Changeset 91290 in webkit

Timestamp:

Jul 19, 2011 1:03:13 PM (13 years ago)

Author:

barraclough@apple.com

Message:

Source/JavaScriptCore: [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
​https://bugs.webkit.org/show_bug.cgi?id=63918

Patch by Mark Hahnenberg <​mhahnenberg@apple.com> on 2011-07-19
Reviewed by Darin Adler.

When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
method due to additional string copying within several of the constructors when dealing with
UStrings. This has been added to the UString version of the appendStringInConstruct method
within the JSString class.

• runtime/JSString.h:

(JSC::RopeBuilder::JSString):
(JSC::RopeBuilder::appendStringInConstruct):

LayoutTests: Chromium rebaselines r91269 and r91277.

Patch by Ryosuke Niwa <​rniwa@webkit.org> on 2011-07-19

• platform/chromium-linux/svg/W3C-SVG-1.1-SE/styling-pres-02-f-expected.png: Added.
• platform/chromium-mac/fast/table/align-right-within-left-aligned-div-expected.png: Added.
• platform/chromium-mac/fast/table/align-right-within-left-aligned-div-expected.txt: Added.
• platform/chromium-mac/svg/W3C-SVG-1.1-SE/styling-pres-02-f-expected.png: Added.
• platform/chromium-win/svg/W3C-SVG-1.1-SE/styling-pres-02-f-expected.png: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/array-prototype-properties-expected.txt (added)
• LayoutTests/fast/js/array-prototype-properties.html (added)
• LayoutTests/fast/js/script-tests/array-prototype-properties.js (added)
• LayoutTests/ietestcenter/Javascript/15.4.4.14-5-28-expected.txt (modified) (1 diff)
• LayoutTests/ietestcenter/Javascript/15.4.4.15-5-28-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (19 diffs)

trunk/LayoutTests/ChangeLog

@@ -29 +29 @@
         * fast/dynamic/hover-before-position-after-style-change-expected.txt: Added.
         * fast/dynamic/hover-before-position-after-style-change.html: Added.
+
+2011-07-19  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64679
+        Fix bugs in Array.prototype this handling.
+
+        Reviewed by Oliver Hunt.
+
+        * fast/js/array-prototype-properties-expected.txt: Added.
+        * fast/js/array-prototype-properties.html: Added.
+        * fast/js/script-tests/array-prototype-properties.js: Added.
+            - Added layout test for array prototype functions with undefined as this value.
+        * ietestcenter/Javascript/15.4.4.14-5-28-expected.txt:
+        * ietestcenter/Javascript/15.4.4.15-5-28-expected.txt:
+            - These tests now pass.
 
 2011-07-19  Gavin Barraclough  <barraclough@apple.com>

trunk/LayoutTests/ietestcenter/Javascript/15.4.4.14-5-28-expected.txt

@@ -5 +5 @@
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 

trunk/LayoutTests/ietestcenter/Javascript/15.4.4.15-5-28-expected.txt

@@ -5 +5 @@
 
 PASS ES5Harness.preconditionPassed is true
-FAIL ES5Harness.testPassed should be true. Was false.
+PASS ES5Harness.testPassed is true
 PASS successfullyParsed is true
 

trunk/Source/JavaScriptCore/ChangeLog

@@ -14 +14 @@
         (JSC::RopeBuilder::JSString):
         (JSC::RopeBuilder::appendStringInConstruct):
+
+2011-07-19  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64679
+        Fix bugs in Array.prototype this handling.
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncJoin):
+        (JSC::arrayProtoFuncConcat):
+        (JSC::arrayProtoFuncPop):
+        (JSC::arrayProtoFuncPush):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::arrayProtoFuncShift):
+        (JSC::arrayProtoFuncSlice):
+        (JSC::arrayProtoFuncSort):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        (JSC::arrayProtoFuncFilter):
+        (JSC::arrayProtoFuncMap):
+        (JSC::arrayProtoFuncEvery):
+        (JSC::arrayProtoFuncForEach):
+        (JSC::arrayProtoFuncSome):
+        (JSC::arrayProtoFuncReduce):
+        (JSC::arrayProtoFuncReduceRight):
+        (JSC::arrayProtoFuncIndexOf):
+        (JSC::arrayProtoFuncLastIndexOf):
+            - These methods should throw if this value is undefined.
 
 2011-07-19  Gavin Barraclough  <barraclough@apple.com>

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -268 +268 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -338 +338 @@
     JSArray* arr = constructEmptyArray(exec);
     unsigned n = 0;
-    JSValue curArg = thisValue.toThisObject(exec);
+    JSValue curArg = thisValue.toObject(exec);
+    if (exec->hadException())
+        return JSValue::encode(jsUndefined());
     size_t i = 0;
     size_t argCount = exec->argumentCount();
@@ -370 +372 @@
         return JSValue::encode(asArray(thisValue)->pop());
 
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = thisValue.toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -397 +399 @@
     }
 
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = thisValue.toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -419 +421 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReverse(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -445 +447 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncShift(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
+    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+    if (exec->hadException())
+        return JSValue::encode(jsUndefined());
+
     JSValue result;
-
-    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    if (exec->hadException())
-        return JSValue::encode(jsUndefined());
-
     if (length == 0) {
         putProperty(exec, thisObj, exec->propertyNames().length, jsNumber(length));
@@ -476 +477 @@
 {
     // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
+    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
+    if (exec->hadException())
+        return JSValue::encode(jsUndefined());
 
     // We return a new array
     JSArray* resObj = constructEmptyArray(exec);
     JSValue result = resObj;
-
-    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
-    if (exec->hadException())
-        return JSValue::encode(jsUndefined());
 
     unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
@@ -500 +500 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSort(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (!length || exec->hadException())
@@ -562 +562 @@
     // 15.4.4.12
 
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -630 +630 @@
     // 15.4.4.13
 
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -657 +657 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncFilter(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -716 +716 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncMap(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -778 +778 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -836 +836 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncForEach(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -886 +886 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -943 +943 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduce(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -1018 +1018 @@
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncReduceRight(ExecState* exec)
 {
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -1093 +1093 @@
 {
     // 15.4.4.14
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (exec->hadException())
@@ -1114 +1114 @@
 {
     // 15.4.4.15
-    JSObject* thisObj = exec->hostThisValue().toThisObject(exec);
+    JSObject* thisObj = exec->hostThisValue().toObject(exec);
     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     if (!length)