From 2d39b0e377c0896910ee49ae70082ba665faf986 Mon Sep 17 00:00:00 2001
From: Apple
Date: Mon, 27 Jul 2015 22:07:12 +0000
Subject: [PATCH] JavaScriptCore-7600.1.4.17.5.tar.gz
---
 ChangeLog | 47 ++++++++++++++++
 Configurations/Version.xcconfig | 4 +-
 runtime/JSObject.cpp | 9 +--
 .../sparse-array-entry-update-144067.js | 56 +++++++++++++++++++
 4 files changed, 110 insertions(+), 6 deletions(-)
 create mode 100644 tests/stress/sparse-array-entry-update-144067.js
diff --git a/ChangeLog b/ChangeLog
index 097cfa1..8abbeb7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,50 @@
+2015-07-27 Babak Shafiei
+
+ Roll out r182829.
+
+2015-07-08 Matthew Hanson
+
+ Merge r183128. rdar://problem/21716620
+
+ 2015-04-22 Mark Lam
+
+ SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
+ https://bugs.webkit.org/show_bug.cgi?id=144067
+
+ Reviewed by Michael Saboff.
+
+ Currently, there are a few places where the JSObject that owns the
+ SparseArrayValueMap is designated as the owner of the SparseArrayEntry
+ write barrier. This is a bug and can result in the GC collecting the
+ SparseArrayEntry even though it is being referenced by the
+ SparseArrayValueMap. This patch fixes the bug.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+ (JSC::JSObject::putIndexedDescriptor):
+ * tests/stress/sparse-array-entry-update-144067.js: Added.
+ (useMemoryToTriggerGCs):
+ (foo):
+
+2015-07-08 Matthew Hanson
+
+ Merge r182829. rdar://problem/21716511
+
+ 2015-04-14 Chris Dumez
+
+ Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+ https://bugs.webkit.org/show_bug.cgi?id=143745
+
+
+ Reviewed by Joseph Pecoraro.
+
+ Add assertion in ContentSearchUtilities::findMagicComment() to make
+ sure the content String is not null or we would crash in
+ JSC::Yarr::interpret() later.
+
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::findMagicComment):
+
 2015-03-06 Lucas Forschler
 
 Merge r180234
diff --git a/Configurations/Version.xcconfig b/Configurations/Version.xcconfig
index 7c01e68..985194f 100644
--- a/Configurations/Version.xcconfig
+++ b/Configurations/Version.xcconfig
@@ -24,8 +24,8 @@
 MAJOR_VERSION = 600;
 MINOR_VERSION = 1;
 TINY_VERSION = 4;
-MICRO_VERSION = 16;
-NANO_VERSION = 1;
+MICRO_VERSION = 17;
+NANO_VERSION = 5;
 FULL_VERSION = $(MAJOR_VERSION).$(MINOR_VERSION).$(TINY_VERSION).$(MICRO_VERSION).$(NANO_VERSION);
 
 // The bundle version and short version string are set based on the current build configuration, see below.
diff --git a/runtime/JSObject.cpp b/runtime/JSObject.cpp
index 4bd6a6e..ebb718c 100644
--- a/runtime/JSObject.cpp
+++ b/runtime/JSObject.cpp
@@ -555,7 +555,7 @@ ArrayStorage* JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists
 // This will always be a new entry in the map, so no need to check we can write,
 // and attributes are default so no need to set them.
 if (value)
- map->add(this, i).iterator->value.set(vm, this, value);
+ map->add(this, i).iterator->value.set(vm, map, value);
 }
 
 DeferGC deferGC(vm.heap);
@@ -1693,12 +1693,13 @@ NEVER_INLINE void JSObject::fillGetterPropertySlot(PropertySlot& slot, JSValue g
 void JSObject::putIndexedDescriptor(ExecState* exec, SparseArrayEntry* entryInMap, const PropertyDescriptor& descriptor, PropertyDescriptor& oldDescriptor)
 {
 VM& vm = exec->vm();
+ auto map = m_butterfly->arrayStorage()->m_sparseMap.get();
 
 if (descriptor.isDataDescriptor()) {
 if (descriptor.value())
- entryInMap->set(vm, this, descriptor.value());
+ entryInMap->set(vm, map, descriptor.value());
 else if (oldDescriptor.isAccessorDescriptor())
- entryInMap->set(vm, this, jsUndefined());
+ entryInMap->set(vm, map, jsUndefined());
 entryInMap->attributes = descriptor.attributesOverridingCurrent(oldDescriptor) & ~Accessor;
 return;
 }
@@ -1721,7 +1722,7 @@ void JSObject::putIndexedDescriptor(ExecState* exec, SparseArrayEntry* entryInMa
 if (setter)
 accessor->setSetter(vm, setter);
 
- entryInMap->set(vm, this, accessor);
+ entryInMap->set(vm, map, accessor);
 entryInMap->attributes = descriptor.attributesOverridingCurrent(oldDescriptor) & ~ReadOnly;
 return;
 }
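Review bot: The new `map` local at the top of putIndexedDescriptor (second JSObject.cpp hunk) is read from `m_butterfly->arrayStorage()->m_sparseMap.get()` with no check that it is non-null or that `entryInMap` actually lives in that map, so the three `entryInMap->set(vm, map, ...)` calls rest on an unstated precondition; an `ASSERT(map);` directly after the new line would make it explicit. The reason for switching the owner is also invisible in the code, and the old `this` looked plausible enough that it could be reintroduced in a later edit; a comment on the new line such as `// The SparseArrayValueMap, not this JSObject, holds the entry, so it must be the write barrier owner or the GC can free a value the map still references.` would guard against that. The same owner change appears in the first hunk in enterDictionaryIndexingModeWhenArrayStorageAlreadyExists and in the third hunk; both functions start or continue outside their hunks.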
diff --git a/tests/stress/sparse-array-entry-update-144067.js b/tests/stress/sparse-array-entry-update-144067.js
new file mode 100644
index 0000000..24cea7c
--- /dev/null
+++ b/tests/stress/sparse-array-entry-update-144067.js
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=144067.
+// This test aims to continually override the setter in a sparse array object, and
+// trigger GCs to give it a chance to collect the newly set entry value if the bug exists.
+// With the bug fixed, this test should not crash.
+
+var data = {};
+var sparseObj = {};
+
+for (var i = 0; i < 5; i++)
+ sparseObj[i] = i;
+
+function useMemoryToTriggerGCs() {
+ var arr = [];
+ var limit = DFGTrue() ? 10000 : 100;
+ for (var i = 0; i < limit; i++)
+ arr[i] = { a: "using" + i, b: "up" + i, c: "memory" + i };
+ return arr;
+}
+
+function foo(x) {
+ if (!x)
+ return;
+ data.textContent = sparseObj.__defineSetter__("16384", foo);
+ for (var i = 0; i < 10; i++)
+ sparseObj.__defineSetter__("" + (16384 + i), foo);
+ useMemoryToTriggerGCs();
+ sparseObj[16384] = x - 1;
+}
+
+var recursionDepthNeededToTriggerTheFailure = 100;
+foo(recursionDepthNeededToTriggerTheFailure);
-- 
2.45.2
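Review bot: In foo, `data.textContent = sparseObj.__defineSetter__("16384", foo);` stores the return value of __defineSetter__ (undefined) into a property that is never read anywhere in the test, so its purpose is not visible; if it is meant to keep something reachable, a comment saying so would help, otherwise the line can be reduced to `sparseObj.__defineSetter__("16384", foo);`. The test's only pass condition is "does not crash" (as the header comment states), which presumably requires a collection to actually happen inside useMemoryToTriggerGCs during the recursion; a one-line comment on `var limit = DFGTrue() ? 10000 : 100;` explaining why the two tier-dependent sizes were chosen would make that intent durable for whoever tunes it next.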