Changeset 20949 in webkit for trunk/JavaScriptCore

Timestamp:

Apr 19, 2007, 7:02:25 AM (18 years ago)

Author:

bdash

Message:

2007-04-19 Mark Rowe <​[email protected]>

Reviewed by Darin.

Fix ​http://bugs.webkit.org/show_bug.cgi?id=13401
Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
a sort comparison function

• kjs/array_object.cpp: (ArrayInstance::sort): Save/restore the static variables around calls to qsort to ensure nested calls to ArrayInstance::sort behave correctly.

2007-04-19 Mark Rowe <​[email protected]>

Reviewed by Darin.

Test for ​http://bugs.webkit.org/show_bug.cgi?id=13401
Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
a sort comparison function

• fast/js/array-sort-reentrance-expected.txt: Added.
• fast/js/array-sort-reentrance.html: Added.
• fast/js/resources/array-sort-reentrance.js: Added.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• kjs/array_object.cpp (modified) (4 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-04-19  Mark Rowe  <[email protected]>
+
+        Reviewed by Darin.
+
+        Fix http://bugs.webkit.org/show_bug.cgi?id=13401
+        Bug 13401: Reproducible crash calling myArray.sort(compareFn) from within
+        a sort comparison function
+
+        * kjs/array_object.cpp:
+        (ArrayInstance::sort): Save/restore the static variables around calls to qsort
+        to ensure nested calls to ArrayInstance::sort behave correctly.
+
 2007-04-12  Deneb Meketa  <[email protected]>
 

trunk/JavaScriptCore/kjs/array_object.cpp

@@ -285 +285 @@
 }
 
-static ExecState *execForCompareByStringForQSort;
+static ExecState* execForCompareByStringForQSort = 0;
 
 static int compareByStringForQSort(const void *a, const void *b)
@@ -301 +301 @@
 }
 
-void ArrayInstance::sort(ExecState *exec)
+void ArrayInstance::sort(ExecState* exec)
 {
     int lengthNotIncludingUndefined = pushUndefinedObjectsToEnd(exec);
-    
+
+    ExecState* oldExec = execForCompareByStringForQSort;
     execForCompareByStringForQSort = exec;
-    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue *), compareByStringForQSort);
-    execForCompareByStringForQSort = 0;
+    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue*), compareByStringForQSort);
+    execForCompareByStringForQSort = oldExec;
 }
 
@@ -326 +327 @@
 };
 
-static CompareWithCompareFunctionArguments *compareWithCompareFunctionArguments;
+static CompareWithCompareFunctionArguments* compareWithCompareFunctionArguments = 0;
 
 static int compareWithCompareFunctionForQSort(const void *a, const void *b)
@@ -349 +350 @@
 }
 
-void ArrayInstance::sort(ExecState *exec, JSObject *compareFunction)
+void ArrayInstance::sort(ExecState* exec, JSObject* compareFunction)
 {
     int lengthNotIncludingUndefined = pushUndefinedObjectsToEnd(exec);
-    
+
+    CompareWithCompareFunctionArguments* oldArgs = compareWithCompareFunctionArguments;
     CompareWithCompareFunctionArguments args(exec, compareFunction);
     compareWithCompareFunctionArguments = &args;
-    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue *), compareWithCompareFunctionForQSort);
-    compareWithCompareFunctionArguments = 0;
+    qsort(storage, lengthNotIncludingUndefined, sizeof(JSValue*), compareWithCompareFunctionForQSort);
+    compareWithCompareFunctionArguments = oldArgs;
 }