7601.6.13

apple-opensource · apple-opensource · commit f8c4ae869b5c · 2016-11-06T20:59:56.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,30 @@
+2016-03-24  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r198592. rdar://problem/25332806
+
+    2016-03-23  Michael Saboff  <msaboff@apple.com>
+
+            JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls
+            https://bugs.webkit.org/show_bug.cgi?id=155776
+
+            Reviewed by Saam Barati.
+
+            Array.join ends up calling toString, possibly on some object.  Since these calls
+            could be effectful and could change the array itself, we can't hold the butterfly
+            pointer while making effectful calls.  Changed the code to fall back to the general
+            case when an effectful toString() call might be made.
+
+            * runtime/ArrayPrototype.cpp:
+            (JSC::join):
+            * runtime/JSStringJoiner.h:
+            (JSC::JSStringJoiner::appendWithoutSideEffects): New helper that doesn't make effectful
+            toString() calls.
+            (JSC::JSStringJoiner::append): Built upon appendWithoutSideEffects.
+
+2016-02-26  Babak Shafiei  <bshafiei@apple.com>
+
+        Merge patch for rdar://problem/24826901.
+
 2016-02-12  Babak Shafiei  <bshafiei@apple.com>
 
         Merge patch for rdar://problem/24626412.
diff --git a/Configurations/FeatureDefines.xcconfig b/Configurations/FeatureDefines.xcconfig
@@ -123,8 +123,11 @@ ENABLE_IOS_GESTURE_EVENTS[sdk=iphone*] = $(ENABLE_IOS_GESTURE_EVENTS_ios_WITH_IN
 ENABLE_IOS_GESTURE_EVENTS_ios_WITH_INTERNAL_SDK_YES = ENABLE_IOS_GESTURE_EVENTS;
 
 ENABLE_MAC_GESTURE_EVENTS = ;
-ENABLE_MAC_GESTURE_EVENTS[sdk=macosx*] = $(ENABLE_MAC_GESTURE_EVENTS_macosx_WITH_INTERNAL_SDK_$(USE_INTERNAL_SDK));
-ENABLE_MAC_GESTURE_EVENTS_macosx_WITH_INTERNAL_SDK_YES = ENABLE_MAC_GESTURE_EVENTS;
+ENABLE_MAC_GESTURE_EVENTS[sdk=macosx*] = $(ENABLE_MAC_GESTURE_EVENTS_macosx_$(TARGET_MAC_OS_X_VERSION_MAJOR)_WITH_INTERNAL_SDK_$(USE_INTERNAL_SDK));
+ENABLE_MAC_GESTURE_EVENTS_macosx_1090_WITH_INTERNAL_SDK_YES = ;
+ENABLE_MAC_GESTURE_EVENTS_macosx_101000_WITH_INTERNAL_SDK_YES = ENABLE_MAC_GESTURE_EVENTS;
+ENABLE_MAC_GESTURE_EVENTS_macosx_101100_WITH_INTERNAL_SDK_YES = ENABLE_MAC_GESTURE_EVENTS;
+ENABLE_MAC_GESTURE_EVENTS_macosx_101200_WITH_INTERNAL_SDK_YES = ENABLE_MAC_GESTURE_EVENTS;
 
 ENABLE_IOS_TEXT_AUTOSIZING[sdk=iphone*] = ENABLE_IOS_TEXT_AUTOSIZING;
 
