[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677
darin
darin at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 08:25:13 UTC 2009
The following commit has been merged in the debian/unstable branch:
commit 99b78126a12be4d792f0a2a1241405c17d26c94d
Author: darin <darin at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Feb 3 01:18:18 2004 +0000
Reviewed by Maciej.
- fixed <rdar://problem/3546613>: array of negative size leads to crash (test page at oscar.the-rileys.net)
* kjs/array_object.cpp:
(ArrayInstanceImp::ArrayInstanceImp): If the length is greater than 10,000, don't allocate an array until
we start putting values in. This prevents new Array(2147483647) from causing trouble.
(ArrayObjectImp::construct): Check number as described in specification, and raise a range error if the
number is out of range. This prevents new Array(-1) from causing trouble.
- fixed <rdar://problem/3545756>: Math.round screws up on numbers bigger than 2^31 (incorrect results on HP-35 calculator page)
* kjs/math_object.cpp: (MathFuncImp::call): Change implementation to be much simpler and not involve
casting to int. Results now match those in other browsers.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@6028 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 0e87136..8f2fb95 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -2,6 +2,23 @@
Reviewed by Maciej.
+ - fixed <rdar://problem/3546613>: array of negative size leads to crash (test page at oscar.the-rileys.net)
+
+ * kjs/array_object.cpp:
+ (ArrayInstanceImp::ArrayInstanceImp): If the length is greater than 10,000, don't allocate an array until
+ we start putting values in. This prevents new Array(2147483647) from causing trouble.
+ (ArrayObjectImp::construct): Check number as described in specification, and raise a range error if the
+ number is out of range. This prevents new Array(-1) from causing trouble.
+
+ - fixed <rdar://problem/3545756>: Math.round screws up on numbers bigger than 2^31 (incorrect results on HP-35 calculator page)
+
+ * kjs/math_object.cpp: (MathFuncImp::call): Change implementation to be much simpler and not involve
+ casting to int. Results now match those in other browsers.
+
+2004-02-02 Darin Adler <darin at apple.com>
+
+ Reviewed by Maciej.
+
- fixed <rdar://problem/3519285>: integer operations on large negative numbers yield bad results (discovered with "HTMLCrypt")
- fixed other related overflow issues
diff --git a/JavaScriptCore/kjs/array_object.cpp b/JavaScriptCore/kjs/array_object.cpp
index 7aa481d..8651334 100644
--- a/JavaScriptCore/kjs/array_object.cpp
+++ b/JavaScriptCore/kjs/array_object.cpp
@@ -45,7 +45,7 @@ const ClassInfo ArrayInstanceImp::info = {"Array", 0, 0, 0};
ArrayInstanceImp::ArrayInstanceImp(ObjectImp *proto, unsigned initialLength)
: ObjectImp(proto)
, length(initialLength)
- , storageLength(initialLength)
+ , storageLength(initialLength < sparseArrayCutoff ? initialLength : 0)
, capacity(storageLength)
, storage(capacity ? (ValueImp **)calloc(capacity, sizeof(ValueImp *)) : 0)
{
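Review bot: The changed initializer leaves `length` at `initialLength` while `storageLength`, `capacity` and `storage` become 0/null for any length at or above `sparseArrayCutoff`, so every member that walks `storage` must bound by `storageLength` (or `capacity`) rather than `length`; those members are outside this hunk, so I can't confirm from here that none of them still uses `length`. The commit message says storage is allocated later when values are put, and that invariant deserves a comment at the initializer: `// Lengths >= sparseArrayCutoff start sparse: storage stays null until a put grows it, so index by storageLength, never length.` The constructor body opens on the hunk's last line and continues outside it.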
@@ -795,8 +795,15 @@ bool ArrayObjectImp::implementsConstruct() const
Object ArrayObjectImp::construct(ExecState *exec, const List &args)
{
// a single numeric argument denotes the array size (!)
- if (args.size() == 1 && args[0].type() == NumberType)
- return Object(new ArrayInstanceImp(exec->interpreter()->builtinArrayPrototype().imp(), args[0].toUInt32(exec)));
+ if (args.size() == 1 && args[0].type() == NumberType) {
+ uint32_t n = args[0].toUInt32(exec);
+ if (n != args[0].toNumber(exec)) {
+ Object error = Error::create(exec, RangeError, "Array size is not a small enough positive integer.");
+ exec->setException(error);
+ return error;
+ }
+ return Object(new ArrayInstanceImp(exec->interpreter()->builtinArrayPrototype().imp(), n));
+ }
// otherwise the array is constructed with the arguments in it
return Object(new ArrayInstanceImp(exec->interpreter()->builtinArrayPrototype().imp(), args));
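Review bot: The single comparison `n != args[0].toNumber(exec)` does all the work only because toUInt32 wraps modulo 2^32: that is how it rejects negatives, fractions, values of 2^32 or more and NaN (toUInt32 yields 0 and `0 != NaN` holds), which is the ECMA-262 15.4.2.2 rule for `new Array(len)`, and a reader should not have to rederive that. A comment above the `if` would carry it: `// ECMA-262 15.4.2.2: ToUint32(len) must equal ToNumber(len); the uint32 wrap makes this reject negative, fractional, NaN and >= 2^32 lengths.` The error text says "positive integer" but 0 passes the check; "non-negative integer" would describe it accurately. The implicit uint32_t-to-double promotion in the comparison is correct but easy to misread; `static_cast<double>(n) != args[0].toNumber(exec)` states the intent.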
diff --git a/JavaScriptCore/kjs/math_object.cpp b/JavaScriptCore/kjs/math_object.cpp
index 9713bc0..b5ec4c3 100644
--- a/JavaScriptCore/kjs/math_object.cpp
+++ b/JavaScriptCore/kjs/math_object.cpp
@@ -233,14 +233,7 @@ Value MathFuncImp::call(ExecState *exec, Object &/*thisObj*/, const List &args)
result = result / RAND_MAX;
break;
case MathObjectImp::Round:
- if (isNaN(arg))
- result = arg;
- else if (isInf(arg) || isInf(-arg))
- result = arg;
- else if (arg == -0.5)
- result = 0;
- else
- result = (double)(arg >= 0.0 ? int(arg + 0.5) : int(arg - 0.5));
+ result = ::floor(arg + 0.5);
break;
case MathObjectImp::Sin:
result = ::sin(arg);
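Review bot: The new `result = ::floor(arg + 0.5);` mis-rounds at two double-precision edges: for arg = 0.49999999999999994 the sum rounds to exactly 1.0 so the result is 1 instead of 0, and for odd integers at or above 2^52 the added 0.5 is absorbed by round-to-nearest-even so the result is the next even integer instead of the input. Rounding without forming the sum avoids both: `result = ::floor(arg); if (arg - result >= 0.5) result += 1;` — `arg - floor(arg)` is exact for finite doubles, NaN and ±Infinity still pass through unchanged (floor returns them and the comparison is false), and negative halves still round toward +∞ as the old code did. A one-line comment above those lines saying why the obvious `floor(arg + 0.5)` is avoided would stop the next simplification from reintroducing it. MathFuncImp::call starts and ends outside the hunk.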
--