Title: [226416] trunk/Source/JavaScriptCore
- Revision
- 226416
- Author
- [email protected]
- Date
- 2018-01-04 12:58:31 -0800 (Thu, 04 Jan 2018)
Log Message
Array Storage operations sometimes did not update the indexing mask correctly.
https://bugs.webkit.org/show_bug.cgi?id=181301
Reviewed by Mark Lam.
I will add tests in a follow-up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):
Modified Paths
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (226415 => 226416)
--- trunk/Source/_javascript_Core/ChangeLog 2018-01-04 20:56:43 UTC (rev 226415)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-01-04 20:58:31 UTC (rev 226416)
@@ -1,3 +1,17 @@
+2018-01-04 Keith Miller <[email protected]>
+
+ Array Storage operations sometimes did not update the indexing mask correctly.
+ https://bugs.webkit.org/show_bug.cgi?id=181301
+
+ Reviewed by Mark Lam.
+
+ I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::increaseVectorLength):
+
2018-01-04 Yusuke Suzuki <[email protected]>
[DFG] Define defs for MapSet/SetAdd to participate in CSE
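Review bot: The ChangeLog entry states the symptom (the indexing mask not being updated) but not the cause or what each listed function now does differently; a reader of the log alone cannot tell that shiftCountWithArrayStorage now installs the butterfly only after the vector length is final, or that increaseVectorLength recomputes m_butterflyIndexingMask after growing the vector. Suggest one sentence under each function entry, e.g. `(JSC::JSArray::shiftCountWithArrayStorage): Defer setButterfly() until after setVectorLength() so the mask is computed from the new length.` Since tests are deferred to bug 181303, it would also help to record here which operations (shift, vector growth) the follow-up tests should exercise.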
Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (226415 => 226416)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-01-04 20:56:43 UTC (rev 226415)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-01-04 20:58:31 UTC (rev 226416)
@@ -835,7 +835,6 @@
// the start of the Butterfly, which needs to point at the first indexed property in the used
// portion of the vector.
Butterfly* butterfly = this->butterfly()->shift(structure(), count);
- setButterfly(vm, butterfly);
storage = butterfly->arrayStorage();
storage->m_indexBias += count;
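Review bot: Removing setButterfly() here leaves the new butterfly uninstalled for the rest of this block, which reads like a missing store until one reaches the next hunk; a one-line comment at the removal point would make the intent explicit, e.g. `// setButterfly() is called below, once m_indexBias and the vector length are final, so the indexing mask reflects the shifted vector.` It is also worth confirming that nothing between this point and the deferred setButterfly() call can observe the object's old butterfly, since `storage` now points into a butterfly the object does not yet reference.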
@@ -842,6 +841,7 @@
// Since we're consuming part of the vector by moving its beginning to the left,
// we need to modify the vector length appropriately.
storage->setVectorLength(vectorLength - count);
+ setButterfly(vm, butterfly);
} else {
// The number of elements before the shift region is greater than or equal to the number
// of elements after the shift region, so we move the elements after the shift region to the left.
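Review bot: Moving setButterfly() after setVectorLength() is the actual fix in this file, but the hunk gives no hint why the order matters; add a comment such as `// Install the butterfly only now: the indexing mask is derived from the vector length, which is final at this point.` Consider also an ASSERT at the end of the function that m_butterflyIndexingMask equals butterfly->computeIndexingMask(), so a future reordering of these calls fails in debug builds rather than silently producing a stale mask.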
Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (226415 => 226416)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-01-04 20:56:43 UTC (rev 226415)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-01-04 20:58:31 UTC (rev 226416)
@@ -3135,6 +3135,7 @@
for (unsigned i = vectorLength; i < availableVectorLength; ++i)
storage->m_vector[i].clear();
storage->setVectorLength(availableVectorLength);
+ m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();
return true;
}
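Review bot: The mask is updated by assigning m_butterflyIndexingMask directly rather than through setButterfly(), which the JSArray.cpp hunk uses for the same purpose; if setButterfly() carries any ordering or fence semantics for the mask store, this path skips them, so either route the update through the same helper or add a comment explaining why a plain store suffices here (the butterfly pointer is unchanged; only its vector length grew). The placement after the clearing loop and setVectorLength() is the right order; a short comment tying the recomputation to setVectorLength() would keep a later edit from separating the two.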
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes