Changeset 56425 in webkit for trunk/JavaScriptCore/runtime


Timestamp:
Mar 23, 2010, 4:12:10 PM (15 years ago)
Author:
[email protected]
Message:

Reviewed by Geoff Garen.

https://bugs.webkit.org/show_bug.cgi?id=36511
<rdar://problem/7753498> Safari freezes when using SPUTNIK JavaScript conformance check

Test: fast/js/sputnik-S15.4.4.12_A3_T3.html

  • runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSplice): We were incorrectly computing the start offset, and iterated over (almost) all integers. Note that this can be fixed without using doubles, but the code would be much more complicated, and there is no important reason to stick to integers here.
File:
1 edited

  • trunk/JavaScriptCore/runtime/ArrayPrototype.cpp

    r55833 r56425  
    507507    JSArray* resObj = constructEmptyArray(exec);
    508508    JSValue result = resObj;
    509     unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
     509
     510    // FIXME: Firefox returns an empty array.
    510511    if (!args.size())
    511512        return jsUndefined();
    512     int begin = args.at(0).toUInt32(exec);
    513     if (begin < 0)
    514         begin = std::max<int>(begin + length, 0);
    515     else
    516         begin = std::min<int>(begin, length);
     513
     514    unsigned length = thisObj->get(exec, exec->propertyNames().length).toInteger(exec);
     515    double relativeBegin = args.at(0).toInteger(exec);
     516    unsigned begin;
     517    if (relativeBegin < 0) {
     518        relativeBegin += length;
     519        begin = (relativeBegin < 0) ? 0 : static_cast<unsigned>(relativeBegin);
     520    } else
     521        begin = std::min<unsigned>(relativeBegin, length);
    517522
    518523    unsigned deleteCount;
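Review bot: On new line 521, `std::min<unsigned>(relativeBegin, length)` converts the double `relativeBegin` to `unsigned` before the comparison, so a start argument at or above 2^32 is narrowed out of range before it is clamped, which is undefined behaviour in C++. Compare in double and narrow afterwards, e.g. `begin = relativeBegin < length ? static_cast<unsigned>(relativeBegin) : length;`. Separately, new line 514 stores the result of `toInteger(exec)` in `unsigned length`; the next line assigns the same call to a `double`, so this is also a double-to-unsigned narrowing, and the removed line used `toUInt32(exec)` for it. The commit message only mentions the start offset, so either keep `toUInt32` for `length` or say why it changed.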
     
    540545                thisObj->deleteProperty(exec, k - 1);
    541546        } else {
    542             for (unsigned k = length - deleteCount; (int)k > begin; --k) {
     547            for (unsigned k = length - deleteCount; k > begin; --k) {
    543548                if (JSValue obj = getProperty(exec, thisObj, k + deleteCount - 1))
    544549                    thisObj->put(exec, k + additionalArgs - 1, obj);
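Review bot: The loop on new line 547 starts at `length - deleteCount`, which is unsigned subtraction and wraps to a huge value if `deleteCount` ever exceeds `length`; with the `(int)` cast gone, `k > begin` would then walk nearly the whole 32-bit range, the same kind of freeze this change is fixing. The clamp on `deleteCount` is not in this hunk, so an `ASSERT(deleteCount <= length - begin);` ahead of the loop would document the invariant the loop depends on. The `k - 1` indexing itself is safe, since `k > begin` with unsigned `begin` guarantees `k >= 1`.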