Title: [96354] trunk/Source/_javascript_Core
- Revision
- 96354
- Author
- [email protected]
- Date
- 2011-09-29 13:45:52 -0700 (Thu, 29 Sep 2011)
Log Message
Structure transitions involving many (> 64) properties sometimes cause structure corruption
https://bugs.webkit.org/show_bug.cgi?id=69102
Reviewed by Darin Adler.
Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
don't lead to the dictionary kind being forgotten.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/Structure.h:
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (96353 => 96354)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-29 20:31:41 UTC (rev 96353)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-29 20:45:52 UTC (rev 96354)
@@ -1,3 +1,17 @@
+2011-09-29 Filip Pizlo <[email protected]>
+
+ Structure transitions involving many (> 64) properties sometimes cause structure corruption
+ https://bugs.webkit.org/show_bug.cgi?id=69102
+
+ Reviewed by Darin Adler.
+
+ Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
+ don't lead to the dictionary kind being forgotten.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/Structure.h:
+
2011-09-29 Yuqiang Xian <[email protected]>
DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
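Review bot: the entry records no test for a fix whose title is "structure corruption"; only runtime/Structure.cpp and runtime/Structure.h are listed, so a regression test that drives a transition chain past the 64-property limit named in the title should be added or referenced here, otherwise the corruption can silently return with the next change to the transition code.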
Modified: trunk/Source/_javascript_Core/runtime/Structure.cpp (96353 => 96354)
--- trunk/Source/_javascript_Core/runtime/Structure.cpp 2011-09-29 20:31:41 UTC (rev 96353)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp 2011-09-29 20:45:52 UTC (rev 96354)
@@ -202,7 +202,7 @@
, m_classInfo(previous->m_classInfo)
, m_propertyStorageCapacity(previous->m_propertyStorageCapacity)
, m_offset(noOffset)
- , m_dictionaryKind(NoneDictionaryKind)
+ , m_dictionaryKind(previous->m_dictionaryKind)
, m_isPinnedPropertyTable(false)
, m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
, m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
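Review bot: m_dictionaryKind is now copied from previous while m_offset on the line above is still reset to noOffset; a one-line comment explaining why the dictionary kind must survive this transition (the "dictionary kind being forgotten" half of the log message) would help the next reader, because nothing in the surrounding initializer list shows that the old NoneDictionaryKind here was the cause.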
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (96353 => 96354)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2011-09-29 20:31:41 UTC (rev 96353)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2011-09-29 20:45:52 UTC (rev 96354)
@@ -237,9 +237,9 @@
bool isValid(ExecState*, StructureChain* cachedPrototypeChain) const;
- static const signed char s_maxTransitionLength = 64;
+ static const int s_maxTransitionLength = 64;
- static const signed char noOffset = -1;
+ static const int noOffset = -1;
static const unsigned maxSpecificFunctionThrashCount = 3;
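Review bot: widening s_maxTransitionLength and noOffset from signed char to int is consistent with the m_offset change in the following hunk, but any other code that compares m_offset against these constants, or copies it into a signed char local or parameter, would now narrow silently; the remaining uses outside these two files should be checked for leftover signed char declarations or casts before this lands.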
@@ -264,7 +264,7 @@
uint32_t m_propertyStorageCapacity;
// m_offset does not account for anonymous slots
- signed char m_offset;
+ int m_offset;
unsigned m_dictionaryKind : 2;
bool m_isPinnedPropertyTable : 1;
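Review bot: making m_offset an int changes the Structure layout (an int now sits between the uint32_t m_propertyStorageCapacity and the bitfields that follow), so any sizeof(Structure) or field-offset assumptions elsewhere should be rechecked; and since the wider type is what stops the overflow, an ASSERT that a new offset is within range before it is stored would make a recurrence fail loudly instead of corrupting the structure again.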