    2010-12-09 Michael Saboff <msaboff@apple.com> · 86ea014e
    msaboff@apple.com authored
            Reviewed by Geoffrey Garen.
    
            Addressed the "FIXME" issues in array sort for toString() methods that
            mutate the array in either size or contents.  The change is to mark
            the temporary array contents so that they are not garbage collected
            and to make sure the array is large enough to hold the contents
            of the sorted temporary vector.
            https://bugs.webkit.org/show_bug.cgi?id=50718
    
            * runtime/Collector.cpp:
            (JSC::Heap::addTempSortVector):
            (JSC::Heap::removeTempSortVector):
            (JSC::Heap::markTempSortVectors):
            (JSC::Heap::markRoots):
            * runtime/Collector.h:
            * runtime/JSArray.cpp:
            (JSC::JSArray::sort):
            * runtime/JSValue.h:
    2010-12-09  Michael Saboff  <msaboff@apple.com>
    
            Reviewed by Geoffrey Garen.
    
            New test to verify that arrays sort per the standard even if
            there is an override for toString() that modifies the array.
            https://bugs.webkit.org/show_bug.cgi?id=50718
    
            * fast/js/array-sort-modifying-tostring-expected.txt: Added.
            * fast/js/array-sort-modifying-tostring.html: Added.
            * fast/js/script-tests/array-sort-modifying-tostring.js: Added.
            (do_gc):
            (Item):
            (toString_Mutate):
            (test):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73623 268f45cc-cd09-0410-ab3c-d52691b4dbfc
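
A regression check for the behaviour this commit describes (sorting an array whose elements' toString() shrinks, grows or overwrites it), as an added example that is not the WebKit test file or code from this commit. All names are chosen here, and the expected order assumes an engine that follows the current ECMAScript sort steps (collect the elements, sort them, write them back).

```javascript
// Added example, not WebKit's test. Item, MODES, FILLER and
// sortWithMutatingToString are names chosen here.
const FILLER = 'filler';
const MODES = ['none', 'shrink', 'grow', 'overwrite'];

// Element whose toString() mutates the array that is being sorted.
class Item {
  constructor(key, owner, mode) {
    this.key = key;
    this.owner = owner;
    this.mode = mode;
  }
  toString() {
    const a = this.owner;
    if (this.mode === 'shrink') a.length = 0;          // drop every element
    else if (this.mode === 'grow') a.push(FILLER);     // extend past the sorted range
    else if (this.mode === 'overwrite') a[0] = FILLER; // change contents in place
    // Force a collection when the host exposes gc() (node --expose-gc, jsc shell).
    if (typeof globalThis.gc === 'function') globalThis.gc();
    return this.key;
  }
}

function sortWithMutatingToString(keys, mode) {
  const arr = [];
  // The array holds the only reference to the items, so after 'shrink' they are
  // reachable only through whatever temporary storage the engine sorts in.
  for (const k of keys) arr.push(new Item(k, arr, mode));
  const n = arr.length;
  arr.sort(); // default comparator: compares String(element)
  return {
    // Keys in the first n slots, read without calling toString() again.
    prefixKeys: arr.slice(0, n).map((v) => (v instanceof Item ? v.key : null)),
    // Values that are neither an Item nor the filler the mutator wrote.
    foreign: arr.filter((v) => !(v instanceof Item) && v !== FILLER).length,
  };
}

for (const mode of MODES) {
  console.log(mode, JSON.stringify(sortWithMutatingToString(['d', 'b', 'a', 'c'], mode)));
}
```

A non-zero `foreign` count or a `null` in `prefixKeys` means the sort wrote back something other than the original elements, which is the symptom to look for when the temporary storage is not kept alive or the array is not resized before write-back.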