-
msaboff@apple.com authored
Reviewed by Geoffrey Garen. Addressed the "FIXME" issues in array sort for toString() methods that mutate the array in either size or contents. The change is to mark the temporary array contents so that they are not garbage collected and to make sure the array is large enough to hold the contents of the sorted temporary vector. https://bugs.webkit.org/show_bug.cgi?id=50718 * runtime/Collector.cpp: (JSC::Heap::addTempSortVector): (JSC::Heap::removeTempSortVector): (JSC::Heap::markTempSortVectors): (JSC::Heap::markRoots): * runtime/Collector.h: * runtime/JSArray.cpp: (JSC::JSArray::sort): * runtime/JSValue.h: 2010-12-09 Michael Saboff <msaboff@apple.com> Reviewed by Geoffrey Garen. New test to verify that arrays sort per the standard even it there is an override for toString() that modifies the array. https://bugs.webkit.org/show_bug.cgi?id=50718 * fast/js/array-sort-modifying-tostring-expected.txt: Added. * fast/js/array-sort-modifying-tostring.html: Added. * fast/js/script-tests/array-sort-modifying-tostring.js: Added. (do_gc): (Item): (toString_Mutate): (test): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73623 268f45cc-cd09-0410-ab3c-d52691b4dbfc
86ea014e