diff --git a/Configurations/Version.xcconfig b/Configurations/Version.xcconfig
@@ -22,8 +22,8 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 
 MAJOR_VERSION = 601;
-MINOR_VERSION = 5;
-TINY_VERSION = 17;
+MINOR_VERSION = 6;
+TINY_VERSION = 13;
 MICRO_VERSION = 0;
 NANO_VERSION = 0;
 FULL_VERSION = $(MAJOR_VERSION).$(MINOR_VERSION).$(TINY_VERSION);
diff --git a/runtime/ArrayPrototype.cpp b/runtime/ArrayPrototype.cpp
@@ -404,9 +404,8 @@ static inline JSValue join(ExecState& state, JSObject* thisObject, StringView se
         bool holesKnownToBeOK = false;
         for (unsigned i = 0; i < length; ++i) {
             if (JSValue value = data[i].get()) {
-                joiner.append(state, value);
-                if (state.hadException())
-                    return jsUndefined();
+                if (!joiner.appendWithoutSideEffects(state, value))
+                    goto generalCase;
             } else {
                 if (!holesKnownToBeOK) {
                     if (holesMustForwardToPrototype(state, thisObject))
@@ -454,9 +453,8 @@ static inline JSValue join(ExecState& state, JSObject* thisObject, StringView se
         auto data = storage.vector().data();
         for (unsigned i = 0; i < length; ++i) {
             if (JSValue value = data[i].get()) {
-                joiner.append(state, value);
-                if (state.hadException())
-                    return jsUndefined();
+                if (!joiner.appendWithoutSideEffects(state, value))
+                    goto generalCase;
             } else
                 joiner.appendEmptyString();
         }
diff --git a/runtime/JSStringJoiner.h b/runtime/JSStringJoiner.h
@@ -37,6 +37,7 @@ class JSStringJoiner {
     JSStringJoiner(ExecState&, StringView separator, unsigned stringCount);
 
     void append(ExecState&, JSValue);
+    bool appendWithoutSideEffects(ExecState&, JSValue);
     void appendEmptyString();
 
     JSValue join(ExecState&);
@@ -96,42 +97,52 @@ ALWAYS_INLINE void JSStringJoiner::appendEmptyString()
     m_strings.uncheckedAppend({ { }, { } });
 }
 
-ALWAYS_INLINE void JSStringJoiner::append(ExecState& state, JSValue value)
+ALWAYS_INLINE bool JSStringJoiner::appendWithoutSideEffects(ExecState& state, JSValue value)
 {
     // The following code differs from using the result of JSValue::toString in the following ways:
     // 1) It's inlined more than JSValue::toString is.
     // 2) It includes conversion to WTF::String in a way that avoids allocating copies of substrings.
     // 3) It doesn't create a JSString for numbers, true, or false.
     // 4) It turns undefined and null into the empty string instead of "undefined" and "null".
     // 5) It uses optimized code paths for all the cases known to be 8-bit and for the empty string.
+    // If we might make an effectful calls, return false. Otherwise return true.
 
     if (value.isCell()) {
-        if (value.asCell()->isString()) {
-            append(asString(value)->viewWithUnderlyingString(state));
-            return;
-        }
+        JSString* jsString;
+        if (!value.asCell()->isString())
+            return false;
+        jsString = asString(value);
         append(value.toString(&state)->viewWithUnderlyingString(state));
-        return;
+        return true;
     }
 
     if (value.isInt32()) {
         append8Bit(state.vm().numericStrings.add(value.asInt32()));
-        return;
+        return true;
     }
     if (value.isDouble()) {
         append8Bit(state.vm().numericStrings.add(value.asDouble()));
-        return;
+        return true;
     }
     if (value.isTrue()) {
         append8Bit(state.vm().propertyNames->trueKeyword.string());
-        return;
+        return true;
     }
     if (value.isFalse()) {
         append8Bit(state.vm().propertyNames->falseKeyword.string());
-        return;
+        return true;
     }
     ASSERT(value.isUndefinedOrNull());
     appendEmptyString();
+    return true;
+}
+
+ALWAYS_INLINE void JSStringJoiner::append(ExecState& state, JSValue value)
+{
+    if (!appendWithoutSideEffects(state, value)) {
+        JSString* jsString = value.toString(&state);
+        append(jsString->viewWithUnderlyingString(state));
+    }
 }
 
 }
