Title: [243576] branches/safari-607-branch
Revision: 243576
Author: alanc...@apple.com
Date: 2019-03-27 16:43:48 -0700 (Wed, 27 Mar 2019)

Log Message

Cherry-pick r243069. rdar://problem/49308056

    Structure::flattenDictionary() should clear unused property slots.
    https://bugs.webkit.org/show_bug.cgi?id=195871
    <rdar://problem/48959497>

    Reviewed by Michael Saboff.

    JSTests:

    * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

    Source/_javascript_Core:

    It currently attempts to do this but fails because it's actually clearing up the
    preCapacity region instead.  The fix is simply to account for the preCapacity
    when computing the start address of the property slots.

    * runtime/Structure.cpp:
    (JSC::Structure::flattenDictionaryStructure):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243069 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-607-branch/JSTests/ChangeLog (243575 => 243576)


--- branches/safari-607-branch/JSTests/ChangeLog	2019-03-27 23:43:46 UTC (rev 243575)
+++ branches/safari-607-branch/JSTests/ChangeLog	2019-03-27 23:43:48 UTC (rev 243576)
@@ -1,5 +1,42 @@
 2019-03-27  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r243069. rdar://problem/49308056
+
+    Structure::flattenDictionary() should clear unused property slots.
+    https://bugs.webkit.org/show_bug.cgi?id=195871
+    <rdar://problem/48959497>
+    
+    Reviewed by Michael Saboff.
+    
+    JSTests:
+    
+    * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+    
+    Source/_javascript_Core:
+    
+    It currently attempts to do this but fails because it's actually clearing up the
+    preCapacity region instead.  The fix is simply to account for the preCapacity
+    when computing the start address of the property slots.
+    
+    * runtime/Structure.cpp:
+    (JSC::Structure::flattenDictionaryStructure):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243069 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-03-18  Mark Lam  <mark....@apple.com>
+
+            Structure::flattenDictionary() should clear unused property slots.
+            https://bugs.webkit.org/show_bug.cgi?id=195871
+            <rdar://problem/48959497>
+
+            Reviewed by Michael Saboff.
+
+            * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+
+2019-03-27  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r242838. rdar://problem/49307991
 
     REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
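Review bot: the cherry-picked entry carries trailing whitespace on its separator lines (the `+    ` lines following `<rdar://problem/48959497>`), which should be stripped before landing. The indentation is uneven as well: the `Cherry-pick r243069.` line sits at eight spaces, the body under it at four, and the nested `2019-03-18  Mark Lam` entry a further four in; the `Cherry-pick r242838.` entry just below uses the same layout, so it matches branch convention, but the copied body also repeats the `Source/_javascript_Core:` section inside the JSTests ChangeLog, and trimming it to the `JSTests:` part would keep this entry focused on the test that was added.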

Added: branches/safari-607-branch/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js (0 => 243576)


--- branches/safari-607-branch/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js	                        (rev 0)
+++ branches/safari-607-branch/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js	2019-03-27 23:43:48 UTC (rev 243576)
@@ -0,0 +1,11 @@
+// This test should not crash.
+
+var arr = [];
+arr.x = 0;
+arr.y = 0;
+delete arr["x"];
+
+for (var i = 0; i < 2; ++i)
+    arr.unshift(i);
+
+arr.z = 42;
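Review bot: the test only states that it "should not crash" and asserts nothing, so a regression that leaves stale slot contents without crashing would still pass. Consider checking the observable state after the sequence, e.g. `if (arr.y !== 0 || arr.z !== 42 || 'x' in arr) throw new Error("unexpected property state");`, and adding a comment on why each step is present: the `delete` leaves an unused out-of-line property slot behind, the `unshift` loop is presumably what gives the butterfly a non-zero preCapacity (the region the old code cleared by mistake, per the ChangeLog), and `arr.z = 42` is the write that triggers the flattening being exercised.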

Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (243575 => 243576)


--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2019-03-27 23:43:46 UTC (rev 243575)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog	2019-03-27 23:43:48 UTC (rev 243576)
@@ -1,5 +1,47 @@
 2019-03-27  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r243069. rdar://problem/49308056
+
+    Structure::flattenDictionary() should clear unused property slots.
+    https://bugs.webkit.org/show_bug.cgi?id=195871
+    <rdar://problem/48959497>
+    
+    Reviewed by Michael Saboff.
+    
+    JSTests:
+    
+    * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+    
+    Source/_javascript_Core:
+    
+    It currently attempts to do this but fails because it's actually clearing up the
+    preCapacity region instead.  The fix is simply to account for the preCapacity
+    when computing the start address of the property slots.
+    
+    * runtime/Structure.cpp:
+    (JSC::Structure::flattenDictionaryStructure):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243069 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-03-18  Mark Lam  <mark....@apple.com>
+
+            Structure::flattenDictionary() should clear unused property slots.
+            https://bugs.webkit.org/show_bug.cgi?id=195871
+            <rdar://problem/48959497>
+
+            Reviewed by Michael Saboff.
+
+            It currently attempts to do this but fails because it's actually clearing up the
+            preCapacity region instead.  The fix is simply to account for the preCapacity
+            when computing the start address of the property slots.
+
+            * runtime/Structure.cpp:
+            (JSC::Structure::flattenDictionaryStructure):
+
+2019-03-27  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r242838. rdar://problem/49307991
 
     REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes

Modified: branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.cpp (243575 => 243576)


--- branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.cpp	2019-03-27 23:43:46 UTC (rev 243575)
+++ branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.cpp	2019-03-27 23:43:48 UTC (rev 243576)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -777,10 +777,10 @@
             (inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
 
         Butterfly* butterfly = object->butterfly();
-        memset(
-            butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
-            0,
-            (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+        size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
+        void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
+        void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
+        memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
     }
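Review bot: the corrected pointer arithmetic is right per the ChangeLog (the property slots begin after the preCapacity region, so `base` must be advanced by `preCapacity` slots), but nothing in the hunk says so; a one-line comment on the butterfly layout above `startOfPropertyStorageSlots` would stop a later reader from "simplifying" it back to the original bug. Two smaller points: `static_cast<EncodedJSValue*>(base)` is the conventional cast from `void*` and `reinterpret_cast` is not needed here; and the length `(beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue)` is an unsigned subtraction, so an `ASSERT(beforeOutOfLineCapacity >= outOfLineSize());` before the `memset` would surface an underflow as a debug failure rather than an out-of-bounds zeroing. The same applies to the inline `memset` in the context lines above, whose length is `(inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue)`.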
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
