Context Navigation

← Previous Changeset
Next Changeset →

Changeset 41028 in webkit

Timestamp:

Feb 16, 2009 4:40:39 PM (15 years ago)

Author:

weinig@apple.com

Message:

JavaScriptCore:

2009-02-16 Sam Weinig <sam@webkit.org>

Reviewed by Geoffrey Garen.

Fix for <rdar://problem/6468156>
REGRESSION (r36779): Adding link, images, flash in TinyMCE blocks entire page (21382)

No performance regression.

runtime/Arguments.cpp: (JSC::Arguments::fillArgList): Add codepath for when the "length" property has been overridden.

LayoutTests:

2009-02-16 Sam Weinig <sam@webkit.org>

Reviewed by Geoffrey Garen.

Add tests for <rdar://problem/6468156>
REGRESSION (r36779): Adding link, images, flash in TinyMCE blocks entire page (21382)

fast/js/function-apply-expected.txt:
fast/js/resources/function-apply.js: Add cases covering setting arugments.length and Array.length explicitly or implicitly using Array.prototype.unshift.

Location:

trunk

Files:

: 5 edited

JavaScriptCore/ChangeLog (modified) (1 diff)
JavaScriptCore/runtime/Arguments.cpp (modified) (1 diff)
LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/js/function-apply-expected.txt (modified) (1 diff)
LayoutTests/fast/js/resources/function-apply.js (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/ChangeLog

-                      r41023
+                      r41028
+-02-16  Sam Weinig  <sam@webkit.org>
+        Reviewed by Geoffrey Garen.
+        Fix for <rdar://problem/6468156>
+        REGRESSION (r36779): Adding link, images, flash in TinyMCE blocks entire page (21382)
+        No performance regression.
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::fillArgList): Add codepath for when the "length" property has been
+        overridden.
 -02-16  Mark Rowe  <mrowe@apple.com>

trunk/JavaScriptCore/runtime/Arguments.cpp

-                      r39670
+                      r41028
 void Arguments::fillArgList(ExecState* exec, ArgList& args)
+{
+    if (UNLIKELY(d->overrodeLength)) {
+        unsigned length = get(exec, exec->propertyNames().length).toUInt32(exec);
+        for (unsigned i = 0; i < length; i++)
+            args.append(get(exec, i));
+        return;
+   }
     if (LIKELY(!d->deletedArguments)) {
         if (LIKELY(!d->numParameters)) {

trunk/LayoutTests/ChangeLog

-                      r41027
+                      r41028
+-02-16  Sam Weinig  <sam@webkit.org>
+        Reviewed by Geoffrey Garen.
+        Add tests for <rdar://problem/6468156>
+        REGRESSION (r36779): Adding link, images, flash in TinyMCE blocks entire page (21382)
+        * fast/js/function-apply-expected.txt:
+        * fast/js/resources/function-apply.js: Add cases covering setting arugments.length and
+        Array.length explicitly or implicitly using Array.prototype.unshift.
 -02-16  Dan Bernstein  <mitz@apple.com>

trunk/LayoutTests/fast/js/function-apply-expected.txt

-                      r36779
+                      r41028
 PASS arrayApplyDelete3([1, 2, 3]) is 3
 PASS arrayApplyDeleteLength([1, 2, 3]) is 3
+PASS argumentsApplyChangeLength1(1) is 2
+PASS argumentsApplyChangeLength2(1) is 2
+PASS argumentsApplyChangeLength3(1) is 2
+PASS argumentsApplyChangeLength4(1) is 0
+PASS argumentsApplyChangeLength5(1) is 0
+PASS arrayApplyChangeLength1() is 2
+PASS arrayApplyChangeLength2() is 2
+PASS arrayApplyChangeLength3() is 2
+PASS arrayApplyChangeLength4() is 0
 PASS successfullyParsed is true

trunk/LayoutTests/fast/js/resources/function-apply.js

-                      r36779
+                      r41028
 shouldBe("arrayApplyDeleteLength([1, 2, 3])", "3");
+function argumentsApplyChangeLength1()
+{
+    function f() {
+        return arguments.length;
+    };
+    arguments.length = 2;
+    return f.apply(null, arguments);
+}
+function argumentsApplyChangeLength2()
+{
+    function f(a) {
+        return arguments.length;
+    };
+    arguments.length = 2;
+    return f.apply(null, arguments);
+}
+function argumentsApplyChangeLength3()
+{
+    function f(a, b, c) {
+        return arguments.length;
+    };
+    arguments.length = 2;
+    return f.apply(null, arguments);
+};
+function argumentsApplyChangeLength4()
+{
+    function f() {
+        return arguments.length;
+    };
+    arguments.length = 0;
+    return f.apply(null, arguments);
+};
+function argumentsApplyChangeLength5()
+{
+    function f() {
+        return arguments.length;
+    };
+    arguments.length = "Not A Number";
+    return f.apply(null, arguments);
+}
+shouldBe("argumentsApplyChangeLength1(1)", "2");
+shouldBe("argumentsApplyChangeLength2(1)", "2");
+shouldBe("argumentsApplyChangeLength3(1)", "2");
+shouldBe("argumentsApplyChangeLength4(1)", "0");
+shouldBe("argumentsApplyChangeLength5(1)", "0");
+function arrayApplyChangeLength1()
+{
+    function f() {
+        return arguments.length;
+    };
+    var array = [];
+    array.length = 2;
+    return f.apply(null, array);
+}
+function arrayApplyChangeLength2()
+{
+    function f(a) {
+        return arguments.length;
+    };
+    var array = [];
+    array.length = 2;
+    return f.apply(null, array);
+}
+function arrayApplyChangeLength3()
+{
+    function f(a, b, c) {
+        return arguments.length;
+    };
+    var array = [];
+    array.length = 2;
+    return f.apply(null, array);
+}
+function arrayApplyChangeLength4()
+{
+    function f() {
+        return arguments.length;
+    };
+    var array = [1];
+    array.length = 0;
+    return f.apply(null, array);
+};
+shouldBe("arrayApplyChangeLength1()", "2");
+shouldBe("arrayApplyChangeLength2()", "2");
+shouldBe("arrayApplyChangeLength3()", "2");
+shouldBe("arrayApplyChangeLength4()", "0");
 var successfullyParsed = true;

Note: See TracChangeset for help on using the changeset viewer.