Commit f2e8f29a authored by darin@apple.com

JavaScriptCore:

2008-05-21  Darin Adler  <darin@apple.com>

        Reviewed by Anders.

        - fix <rdar://problem/5952721> bug in JavaScript arguments object property lookup

        Test: fast/js/arguments-bad-index.html

        * kjs/function.cpp:
        (KJS::IndexToNameMap::IndexToNameMap): Use unsigned instead of int.
        (KJS::IndexToNameMap::isMapped): Use unsigned instead of int, and also use the
        strict version of the numeric conversion function, since we don't want to allow
        trailing junk.
        (KJS::IndexToNameMap::unMap): Ditto.
        (KJS::IndexToNameMap::operator[]): Ditto.
        * kjs/function.h: Changed IndexToNameMap::size type from int to unsigned.

LayoutTests:

2008-05-21  Darin Adler  <darin@apple.com>

        Reviewed by Anders.

        - test for <rdar://problem/5952721> bug in JavaScript arguments object property lookup

        * fast/js/arguments-bad-index-expected.txt: Added.
        * fast/js/arguments-bad-index.html: Added.
        * fast/js/resources/arguments-bad-index.js: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@33972 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent b165a22d
2008-05-21 Darin Adler <darin@apple.com>
Reviewed by Anders.
- fix <rdar://problem/5952721> bug in JavaScript arguments object property lookup
Test: fast/js/arguments-bad-index.html
* kjs/function.cpp:
(KJS::IndexToNameMap::IndexToNameMap): Use unsigned instead of int.
(KJS::IndexToNameMap::isMapped): Use unsigned instead of int, and also use the
strict version of the numeric conversion function, since we don't want to allow
trailing junk.
(KJS::IndexToNameMap::unMap): Ditto.
(KJS::IndexToNameMap::operator[]): Ditto.
* kjs/function.h: Changed IndexToNameMap::size type from int to unsigned.
2008-05-20 Timothy Hatcher <timothy@apple.com>
 
Change the Profiler to allow multiple profiles to be running at
......
......@@ -225,20 +225,21 @@ IndexToNameMap::IndexToNameMap(FunctionImp* func, const List& args)
_map = new Identifier[args.size()];
this->size = args.size();
int i = 0;
unsigned i = 0;
List::const_iterator end = args.end();
for (List::const_iterator it = args.begin(); it != end; ++i, ++it)
_map[i] = func->getParameterName(i); // null if there is no corresponding parameter
}
IndexToNameMap::~IndexToNameMap() {
IndexToNameMap::~IndexToNameMap()
{
delete [] _map;
}
bool IndexToNameMap::isMapped(const Identifier& index) const
{
bool indexIsNumber;
int indexAsNumber = index.toUInt32(&indexIsNumber);
unsigned indexAsNumber = index.toStrictUInt32(&indexIsNumber);
if (!indexIsNumber)
return false;
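Review bot: In isMapped, the line `unsigned indexAsNumber = index.toStrictUInt32(&indexIsNumber);` changes both the type and the conversion function, and the ChangeLog explains only the second ("we don't want to allow trailing junk"). Please add a one-line comment saying why the variable must be unsigned: a converted value of 0x80000000 or more stored in an int comes out negative on the usual two's-complement targets, so any bounds comparison against size done in signed arithmetic would accept it. The destructor brace move in the same hunk is unrelated to the fix and would be easier to audit or backport as its own change.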
......@@ -255,26 +256,21 @@ bool IndexToNameMap::isMapped(const Identifier& index) const
void IndexToNameMap::unMap(const Identifier& index)
{
bool indexIsNumber;
int indexAsNumber = index.toUInt32(&indexIsNumber);
unsigned indexAsNumber = index.toStrictUInt32(&indexIsNumber);
ASSERT(indexIsNumber && indexAsNumber < size);
_map[indexAsNumber] = CommonIdentifiers::shared()->nullIdentifier;
}
Identifier& IndexToNameMap::operator[](int index)
{
return _map[index];
}
Identifier& IndexToNameMap::operator[](const Identifier& index)
{
bool indexIsNumber;
int indexAsNumber = index.toUInt32(&indexIsNumber);
unsigned indexAsNumber = index.toStrictUInt32(&indexIsNumber);
ASSERT(indexIsNumber && indexAsNumber < size);
return (*this)[indexAsNumber];
return _map[indexAsNumber];
}
// ------------------------------ Arguments ---------------------------------
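Review bot: In unMap and operator[](const Identifier&), the only bounds check is `ASSERT(indexIsNumber && indexAsNumber < size);`, so in any build where ASSERT compiles to nothing, `_map[indexAsNumber]` is indexed with whatever the conversion returned, including the value left behind when indexIsNumber is false. Both functions rely on the caller having checked isMapped first; state that precondition in a comment above each function, or replace the assertion with a runtime check that fails safely. Dropping the `operator[](int index)` overload is a good move, since it removes an entry point that took a signed index with no check at all.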
......
......@@ -93,17 +93,15 @@ namespace KJS {
class IndexToNameMap {
public:
IndexToNameMap(FunctionImp* func, const List& args);
IndexToNameMap(FunctionImp*, const List& args);
~IndexToNameMap();
Identifier& operator[](int index);
Identifier& operator[](const Identifier &indexIdentifier);
Identifier& operator[](const Identifier& index);
bool isMapped(const Identifier& index) const;
void unMap(const Identifier& index);
private:
IndexToNameMap(); // prevent construction w/o parameters
int size;
unsigned size;
Identifier* _map;
};
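Review bot: IndexToNameMap owns `_map` as a raw `Identifier*` that the destructor releases with `delete [] _map`, yet the class as shown makes only the default constructor private; the copy constructor and assignment operator are still implicitly generated, so an accidental copy would free the array twice. While this header is being touched, declare both private next to `IndexToNameMap();` or otherwise make the class noncopyable. The switch of `size` to unsigned is consistent with the unsigned indices in function.cpp.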
......
2008-05-21 Darin Adler <darin@apple.com>
Reviewed by Anders.
- test for <rdar://problem/5952721> bug in JavaScript arguments object property lookup
* fast/js/arguments-bad-index-expected.txt: Added.
* fast/js/arguments-bad-index.html: Added.
* fast/js/resources/arguments-bad-index.js: Added.
2008-05-21 Alexey Proskuryakov <ap@webkit.org>
 
Reviewed by Darin.
This test checks whether arguments crashes when passed a bad index.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS indexArguments(1, "a") is "a"
PASS indexArguments("1 ", "a") is undefined
PASS indexArguments(0xDEADBEEF) is undefined
PASS indexArguments(0xFFFFFFFF) is undefined
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="resources/js-test-style.css">
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<p id="description"></p>
<div id="console"></div>
<script src="resources/arguments-bad-index.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
description(
"This test checks whether arguments crashes when passed a bad index."
);
function indexArguments(index)
{
return arguments[index];
}
shouldBe('indexArguments(1, "a")', '"a"');
shouldBe('indexArguments("1 ", "a")', 'undefined');
shouldBe('indexArguments(0xDEADBEEF)', 'undefined');
shouldBe('indexArguments(0xFFFFFFFF)', 'undefined');
var successfullyParsed = true;
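Review bot: The cases in arguments-bad-index.js cover trailing junk ("1 ") and two large values, but not the boundary at which the old int variable first went negative: add indexArguments(0x80000000) and indexArguments(0x7FFFFFFF) so that both sides of the sign change are pinned down. All four existing cases only read `arguments[index]`, while the commit also changes unMap and the non-const operator[]; consider adding cases that assign to and delete `arguments[index]` with the same bad indices, in case those operations reach the changed functions.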