Title: [225933] trunk/Source/_javascript_Core
- Revision: 225933
- Author: [email protected]
- Date: 2017-12-14 14:28:09 -0800 (Thu, 14 Dec 2017)
Log Message
Fix assertion in JSObject's structure setting methods
https://bugs.webkit.org/show_bug.cgi?id=180840
Reviewed by Mark Lam.
I forgot that when Typed Arrays have non-indexed properties
added to them, they call the generic code. The generic code
in turn calls the regular structure setting methods. Thus,
these assertions were invalid and we should just avoid setting
the indexing mask if we have a Typed Array.
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
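The trigger the commit message describes, adding non-indexed properties to a Typed Array so that the generic property code (and therefore setButterfly) runs, written up as a stand-alone JavaScript check. This is an added example, not code from the WebKit commit or the JSC tree; the helper names and the symbol key are assumptions, and the property count is chosen only to force the out-of-line property storage to grow.

```javascript
// Added example (not part of r225933): decorate Typed Arrays with
// named and symbol-keyed properties, the case that routes through the
// generic property code, then confirm indexed semantics are unchanged.
// In a debug JSC build before this fix, the named-property stores below
// would have tripped the ASSERT in JSObject::setButterfly.

const kTag = Symbol("tag"); // assumed name, constructed for the example

function makeDecoratedTypedArray(ctor, length) {
  const a = new ctor(length);
  for (let i = 0; i < length; i++) a[i] = i; // indexed stores: fast path

  // Non-indexed stores go through the generic property code, which
  // allocates (and later reallocates) the butterfly that holds the
  // out-of-line named properties.
  a.name = "decorated";
  a[kTag] = 42;
  for (let k = 0; k < 16; k++) a["prop" + k] = k; // force butterfly growth
  return a;
}

function checkInvariants(a, length) {
  const checks = [];
  checks.push(a.length === length);
  checks.push(a[0] === 0 && a[length - 1] === length - 1);
  checks.push(a[length] === undefined); // out-of-bounds read stays undefined
  checks.push(a[-1] === undefined);     // canonical numeric string, never a property
  a[length] = 99;                        // out-of-bounds write is dropped, not stored
  checks.push(a[length] === undefined);
  checks.push(!Object.prototype.hasOwnProperty.call(a, String(length)));
  checks.push(a.name === "decorated" && a[kTag] === 42);
  // Own string keys: every index plus "name" and prop0..prop15.
  checks.push(Object.keys(a).length === length + 17);
  return checks.every(Boolean);
}

// Returns the names of the constructors for which every invariant held.
function runAll(length = 8) {
  const ctors = [Uint8Array, Int32Array, Float64Array, Uint8ClampedArray];
  return ctors
    .filter((c) => checkInvariants(makeDecoratedTypedArray(c, length), length))
    .map((c) => c.name);
}
```

Run it under `jsc` or `node`; `runAll()` returns all four constructor names when indexed reads, out-of-bounds behaviour and the named properties all survive the butterfly reallocations.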
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (225932 => 225933)
--- trunk/Source/_javascript_Core/ChangeLog 2017-12-14 22:22:56 UTC (rev 225932)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-12-14 22:28:09 UTC (rev 225933)
@@ -1,3 +1,20 @@
+2017-12-14 Keith Miller <[email protected]>
+
+ Fix assertion in JSObject's structure setting methods
+ https://bugs.webkit.org/show_bug.cgi?id=180840
+
+ Reviewed by Mark Lam.
+
+ I forgot that when Typed Arrays have non-indexed properties
+ added to them, they call the generic code. The generic code
+ in turn calls the regular structure setting methods. Thus,
+ these assertions were invalid and we should just avoid setting
+ the indexing mask if we have a Typed Array.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::setButterfly):
+ (JSC::JSObject::nukeStructureAndSetButterfly):
+
2017-12-14 Michael Saboff <[email protected]>
REGRESSION (r225695): Repro crash on yahoo login page
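Review bot: the entry lists only runtime/JSObject.h and no test, yet the description gives the exact trigger (a Typed Array receiving a non-indexed property). A one-line JS regression test along the lines of `var a = new Uint8Array(8); a.foo = 1;` run under a debug build would make the assertion fix verifiable and keep it from regressing; consider adding it under JSTests and listing it here.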
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (225932 => 225933)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2017-12-14 22:22:56 UTC (rev 225932)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2017-12-14 22:28:09 UTC (rev 225933)
@@ -1265,8 +1265,8 @@
inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
{
- ASSERT(!structure()->hijacksIndexingHeader());
- m_butterflyIndexingMask = butterfly->computeIndexingMask();
+ if (LIKELY(!structure(vm)->hijacksIndexingHeader()))
+ m_butterflyIndexingMask = butterfly->computeIndexingMask();
ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
if (isX86() || vm.heap.mutatorShouldBeFenced()) {
WTF::storeStoreFence();
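Review bot: the `ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength())` immediately after the new `if` still runs when `hijacksIndexingHeader()` is true, which is exactly the case where `m_butterflyIndexingMask` is now deliberately left untouched and `vectorLength()` reads an indexing header the structure hijacks; move the assertion inside the `if` (or guard it on the same condition) so the debug check matches the new invariant. The same line also changes `structure()` to `structure(vm)`, which the ChangeLog does not mention; a word on why is worth adding.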
@@ -1280,8 +1280,8 @@
inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
{
- ASSERT(!vm.getStructure(oldStructureID)->hijacksIndexingHeader());
- m_butterflyIndexingMask = butterfly->computeIndexingMask();
+ if (LIKELY(!vm.getStructure(oldStructureID)->hijacksIndexingHeader()))
+ m_butterflyIndexingMask = butterfly->computeIndexingMask();
ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
if (isX86() || vm.heap.mutatorShouldBeFenced()) {
setStructureIDDirectly(nuke(oldStructureID));
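Review bot: this guard duplicates the one in setButterfly, and the assertion on the following line has the same mismatch with the new condition; consider factoring the guarded mask update into one small helper used by both methods so the two cannot drift apart. A short comment here stating that for structures which hijack the indexing header (Typed Arrays, per the ChangeLog) `m_butterflyIndexingMask` keeps its previous value, and why that stale value is acceptable for such objects, would help anyone later auditing what the mask guards.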
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes