArrayStorage, array is filled by pNaN and 11 method converting it to real NaN. This happeneds because a 12 pNaN in a Double array is a hole, and Double arrays cannot 13 have NaN values. To fix issue we need to check value and 14 clear it if it pNaN. 15 16 * runtime/JSObject.cpp: 17 (JSC::JSObject::convertDoubleToArrayStorage): 18 1 19 2017-03-31 Mark Lam <mark.lam@apple.com> 2 20 -
releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp
r213038 r214815 1289 1289 for (unsigned i = 0; i < vectorLength; i++) { 1290 1290 double value = butterfly->contiguousDouble()[i]; 1291 if (value != value) { 1292 newStorage->m_vector[i].clear(); 1293 continue; 1294 } 1291 1295 newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value)); 1292 if (value == value) 1293 newStorage->m_numValuesInVector++; 1296 newStorage->m_numValuesInVector++; 1294 1297 } 1295 1298
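Review bot: In the JSTests/ChangeLog entry the reviewer line reads "Reviewed by Merk Lam." while the Source/JavaScriptCore/ChangeLog entry for the same change reads "Reviewed by Mark Lam."; the two should agree. The `(assert):` and `(boo):` entries under `stress/object-number-properties.js` also carry no description, so a short phrase on what each one exercises would make the test entry useful to someone reading the log later.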
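Review bot: The new `if (value != value)` branch in `JSC::JSObject::convertDoubleToArrayStorage` depends on a NaN in the double vector meaning a hole, but that reasoning appears only in the ChangeLog and not beside the check. A one-line comment above the branch saying that a NaN slot is a hole and must be cleared rather than boxed would keep the invariant visible in JSObject.cpp, and a named check such as `std::isnan(value)` would read more clearly than the self-comparison. With the early `continue`, `m_numValuesInVector++` is now unconditional on the remaining path, which is correct as written; the comment would also make it clear why no guard is needed there.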