Commit ef64c522 authored by Alberto Garcia

Imported Upstream version 2.4.2

parent 7cc0e383
2014-04-14 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Update NEWS and Versions.m4 for 2.4.1 release.
* Source/autotools/Versions.m4: Bump version numbers.
2014-03-24 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Update NEWS and Versions.m4 for 2.4.0 release.
......
......@@ -14,7 +14,7 @@
<div class="titlepage">
<div>
<div><table class="navigation" id="top" width="100%" cellpadding="2" cellspacing="0"><tr><th valign="middle"><p class="title">WebKit2GTK+ Reference Manual</p></th></tr></table></div>
<div><p class="releaseinfo">for WebKit2GTK+ 2.4.1</p></div>
<div><p class="releaseinfo">for WebKit2GTK+ 2.4.2</p></div>
</div>
<hr>
</div>
......
......@@ -172,7 +172,7 @@ against at application run time.</p>
<hr>
<div class="refsect2">
<a name="WEBKIT-MICRO-VERSION:CAPS"></a><h3>WEBKIT_MICRO_VERSION</h3>
<pre class="programlisting">#define WEBKIT_MICRO_VERSION (1)
<pre class="programlisting">#define WEBKIT_MICRO_VERSION (2)
</pre>
<p>Like <a class="link" href="webkit2gtk-WebKitVersion.html#webkit-get-micro-version" title="webkit_get_micro_version ()"><code class="function">webkit_get_micro_version()</code></a>, but from the headers used at
application compile time, rather than from the library linked
......
......@@ -14,7 +14,7 @@
<div class="titlepage">
<div>
<div><table class="navigation" id="top" width="100%" cellpadding="2" cellspacing="0"><tr><th valign="middle"><p class="title">WebKitDOMGTK+ Reference Manual</p></th></tr></table></div>
<div><p class="releaseinfo">for WebKitDOMGTK+ 2.4.1</p></div>
<div><p class="releaseinfo">for WebKitDOMGTK+ 2.4.2</p></div>
</div>
<hr>
</div>
......
......@@ -14,7 +14,7 @@
<div class="titlepage">
<div>
<div><table class="navigation" id="top" width="100%" cellpadding="2" cellspacing="0"><tr><th valign="middle"><p class="title">WebKitGTK+ Reference Manual</p></th></tr></table></div>
<div><p class="releaseinfo">for WebKitGTK+ 2.4.1</p></div>
<div><p class="releaseinfo">for WebKitGTK+ 2.4.2</p></div>
</div>
<hr>
</div>
......
......@@ -7871,6 +7871,7 @@ am__libWebCoreSVG_la_SOURCES_DIST = \
Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGListProperty.h \
Source/WebCore/svg/properties/SVGListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGMatrixTearOff.h \
Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp \
Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGProperty.h \
......@@ -7880,7 +7881,6 @@ am__libWebCoreSVG_la_SOURCES_DIST = \
Source/WebCore/svg/properties/SVGPropertyTraits.h \
Source/WebCore/svg/properties/SVGStaticListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGStaticPropertyTearOff.h \
Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h \
Source/WebCore/svg/properties/SVGTransformListPropertyTearOff.h \
Source/WebCore/svg/RadialGradientAttributes.h \
Source/WebCore/svg/SVGAElement.cpp \
......@@ -16859,6 +16859,7 @@ webcore_svg_sources := \
Source/WebCore/svg/properties/SVGAnimatedTransformListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGListProperty.h \
Source/WebCore/svg/properties/SVGListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGMatrixTearOff.h \
Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.cpp \
Source/WebCore/svg/properties/SVGPathSegListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGProperty.h \
......@@ -16868,7 +16869,6 @@ webcore_svg_sources := \
Source/WebCore/svg/properties/SVGPropertyTraits.h \
Source/WebCore/svg/properties/SVGStaticListPropertyTearOff.h \
Source/WebCore/svg/properties/SVGStaticPropertyTearOff.h \
Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h \
Source/WebCore/svg/properties/SVGTransformListPropertyTearOff.h \
Source/WebCore/svg/RadialGradientAttributes.h \
Source/WebCore/svg/SVGAElement.cpp \
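Review bot: both lists touched here (`am__libWebCoreSVG_la_SOURCES_DIST` and the expanded `webcore_svg_sources`) are automake-generated output in GNUmakefile.in, so the SVGMatrixTearOff.h / SVGStaticPropertyWithParentTearOff.h swap must also be present in the hand-maintained source list from which they are regenerated, otherwise the next autoreconf undoes it and the build fails on the missing header. Nothing else in this import shows the WebCore change that replaced the header, so confirm the new file is actually in the tarball before relying on this hunk.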
=================
WebKitGTK+ 2.4.2
=================
What's new in WebKitGTK+ 2.4.2?
- Correctly handle TLS errors in case of a server redirection.
- Fix a crash when submitting a form.
- Fix several JavaScriptCore crashes when browsing facebook.
- Fix a crash when closing a page with windowed plugins.
- Fix a crash after getting web view context property with g_object_get.
- Fix a new[] delete[] mismatch in SocketStreamHandleSoup.
=================
WebKitGTK+ 2.4.1
=================
......
2014-05-09 Alberto Garcia <berto@igalia.com>
jsmin.py license header confusing, mentions non-free license
https://bugs.webkit.org/show_bug.cgi?id=123665
Reviewed by Darin Adler.
Pull the most recent version from upstream, which has a clear
license.
* inspector/scripts/jsmin.py:
2014-04-19 Filip Pizlo <fpizlo@apple.com>
Make it easier to check if an integer sum would overflow
https://bugs.webkit.org/show_bug.cgi?id=131900
Reviewed by Darin Adler.
* dfg/DFGOperations.cpp:
* runtime/Operations.h:
(JSC::jsString):
2014-04-19 Filip Pizlo <fpizlo@apple.com>
Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
* dfg/DFGOperations.cpp:
* runtime/JSString.h:
(JSC::JSRopeString::RopeBuilder::append):
2014-04-15 Filip Pizlo <fpizlo@apple.com>
compileMakeRope does not emit necessary bounds checks
https://bugs.webkit.org/show_bug.cgi?id=130684
<rdar://problem/16398388>
Reviewed by Oliver Hunt.
Add string length bounds checks in a bunch of places. We should never allow a string
to have a length greater than 2^31-1 because it's not clear that the language has
semantics for it and because there is code that assumes that this cannot happen.
Also add a bunch of tests to that effect to cover the various ways in which this was
previously allowed to happen.
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMakeRope):
* runtime/JSString.cpp:
(JSC::JSRopeString::RopeBuilder::expand):
* runtime/JSString.h:
(JSC::JSString::create):
(JSC::JSRopeString::RopeBuilder::append):
(JSC::JSRopeString::RopeBuilder::release):
(JSC::JSRopeString::append):
* runtime/Operations.h:
(JSC::jsString):
(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
* tests/stress/make-large-string-jit-strcat.js: Added.
(foo):
* tests/stress/make-large-string-jit.js: Added.
(foo):
* tests/stress/make-large-string-strcat.js: Added.
* tests/stress/make-large-string.js: Added.
2014-03-12 Mark Lam <mark.lam@apple.com>
 
Update type of local vars to match the type of String length.
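Review bot: the 2014-04-19 entry for bug 131900 ("Make it easier to check if an integer sum would overflow") lists only dfg/DFGOperations.cpp and runtime/Operations.h, yet the DFGOperations hunk further down calls a `sumOverflows<int32_t>(...)` template that neither of those files defines. The import should carry the matching WTF header change and its ChangeLog entry for that helper, otherwise a reviewer of this branch cannot see where the overflow check comes from or what its semantics are.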
......@@ -7880,44 +7954,6 @@
(JSC::SymbolTable::SymbolTable):
* runtime/SymbolTable.h:
 
2013-11-27 Filip Pizlo <fpizlo@apple.com>
Finally fix some obvious Bartlett bugs
https://bugs.webkit.org/show_bug.cgi?id=124951
Reviewed by Mark Hahnenberg.
Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:
- GC.
- At beginning of OSR entry.
- Just as we finish preparing OSR entry. This clears those slots on the stack that
could have been live in baseline but that are known to be dead in DFG.
This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
for a long enough interval. It appears to fix all instances of the dreaded exponential
heap growth that splay gets into when some stale pointer stays around.
This doesn't have much of an effect on real-world programs. This bug has only ever
manifested in splay and for that reason we thus far opted against fixing it. But splay
is, for what it's worth, the premiere GC stress test in JavaScript - so making sure we
can run it without pathologies - even when you tweak its configuration - is probably
fairly important.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
* heap/Heap.cpp:
(JSC::Heap::markRoots):
* interpreter/JSStack.cpp:
(JSC::JSStack::JSStack):
(JSC::JSStack::sanitizeStack):
* interpreter/JSStack.h:
2013-11-26 Filip Pizlo <fpizlo@apple.com>
 
Do bytecode validation as part of testing
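Review bot: this hunk deletes the 2013-11-27 entry for bug 124951 (zeroing dead stack slots at GC and at OSR entry) instead of adding a "rolling out" entry that explains the revert, so the only record of why the sanitization was dropped on the 2.4 branch is the NEWS line "Fix several JavaScriptCore crashes when browsing facebook". Add an entry naming the revision being rolled out and the crash it caused; the deleted text also documents a trade-off that now comes back (stale-pointer heap growth on splay), and that should stay on the record rather than disappear with the entry.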
......
......@@ -751,6 +751,11 @@ public:
return Jump(m_assembler.jmp(ARMCondition(cond)));
}
Jump branchAdd32(ResultCondition cond, Address src, RegisterID dest)
{
load32(src, ARMRegisters::S0);
return branchAdd32(cond, dest, ARMRegisters::S0, dest);
}
void mull32(RegisterID op1, RegisterID op2, RegisterID dest)
{
if (op2 == dest) {
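Review bot: the new `branchAdd32(ResultCondition, Address, RegisterID)` overload uses `ARMRegisters::S0` as an implicit scratch register, so a caller holding a live value in S0 across the call gets it clobbered; a one-line comment stating that would help, since the caller added in this import (compileMakeRope's Overflow check on the accumulated string length) passes its accumulator as `dest` and has no other visibility into the scratch use. Also confirm that every backend the GTK+ port can be built with gains this overload; three are covered by the hunks here, and a backend without it turns the new SpeculativeJIT call into a compile error.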
......
......@@ -1809,6 +1809,12 @@ public:
return branchAdd32(cond, op1, dataTempRegister, dest);
}
Jump branchAdd32(ResultCondition cond, Address src, RegisterID dest)
{
load32(src, getCachedDataTempRegisterIDAndInvalidate());
return branchAdd32(cond, dest, dataTempRegister, dest);
}
Jump branchAdd32(ResultCondition cond, RegisterID src, RegisterID dest)
{
return branchAdd32(cond, dest, src, dest);
......
......@@ -1480,6 +1480,12 @@ public:
return branchAdd32(cond, dest, src, dest);
}
Jump branchAdd32(ResultCondition cond, Address src, RegisterID dest)
{
load32(src, dataTempRegister);
return branchAdd32(cond, dest, dataTempRegister, dest);
}
Jump branchAdd32(ResultCondition cond, TrustedImm32 imm, RegisterID dest)
{
return branchAdd32(cond, dest, imm, dest);
......
......@@ -270,8 +270,6 @@ public:
entry->m_expectedValues.local(local).makeHeapTop();
else {
VariableAccessData* variable = node->variableAccessData();
entry->m_machineStackUsed.set(variable->machineLocal().toLocal());
switch (variable->flushFormat()) {
case FlushedDouble:
entry->m_localsForcedDouble.set(local);
......
......@@ -52,9 +52,6 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
}
VM* vm = &exec->vm();
vm->interpreter->stack().sanitizeStack();
if (codeBlock->jitType() != JITCode::DFGJIT) {
RELEASE_ASSERT(codeBlock->jitType() == JITCode::FTLJIT);
......@@ -184,8 +181,7 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
// it seems silly: you'd be diverting the program to error handling when it
// would have otherwise just kept running albeit less quickly.
unsigned frameSize = jitCode->common.requiredRegisterCountForExecutionAndExit();
if (!vm->interpreter->stack().grow(&exec->registers()[virtualRegisterForLocal(frameSize).offset()])) {
if (!vm->interpreter->stack().grow(&exec->registers()[virtualRegisterForLocal(jitCode->common.requiredRegisterCountForExecutionAndExit()).offset()])) {
if (Options::verboseOSR())
dataLogF(" OSR failed because stack growth failed.\n");
return 0;
......@@ -211,20 +207,11 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
for (unsigned i = entry->m_reshufflings.size(); i--;)
registers[entry->m_reshufflings[i].toOffset] = temporaryLocals[i];
// 5) Clear those parts of the call frame that the DFG ain't using. This helps GC on some
// programs by eliminating some stale pointer pathologies.
for (unsigned i = frameSize; i--;) {
if (entry->m_machineStackUsed.get(i))
continue;
registers[virtualRegisterForLocal(i).offset()] = JSValue::encode(JSValue());
}
// 6) Fix the call frame.
// 5) Fix the call frame.
exec->setCodeBlock(codeBlock);
// 7) Find and return the destination machine code address.
// 6) Find and return the destination machine code address.
void* result = codeBlock->jitCode()->executableAddressAtOffset(entry->m_machineCodeOffset);
......
......@@ -59,7 +59,6 @@ struct OSREntryData {
BitVector m_localsForcedDouble;
BitVector m_localsForcedMachineInt;
Vector<OSREntryReshuffling> m_reshufflings;
BitVector m_machineStackUsed;
};
inline unsigned getOSREntryDataBytecodeIndex(OSREntryData* osrEntryData)
......
......@@ -967,6 +967,11 @@ JSCell* JIT_OPERATION operationMakeRope2(ExecState* exec, JSString* left, JSStri
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
if (sumOverflows<int32_t>(left->length(), right->length())) {
throwOutOfMemoryError(exec);
return nullptr;
}
return JSRopeString::create(vm, left, right);
}
......@@ -975,6 +980,11 @@ JSCell* JIT_OPERATION operationMakeRope3(ExecState* exec, JSString* a, JSString*
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
if (sumOverflows<int32_t>(a->length(), b->length(), c->length())) {
throwOutOfMemoryError(exec);
return nullptr;
}
return JSRopeString::create(vm, a, b, c);
}
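Review bot: returning `nullptr` after `throwOutOfMemoryError(exec)` is new behaviour for operationMakeRope2/3, so the DFG and FTL call sites must follow the call with an exception check before the result is stored, otherwise a null JSCell* is written as the rope and dereferenced later; the hunks shown here do not include that check. Checking `sumOverflows<int32_t>` on lengths that are stored as unsigned is deliberate (the invariant being enforced is length <= 2^31-1, per the 130684 ChangeLog entry), but a short comment saying so would stop a later reader from "fixing" the template argument to uint32_t and silently widening the allowed range.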
......
......@@ -2738,12 +2738,28 @@ void SpeculativeJIT::compileMakeRope(Node* node)
m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, JSRopeString::offsetOfFibers() + sizeof(WriteBarrier<JSString>) * i));
m_jit.load32(JITCompiler::Address(opGPRs[0], JSString::offsetOfFlags()), scratchGPR);
m_jit.load32(JITCompiler::Address(opGPRs[0], JSString::offsetOfLength()), allocatorGPR);
if (!ASSERT_DISABLED) {
JITCompiler::Jump ok = m_jit.branch32(
JITCompiler::GreaterThanOrEqual, allocatorGPR, TrustedImm32(0));
m_jit.breakpoint();
ok.link(&m_jit);
}
for (unsigned i = 1; i < numOpGPRs; ++i) {
m_jit.and32(JITCompiler::Address(opGPRs[i], JSString::offsetOfFlags()), scratchGPR);
m_jit.add32(JITCompiler::Address(opGPRs[i], JSString::offsetOfLength()), allocatorGPR);
speculationCheck(
Uncountable, JSValueSource(), nullptr,
m_jit.branchAdd32(
JITCompiler::Overflow,
JITCompiler::Address(opGPRs[i], JSString::offsetOfLength()), allocatorGPR));
}
m_jit.and32(JITCompiler::TrustedImm32(JSString::Is8Bit), scratchGPR);
m_jit.store32(scratchGPR, JITCompiler::Address(resultGPR, JSString::offsetOfFlags()));
if (!ASSERT_DISABLED) {
JITCompiler::Jump ok = m_jit.branch32(
JITCompiler::GreaterThanOrEqual, allocatorGPR, TrustedImm32(0));
m_jit.breakpoint();
ok.link(&m_jit);
}
m_jit.store32(allocatorGPR, JITCompiler::Address(resultGPR, JSString::offsetOfLength()));
switch (numOpGPRs) {
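Review bot: the second `!ASSERT_DISABLED` block (branch32 GreaterThanOrEqual on allocatorGPR followed by breakpoint, placed just before the length store) is now redundant: the first block asserts the initial length is non-negative and the `branchAdd32(Overflow, ...)` speculation check inside the loop exits before any addition can wrap, so the sum cannot be negative at that point. It is harmless in release builds but misleading; either drop it or comment that it documents the post-condition. The exit being `Uncountable` with an empty `JSValueSource` is the right choice here, because the baseline path will throw the same out-of-memory error and counting these exits toward reoptimization would gain nothing, and that reasoning is worth a comment beside the speculationCheck.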
......
......@@ -467,7 +467,6 @@ void Heap::markRoots()
{
GCPHASE(GatherStackRoots);
stack().gatherConservativeRoots(stackRoots, m_jitStubRoutines, m_codeBlocks);
stack().sanitizeStack();
}
#if ENABLE(DFG_JIT)
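Review bot: with this call removed and the one in prepareOSREntry also gone, `JSStack::sanitizeStack()` has no remaining caller; either remove the method and its declaration in interpreter/JSStack.h as part of the revert or state why it is kept, since a dead zeroing routine in the stack class invites someone to re-add a call without the OSR-entry bookkeeping (`m_machineStackUsed`) that this import also deletes.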
......
#!/usr/bin/python
# This code is original from jsmin by Douglas Crockford, it was translated to
# Python by Baruch Even. The original code had the following copyright and
# license.
#
# /* jsmin.c
# 2007-05-22
# Python by Baruch Even. It was rewritten by Dave St.Germain for speed.
#
# Copyright (c) 2002 Douglas Crockford (www.crockford.com)
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is furnished to do
# so, subject to the following conditions:
# Copyright (c) 2013 Dave St.Germain
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The Software shall be used for Good, not Evil.
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# */
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# Import StringIO from either the StringIO module (Python 2.x) or the io module (Python 3.x).
try:
from StringIO import StringIO
except ImportError:
from io import StringIO
def jsmin(js):
ins = StringIO(js)
outs = StringIO()
JavascriptMinify().minify(ins, outs)
str = outs.getvalue()
if len(str) > 0 and str[0] == '\n':
str = str[1:]
return str
def isAlphanum(c):
"""return true if the character is a letter, digit, underscore,
dollar sign, or non-ASCII character.
"""
return ((c >= 'a' and c <= 'z') or (c >= '0' and c <= '9') or
(c >= 'A' and c <= 'Z') or c == '_' or c == '$' or c == '\\' or (c is not None and ord(c) > 126));
import sys
is_3 = sys.version_info >= (3, 0)
if is_3:
import io
else:
import StringIO
try:
import cStringIO
except ImportError:
cStringIO = None
class UnterminatedComment(Exception):
pass
__all__ = ['jsmin', 'JavascriptMinify']
__version__ = '2.0.9'
class UnterminatedStringLiteral(Exception):
pass
class UnterminatedRegularExpression(Exception):
pass
def jsmin(js):
"""
returns a minified version of the javascript string
"""
if not is_3:
if cStringIO and not isinstance(js, unicode):
# strings can use cStringIO for a 3x performance
# improvement, but unicode (in python2) cannot
klass = cStringIO.StringIO
else:
klass = StringIO.StringIO
else:
klass = io.StringIO
ins = klass(js)
outs = klass()
JavascriptMinify(ins, outs).minify()
return outs.getvalue()
class JavascriptMinify(object):
"""
Minify an input stream of javascript, writing
to an output stream
"""
def _outA(self):
self.outstream.write(self.theA)
def _outB(self):
self.outstream.write(self.theB)
def _get(self):
"""return the next character from stdin. Watch out for lookahead. If
the character is a control character, translate it to a space or
linefeed.
"""
c = self.theLookahead
self.theLookahead = None
if c == None:
c = self.instream.read(1)
if c >= ' ' or c == '\n':
return c
if c == '': # EOF
return '\000'
if c == '\r':
return '\n'
return ' '
def _peek(self):
self.theLookahead = self._get()
return self.theLookahead
def _next(self):
"""get the next character, excluding comments. peek() is used to see
if an unescaped '/' is followed by a '/' or '*'.
"""
c = self._get()
if c == '/' and self.theA != '\\':
p = self._peek()
if p == '/':
c = self._get()
while c > '\n':
c = self._get()
return c
if p == '*':
c = self._get()
while 1:
c = self._get()
if c == '*':
if self._peek() == '/':
self._get()
return ' '
if c == '\000':
raise UnterminatedComment()
return c
def _action(self, action):
"""do something! What you do is determined by the argument:
1 Output A. Copy B to A. Get the next B.
2 Copy B to A. Get the next B. (Delete A).
3 Get the next B. (Delete B).
action treats a string as a single character. Wow!
action recognizes a regular expression if it is preceded by ( or , or =.
"""
if action <= 1:
self._outA()
if action <= 2:
self.theA = self.theB
if self.theA == "'" or self.theA == '"':
while 1:
self._outA()
self.theA = self._get()
if self.theA == self.theB:
break
if self.theA <= '\n':
raise UnterminatedStringLiteral()
if self.theA == '\\':
self._outA()
self.theA = self._get()
if action <= 3:
self.theB = self._next()
if self.theB == '/' and (self.theA == '(' or self.theA == ',' or
self.theA == '=' or self.theA == ':' or
self.theA == '[' or self.theA == '?' or
self.theA == '!' or self.theA == '&' or
self.theA == '|' or self.theA == ';' or
self.theA == '{' or self.theA == '}' or
self.theA == '\n'):
self._outA()
self._outB()
while 1:
self.theA = self._get()
if self.theA == '/':
break
elif self.theA == '\\':
self._outA()
self.theA = self._get()
elif self.theA <= '\n':
raise UnterminatedRegularExpression()
self._outA()
self.theB = self._next()
def _jsmin(self):
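Review bot: the new header drops the `Copyright (c) 2002 Douglas Crockford` line along with the "The Software shall be used for Good, not Evil" clause; removing the clause is the point of bug 123665, but the only attribution to Crockford that survives is the first sentence ("This code is original from jsmin by Douglas Crockford"), so check that this is exactly what upstream jsmin 2.0.9 ships and that the package's copyright and licensing records are updated to match. Two points on the imported code itself: `if c == None:` in `_get` should read `if c is None:`, and the module now raises UnterminatedComment, UnterminatedStringLiteral and UnterminatedRegularExpression on malformed input, so the inspector build step that calls `jsmin()` needs to handle those exceptions explicitly rather than assume the call always returns a string.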