Modified: trunk/Source/_javascript_Core/ChangeLog (98646 => 98647)
--- trunk/Source/_javascript_Core/ChangeLog 2011-10-27 22:07:32 UTC (rev 98646)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-10-27 22:19:14 UTC (rev 98647)
@@ -1,3 +1,25 @@
+2011-10-27 Filip Pizlo <[email protected]>
+
+ Crash in JSC::Structure::materializePropertyMap when viewing Garden-O-Matic
+ https://bugs.webkit.org/show_bug.cgi?id=71045
+
+ Reviewed by Geoff Garen.
+
+ Make sure that if a structure is pinned, it also has a property map.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::getterSetterTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::removePropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::copyPropertyTableForPinning):
+ * runtime/Structure.h:
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+
2011-10-27 Michael Saboff <[email protected]>
32bit build failure after r98624
Modified: trunk/Source/_javascript_Core/runtime/Structure.cpp (98646 => 98647)
--- trunk/Source/_javascript_Core/runtime/Structure.cpp 2011-10-27 22:07:32 UTC (rev 98646)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp 2011-10-27 22:19:14 UTC (rev 98647)
@@ -371,7 +371,7 @@
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
return transition;
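Review bot: The three-line sequence `structure->materializePropertyMapIfNecessary(globalData); transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition); transition->pin();` is now repeated by hand in this hunk and in the hunks for despecifyFunctionTransition, getterSetterTransition, toDictionaryTransition and preventExtensionsTransition, so the "pinned implies a property table" invariant this commit establishes lives in five places that only stay in step by manual editing. A private helper on Structure, e.g. `transition->pinPropertyTableCopiedFrom(globalData, structure);` (name constructed, not from the page), would give the invariant a single point of maintenance. toDictionaryTransition and preventExtensionsTransition assign a field between the copy and pin(), so those assignments would move ahead of the helper if pin() does not depend on them, which is not visible here. The enclosing transition functions begin and end outside their hunks.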
@@ -387,7 +387,7 @@
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
if (transition->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
@@ -407,7 +407,7 @@
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
return transition;
@@ -420,7 +420,7 @@
Structure* transition = create(globalData, structure);
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->m_dictionaryKind = kind;
transition->pin();
@@ -473,7 +473,7 @@
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->m_preventExtensions = true;
transition->pin();
@@ -551,7 +551,7 @@
if (m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
specificValue = 0;
- materializePropertyMapIfNecessary(globalData);
+ materializePropertyMapIfNecessaryForPinning(globalData);
pin();
@@ -566,7 +566,7 @@
ASSERT(isUncacheableDictionary());
ASSERT(!m_enumerationCache);
- materializePropertyMapIfNecessary(globalData);
+ materializePropertyMapIfNecessaryForPinning(globalData);
pin();
size_t offset = remove(propertyName);
@@ -575,6 +575,7 @@
void Structure::pin()
{
+ ASSERT(m_propertyTable);
m_isPinnedPropertyTable = true;
m_previous.clear();
m_nameInPrevious.clear();
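Review bot: `ASSERT(m_propertyTable)` checks the new invariant only in debug builds (WebKit's ASSERT is compiled out in release), so the release-build guarantee rests entirely on every caller having switched to the ForPinning variants in this commit, and a reader of pin() cannot see why the table must already exist. The reason is two lines down: pin() clears `m_previous`, and `materializePropertyMapIfNecessary` in Structure.h only rebuilds a table when `m_previous` is set, so a pinned structure with a null table could never be repaired and the next lookup through materializePropertyMap would dereference null, which is the crash in the title. Suggest a comment above the assert: `// Pinning drops m_previous, so the table can never be rematerialized later; it must exist now.`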
@@ -612,6 +613,11 @@
return adoptPtr(m_propertyTable ? new PropertyTable(globalData, owner, *m_propertyTable) : 0);
}
+PassOwnPtr<PropertyTable> Structure::copyPropertyTableForPinning(JSGlobalData& globalData, Structure* owner)
+{
+ return adoptPtr(m_propertyTable ? new PropertyTable(globalData, owner, *m_propertyTable) : new PropertyTable(m_offset == noOffset ? 0 : m_offset));
+}
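Review bot: The fallback `new PropertyTable(m_offset == noOffset ? 0 : m_offset)` hands the pinned owner an empty table, which is only correct because every caller in this commit calls `materializePropertyMapIfNecessary` on the source structure first, so a null `m_propertyTable` here should mean there was no `m_previous` chain to replay (assuming materializePropertyMap always leaves a table behind); nothing in the function records that precondition. Suggest a comment on that branch, `// Null here means the source had nothing to materialize (no m_previous), so the pinned copy starts empty.`, and an `ASSERT(!m_previous)` on the same branch if the assumption holds. Splitting the nested ternary into `if (m_propertyTable) return adoptPtr(new PropertyTable(globalData, owner, *m_propertyTable));` followed by the empty-table return would also make it visible that the two branches construct different things; what the single-integer PropertyTable constructor argument means (presumably an initial capacity derived from m_offset) is not visible in this hunk and is worth naming in the comment.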
+
size_t Structure::get(JSGlobalData& globalData, StringImpl* propertyName, unsigned& attributes, JSCell*& specificValue)
{
materializePropertyMapIfNecessary(globalData);
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (98646 => 98647)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2011-10-27 22:07:32 UTC (rev 98646)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2011-10-27 22:19:14 UTC (rev 98647)
@@ -230,6 +230,7 @@
void despecifyAllFunctions(JSGlobalData&);
PassOwnPtr<PropertyTable> copyPropertyTable(JSGlobalData&, Structure* owner);
+ PassOwnPtr<PropertyTable> copyPropertyTableForPinning(JSGlobalData&, Structure* owner);
void materializePropertyMap(JSGlobalData&);
void materializePropertyMapIfNecessary(JSGlobalData& globalData)
{
@@ -237,6 +238,12 @@
if (!m_propertyTable && m_previous)
materializePropertyMap(globalData);
}
+ void materializePropertyMapIfNecessaryForPinning(JSGlobalData& globalData)
+ {
+ ASSERT(structure()->classInfo() == &s_info);
+ if (!m_propertyTable)
+ materializePropertyMap(globalData);
+ }
int transitionCount() const
{
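Review bot: `materializePropertyMapIfNecessaryForPinning` differs from `materializePropertyMapIfNecessary` just above it only by dropping the `&& m_previous` guard, so `materializePropertyMap` is now reached for a structure that has no previous structure, a case the existing variant deliberately skips; whether materializePropertyMap copes with a null `m_previous` and still leaves a (possibly empty) table behind is not visible here, yet that is exactly what addPropertyWithoutTransition and removePropertyWithoutTransition rely on before calling pin(). Suggest a comment stating the contract: `// Unlike materializePropertyMapIfNecessary, this must leave m_propertyTable non-null even with no m_previous, because the caller is about to pin().` If materializePropertyMap does not handle the no-previous case, this branch should instead create an empty table the way copyPropertyTableForPinning in Structure.cpp does.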