authoroliver@apple.com <oliver@apple.com@bbb929c8-8fbe-4397-9dbb-9b2b20218538>2011-08-30 19:13:33 +0000
committeroliver@apple.com <oliver@apple.com@bbb929c8-8fbe-4397-9dbb-9b2b20218538>2011-08-30 19:13:33 +0000
commite2d1acd61cf3e0b80bca459a8b1103177cac112c (patch)
tree34e452b6a92375f962b8d642dbbdc0b106687052
parent2859f9f358595d560e42cdae36034bc7cebf804e (diff)
TypedArrays don't ensure that denormalised values are normalised
https://bugs.webkit.org/show_bug.cgi?id=67178 Reviewed by Gavin Barraclough. ../../../../Volumes/Data/git/WebKit/OpenSource/LayoutTests: Add test to ensure that we create a non-signalling NaN when reading a signalling NaN from a typed array. * fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt: * fast/canvas/webgl/webgl-array-invalid-ranges.html: ../../../../Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore: Add a couple of assertions to jsNumber() to ensure that we block signalling NaNs * runtime/JSValue.h: (JSC::jsDoubleNumber): (JSC::jsNumber): ../../../../Volumes/Data/git/WebKit/OpenSource/Source/WebCore: Ensure that we convert signalling NaNs to silent NaNs when loading from a typed array. * bindings/scripts/CodeGeneratorJS.pm: (GenerateImplementation): git-svn-id: svn://svn.chromium.org/blink/trunk@94095 bbb929c8-8fbe-4397-9dbb-9b2b20218538
-rw-r--r--third_party/WebKit/LayoutTests/ChangeLog13
-rw-r--r--third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt1
-rw-r--r--third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges.html8
-rw-r--r--third_party/WebKit/Source/JavaScriptCore/ChangeLog14
-rw-r--r--third_party/WebKit/Source/JavaScriptCore/runtime/JSValue.h2
-rw-r--r--third_party/WebKit/Source/WebCore/ChangeLog13
-rw-r--r--third_party/WebKit/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm6
7 files changed, 56 insertions, 1 deletions
diff --git a/third_party/WebKit/LayoutTests/ChangeLog b/third_party/WebKit/LayoutTests/ChangeLog
index 0d0e830..b1f9e74 100644
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-08-29 Oliver Hunt <oliver@apple.com>
+
+ TypedArrays don't ensure that denormalised values are normalised
+ https://bugs.webkit.org/show_bug.cgi?id=67178
+
+ Reviewed by Gavin Barraclough.
+
+ Add test to ensure that we create a non-signalling nan when reading
+ a singaling nan from a typed array.
+
+ * fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt:
+ * fast/canvas/webgl/webgl-array-invalid-ranges.html:
+
2011-08-30 David Levin <levin@chromium.org>
[chromium] Update baselines after r94084 and r94088 and r93909.
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt b/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt
index cd6d27b..c314633 100644
--- a/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges-expected.txt
@@ -77,6 +77,7 @@ PASS array.subarray(4, -2147483648).length is 0
PASS Setting Float32Array from array with out-of-range offset was caught
PASS Setting Float32Array from fake array with invalid length was caught
PASS Setting Float32Array from Float32Array with out-of-range offset was caught
+PASS isNaN(floats[0]) is true
PASS successfullyParsed is true
TEST COMPLETE
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges.html b/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges.html
index 1642816..4d445a5 100644
--- a/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges.html
+++ b/third_party/WebKit/LayoutTests/fast/canvas/webgl/webgl-array-invalid-ranges.html
@@ -147,6 +147,14 @@ for (var i = 0; i < typeNames.length; i++) {
}
}
+buffer = new ArrayBuffer(40);
+ints = new Int32Array(buffer, 0, 10);
+floats = new Float32Array(buffer, 0, 10);
+// Plant a NaN into the buffer
+ints[0]=-0x7ffff;
+// Read the NaN out as a float
+shouldBeTrue("isNaN(floats[0])");
+
successfullyParsed = true;
</script>
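Review bot: The new case covers a single Float32Array read and asserts only `isNaN(floats[0])`, so it leaves Float64Array untested, even though there the stored bits are handed to the engine as a double with no widening step in between. The planted value `-0x7ffff` is stored as 0xFFF80001, which already has the top mantissa bit set, so on common hardware it is a quiet NaN with a non-zero payload rather than a signalling one. The comment would be more accurate as `// Plant a NaN with a non-canonical payload (0xFFF80001) into the buffer`. Consider repeating the check through a Float64Array view, and adding `shouldBe("typeof floats[0]", "'number'")` so that a value which comes back mis-typed fails the test explicitly rather than relying on isNaN's coercion.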
diff --git a/third_party/WebKit/Source/JavaScriptCore/ChangeLog b/third_party/WebKit/Source/JavaScriptCore/ChangeLog
index 285c911..5c3bbc2 100644
--- a/third_party/WebKit/Source/JavaScriptCore/ChangeLog
+++ b/third_party/WebKit/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2011-08-30 Oliver Hunt <oliver@apple.com>
+
+ TypedArrays don't ensure that denormalised values are normalised
+ https://bugs.webkit.org/show_bug.cgi?id=67178
+
+ Reviewed by Gavin Barraclough.
+
+ Add a couple of assertions to jsNumber() to ensure that
+ we block signaling NaNs
+
+ * runtime/JSValue.h:
+ (JSC::jsDoubleNumber):
+ (JSC::jsNumber):
+
2011-08-30 Ademar de Souza Reis Jr. <ademar.reis@openbossa.org>
[Qt] Do not unconditionally use pkg-config in .pro files
diff --git a/third_party/WebKit/Source/JavaScriptCore/runtime/JSValue.h b/third_party/WebKit/Source/JavaScriptCore/runtime/JSValue.h
index d985a63..61b6884 100644
--- a/third_party/WebKit/Source/JavaScriptCore/runtime/JSValue.h
+++ b/third_party/WebKit/Source/JavaScriptCore/runtime/JSValue.h
@@ -392,11 +392,13 @@ namespace JSC {
ALWAYS_INLINE JSValue jsDoubleNumber(double d)
{
+ ASSERT(JSValue(JSValue::EncodeAsDouble, d).isNumber());
return JSValue(JSValue::EncodeAsDouble, d);
}
ALWAYS_INLINE JSValue jsNumber(double d)
{
+ ASSERT(JSValue(d).isNumber());
return JSValue(d);
}
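Review bot: Both added checks are `ASSERT`s, which are normally compiled out of release builds, so `jsDoubleNumber()` and `jsNumber(double)` still encode whatever bit pattern they are handed in shipping code. The guarantee therefore rests on every caller that reads doubles from raw memory canonicalising NaNs first. That precondition should be stated at the functions, for example `// d must not be a NaN whose bits could be mistaken for a non-number encoding; callers reading raw memory must substitute the canonical NaN first.` Each assertion also constructs the JSValue a second time; building it once into a local and asserting on that would avoid the duplication. Both function bodies are complete in the hunk, but the enclosing `namespace JSC` is not.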
diff --git a/third_party/WebKit/Source/WebCore/ChangeLog b/third_party/WebKit/Source/WebCore/ChangeLog
index 0cac24d..0814bb2 100644
--- a/third_party/WebKit/Source/WebCore/ChangeLog
+++ b/third_party/WebKit/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-08-29 Oliver Hunt <oliver@apple.com>
+
+ TypedArrays don't ensure that denormalised values are normalised
+ https://bugs.webkit.org/show_bug.cgi?id=67178
+
+ Reviewed by Gavin Barraclough.
+
+ Ensure that we convert singaling nans to silent nans when loading
+ from a typed array.
+
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+
2011-08-29 Alexey Proskuryakov <ap@apple.com>
DumpRenderTree should begin each test with an empty cookie store
diff --git a/third_party/WebKit/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm b/third_party/WebKit/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
index deaa5f8..0c01fc7 100644
--- a/third_party/WebKit/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
+++ b/third_party/WebKit/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
@@ -2225,7 +2225,11 @@ sub GenerateImplementation
push(@implContent, "\nJSValue ${className}::getByIndex(ExecState*, unsigned index)\n");
push(@implContent, "{\n");
push(@implContent, " ASSERT_GC_OBJECT_INHERITS(this, &s_info);\n");
- push(@implContent, " return jsNumber(static_cast<$implClassName*>(impl())->item(index));\n");
+ push(@implContent, " double result = static_cast<$implClassName*>(impl())->item(index);\n");
+ # jsNumber conversion doesn't suppress signalling NaNs, so enforce that here.
+ push(@implContent, " if (isnan(result))\n");
+ push(@implContent, " return jsNaN();\n");
+ push(@implContent, " return JSValue(result);\n");
push(@implContent, "}\n\n");
if ($interfaceName eq "HTMLCollection" or $interfaceName eq "HTMLAllCollection") {
$implIncludes{"JSNode.h"} = 1;
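Review bot: The generated `return JSValue(result);` bypasses `jsNumber()`, so the assertion this commit adds to `jsNumber(double)` never runs on the typed-array path it was written for; the last emitted line could stay `push(@implContent, "    return jsNumber(result);\n");`. The comment speaks of signalling NaNs, while `isnan(result)` replaces every NaN. Replacing all of them is the safer behaviour, because any NaN read from buffer memory can carry arbitrary payload bits, so `# Values read from the buffer may be NaNs with arbitrary payloads; always return the canonical NaN.` would describe the code more accurately. Only `getByIndex` is changed here, so any other accessor that returns raw float or double storage to script would presumably need the same canonicalisation, which cannot be confirmed from this hunk. `GenerateImplementation` starts and ends outside the hunk.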