authorSimon Hausmann <simon.hausmann@digia.com>2012-09-26 10:42:44 +0200
committerSimon Hausmann <simon.hausmann@digia.com>2012-09-26 10:42:44 +0200
commit33b26980cb24288b5a9f2590ccf32a949281bb79 (patch)
treecc0203dac37338b24b0b25a4694c0b76d4e4164b /Source/JavaScriptCore/runtime
parent715be629d51174233403237bfc563cf150087dc8 (diff)
downloadqtwebkit-33b26980cb24288b5a9f2590ccf32a949281bb79.tar.gz
Imported WebKit commit c596dd7f03007fa7ed896b928106497e8784b3b5 (http://svn.webkit.org/repository/webkit/trunk@129610)
New snapshot that removes QtQuick1 support (to be moved into QtQuick1 module)
Diffstat (limited to 'Source/JavaScriptCore/runtime')
-rw-r--r--Source/JavaScriptCore/runtime/ArrayPrototype.cpp14
-rw-r--r--Source/JavaScriptCore/runtime/JSArray.cpp1
-rw-r--r--Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp8
-rw-r--r--Source/JavaScriptCore/runtime/JSObject.cpp7
-rw-r--r--Source/JavaScriptCore/runtime/JSObject.h36
-rw-r--r--Source/JavaScriptCore/runtime/Options.cpp10
-rw-r--r--Source/JavaScriptCore/runtime/Options.h3
7 files changed, 61 insertions, 18 deletions
diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
index 95cba0936..1eacd1179 100644
--- a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -202,8 +202,11 @@ static inline void shift(ExecState* exec, JSObject* thisObj, unsigned header, un
ASSERT(header <= length);
ASSERT(currentCount <= (length - header));
- if (!header && isJSArray(thisObj) && asArray(thisObj)->shiftCount(exec, count))
- return;
+ if (!header && isJSArray(thisObj)) {
+ JSArray* array = asArray(thisObj);
+ if (array->length() == length && asArray(thisObj)->shiftCount(exec, count))
+ return;
+ }
for (unsigned k = header; k < length - currentCount; ++k) {
unsigned from = k + currentCount;
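Review bot: The new guard `array->length() == length` has no comment explaining why the caller-supplied `length` can differ from the array's own length, and the same line ignores the local it just declared by calling `asArray(thisObj)->shiftCount(...)` again. I would write `if (array->length() == length && array->shiftCount(exec, count))` and put `// Only take the in-place fast path while the caller's length still matches the array's real length.` above it, so the check is not later removed as redundant. The identical pattern appears in the `unshift` hunk that follows (`asArray(thisObj)->unshiftCount`), and the same two changes apply there. Both function bodies continue outside their hunks.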
@@ -242,8 +245,11 @@ static inline void unshift(ExecState* exec, JSObject* thisObj, unsigned header,
return;
}
- if (!header && isJSArray(thisObj) && asArray(thisObj)->unshiftCount(exec, count))
- return;
+ if (!header && isJSArray(thisObj)) {
+ JSArray* array = asArray(thisObj);
+ if (array->length() == length && asArray(thisObj)->unshiftCount(exec, count))
+ return;
+ }
for (unsigned k = length - currentCount; k > header; --k) {
unsigned from = k + currentCount - 1;
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 609781c65..8398ae77d 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -499,6 +499,7 @@ bool JSArray::shiftCount(ExecState* exec, unsigned count)
ArrayStorage* storage = ensureArrayStorage(exec->globalData());
unsigned oldLength = storage->length();
+ ASSERT(count <= oldLength);
// If the array contains holes or is otherwise in an abnormal state,
// use the generic algorithm in ArrayPrototype.
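Review bot: `ASSERT(count <= oldLength)` is compiled out of release builds, so in shipping code nothing in this hunk stops `shiftCount` from continuing with a `count` larger than the storage length. The visible callers now compare `array->length()` with their own `length`, but that does not by itself bound `count`. The rest of the function is outside the hunk, so I cannot confirm whether a later check already covers this. If none does, a runtime bail-out such as `if (count > oldLength) return false;` would hand the case to the generic algorithm that the next comment mentions.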
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
index c85965060..8b1acb25a 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
@@ -497,11 +497,6 @@ static double parseFloat(const String& s)
EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
{
- JSObject* thisObject = exec->hostThisValue().toThisObject(exec);
- JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
- if (thisObject != exec->callee()->globalObject()->globalThis())
- return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated")));
-
JSValue x = exec->argument(0);
if (!x.isString())
return JSValue::encode(x);
@@ -518,12 +513,13 @@ EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
return JSValue::encode(parsedObject);
}
+ JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false);
JSObject* error = eval->compile(exec, calleeGlobalObject);
if (error)
return throwVMError(exec, error);
- return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject));
+ return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject));
}
EncodedJSValue JSC_HOST_CALL globalFuncParseInt(ExecState* exec)
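Review bot: Nothing on the new lines records that the caller-supplied `this` value is now deliberately ignored. With the EvalError check gone, `execute` always receives `calleeGlobalObject->globalThis()`. That is a behaviour change at a cross-global boundary, so I would add a comment above the `execute` call, for example `// eval called through this host function always runs against the callee's global object; the caller's this value is intentionally not consulted.` A regression test that calls this function with a `this` taken from a different global object would pin the new behaviour.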
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 7bf12b67e..bf38f6876 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -1350,10 +1350,13 @@ void JSObject::putByIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue
}
case NonArrayWithSlowPutArrayStorage:
- case ArrayWithSlowPutArrayStorage:
- if (attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow))
+ case ArrayWithSlowPutArrayStorage: {
+ // No own property present in the vector, but there might be in the sparse map!
+ SparseArrayValueMap* map = arrayStorage()->m_sparseMap.get();
+ if (!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow))
return;
// Otherwise, fall though.
+ }
case NonArrayWithArrayStorage:
case ArrayWithArrayStorage:
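Review bot: The condition `!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow)` packs a null check, a negation and a call that may perform the put into one expression, which makes the short-circuit order easy to misread. Naming the first half reads better: `bool hasOwnSparseEntry = map && map->contains(i);` followed by `if (!hasOwnSparseEntry && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow))`. The fall-through into `NonArrayWithArrayStorage` now leaves a braced scope, so the "fall through" comment would be easier to spot placed after the closing brace. The enclosing switch starts and ends outside this hunk.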
diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
index 16efeba5e..4b9cff5ad 100644
--- a/Source/JavaScriptCore/runtime/JSObject.h
+++ b/Source/JavaScriptCore/runtime/JSObject.h
@@ -226,6 +226,42 @@ namespace JSC {
}
}
+ JSValue tryGetIndexQuickly(unsigned i)
+ {
+ switch (structure()->indexingType()) {
+ case ALL_BLANK_INDEXING_TYPES:
+ break;
+ case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+ if (i < m_butterfly->arrayStorage()->vectorLength()) {
+ JSValue v = m_butterfly->arrayStorage()->m_vector[i].get();
+ if (v)
+ return v;
+ }
+ break;
+ default:
+ ASSERT_NOT_REACHED();
+ break;
+ }
+ return JSValue();
+ }
+
+ JSValue getDirectIndex(ExecState* exec, unsigned i)
+ {
+ if (JSValue result = tryGetIndexQuickly(i))
+ return result;
+ PropertySlot slot(this);
+ if (methodTable()->getOwnPropertySlotByIndex(this, exec, i, slot))
+ return slot.getValue(exec, i);
+ return JSValue();
+ }
+
+ JSValue getIndex(ExecState* exec, unsigned i)
+ {
+ if (JSValue result = tryGetIndexQuickly(i))
+ return result;
+ return get(exec, i);
+ }
+
bool canSetIndexQuickly(unsigned i)
{
switch (structure()->indexingType()) {
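Review bot: The three new accessors have no comments, and their "not found" results differ in a way callers can get wrong. `tryGetIndexQuickly` and `getDirectIndex` return an empty `JSValue()`, while `getIndex` falls back to `get(exec, i)`, whose result for a missing index is not visible here. I would add a short comment to each stating what the empty value means. The `tryGetIndexQuickly` comment should note that only slots below `vectorLength()` are read and that a hole yields the empty value. The `getDirectIndex` comment should note that it consults own properties only, through `getOwnPropertySlotByIndex`. It is also worth saying that the two slow paths take an `ExecState*` and go through `slot.getValue` / `get`, which presumably can run script, so callers should not assume array state is unchanged afterwards.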
diff --git a/Source/JavaScriptCore/runtime/Options.cpp b/Source/JavaScriptCore/runtime/Options.cpp
index b164948a5..ed0720b54 100644
--- a/Source/JavaScriptCore/runtime/Options.cpp
+++ b/Source/JavaScriptCore/runtime/Options.cpp
@@ -127,6 +127,11 @@ void Options::initialize()
JSC_OPTIONS(FOR_EACH_OPTION)
#undef FOR_EACH_OPTION
+#if USE(CF) || OS(UNIX)
+ objectsAreImmortal() = !!getenv("JSImmortalZombieEnabled");
+ useZombieMode() = !!getenv("JSImmortalZombieEnabled") || !!getenv("JSZombieEnabled");
+#endif
+
// Allow environment vars to override options if applicable.
// The evn var should be the name of the option prefixed with
// "JSC_".
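Review bot: `getenv("JSImmortalZombieEnabled")` is now evaluated twice on adjacent lines, where the removed code reused the option it had just set. `useZombieMode() = objectsAreImmortal() || !!getenv("JSZombieEnabled");` keeps the two options from drifting apart if one line is edited later. The block now sits above the "Allow environment vars to override options" section, so it looks as if a `JSC_`-prefixed variable can override what these legacy variables set. The override code itself is outside the hunk, so if that ordering is intended a one-line comment saying so would help.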
@@ -149,11 +154,6 @@ void Options::initialize()
useRegExpJIT() = false;
#endif
-#if USE(CF) || OS(UNIX)
- zombiesAreImmortal() = !!getenv("JSImmortalZombieEnabled");
- useZombieMode() = zombiesAreImmortal() || !!getenv("JSZombieEnabled");
-#endif
-
// Do range checks where needed and make corrections to the options:
ASSERT(thresholdForOptimizeAfterLongWarmUp() >= thresholdForOptimizeAfterWarmUp());
ASSERT(thresholdForOptimizeAfterWarmUp() >= thresholdForOptimizeSoon());
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index 5e53d1cf2..7571f9138 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -121,7 +121,8 @@ namespace JSC {
v(unsigned, forcedWeakRandomSeed, 0) \
\
v(bool, useZombieMode, false) \
- v(bool, zombiesAreImmortal, false)
+ v(bool, objectsAreImmortal, false) \
+ v(bool, showHeapStatistics, false)
class Options {