Title: [226422] tags/Safari-605.1.19/Source/_javascript_Core

Diff

Modified: tags/Safari-605.1.19/Source/_javascript_Core/ChangeLog (226421 => 226422)


--- tags/Safari-605.1.19/Source/_javascript_Core/ChangeLog	2018-01-04 21:53:35 UTC (rev 226421)
+++ tags/Safari-605.1.19/Source/_javascript_Core/ChangeLog	2018-01-04 21:53:37 UTC (rev 226422)
@@ -1,5 +1,23 @@
 2018-01-04  Jason Marcell  <[email protected]>
 
+        Cherry-pick r226416. rdar://problem/36275933
+
+    2018-01-04  Keith Miller  <[email protected]>
+
+            Array Storage operations sometimes did not update the indexing mask correctly.
+            https://bugs.webkit.org/show_bug.cgi?id=181301
+
+            Reviewed by Mark Lam.
+
+            I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
+
+            * runtime/JSArray.cpp:
+            (JSC::JSArray::shiftCountWithArrayStorage):
+            * runtime/JSObject.cpp:
+            (JSC::JSObject::increaseVectorLength):
+
+2018-01-04  Jason Marcell  <[email protected]>
+
         Cherry-pick r226367. rdar://problem/36166729
 
     2018-01-03  Per Arne Vollan  <[email protected]>
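Review bot: The entry ships the fix without regression tests ("I will add tests in a follow up patch", tracked at https://bugs.webkit.org/show_bug.cgi?id=181303), so this cherry-pick onto the Safari-605.1.19 tag carries no test that would catch the indexing-mask regression it describes; at minimum, the follow-up test should be cherry-picked alongside it, or the entry should state that the tag intentionally takes the fix without coverage. The touched functions listed, JSC::JSArray::shiftCountWithArrayStorage and JSC::JSObject::increaseVectorLength, match the diff below.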

Modified: tags/Safari-605.1.19/Source/_javascript_Core/runtime/JSArray.cpp (226421 => 226422)


--- tags/Safari-605.1.19/Source/_javascript_Core/runtime/JSArray.cpp	2018-01-04 21:53:35 UTC (rev 226421)
+++ tags/Safari-605.1.19/Source/_javascript_Core/runtime/JSArray.cpp	2018-01-04 21:53:37 UTC (rev 226422)
@@ -835,7 +835,6 @@
         // the start of the Butterfly, which needs to point at the first indexed property in the used
         // portion of the vector.
         Butterfly* butterfly = this->butterfly()->shift(structure(), count);
-        setButterfly(vm, butterfly);
         storage = butterfly->arrayStorage();
         storage->m_indexBias += count;
 
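Review bot: Removing setButterfly(vm, butterfly) here opens a window in which `storage` (taken from the freshly shifted `butterfly`) is mutated via `storage->m_indexBias += count` while `this->butterfly()` still refers to the pre-shift butterfly; the reviewer should confirm that nothing between this point and the later setButterfly call reads `this->butterfly()` or the object's indexing mask, and that no allocation can happen in that span, since the object is temporarily inconsistent with the storage being updated. A one-line comment stating that the butterfly is installed only after its vector length is finalized would make the deferral deliberate rather than look like an accidental omission.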
@@ -842,6 +841,7 @@
         // Since we're consuming part of the vector by moving its beginning to the left,
         // we need to modify the vector length appropriately.
         storage->setVectorLength(vectorLength - count);
+        setButterfly(vm, butterfly);
     } else {
         // The number of elements before the shift region is greater than or equal to the number 
         // of elements after the shift region, so we move the elements after the shift region to the left.
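Review bot: The ordering dependency that this move introduces is undocumented: setButterfly(vm, butterfly) now deliberately follows storage->setVectorLength(vectorLength - count), and the ChangeLog says the bug was the indexing mask not being updated, which implies setButterfly derives the mask from the storage's vector length at the time it is called. Add a comment such as "// setButterfly must come after setVectorLength so the indexing mask reflects the shrunken vector" so a future cleanup does not hoist the call back above the length update and silently reintroduce the stale mask.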

Modified: tags/Safari-605.1.19/Source/_javascript_Core/runtime/JSObject.cpp (226421 => 226422)


--- tags/Safari-605.1.19/Source/_javascript_Core/runtime/JSObject.cpp	2018-01-04 21:53:35 UTC (rev 226421)
+++ tags/Safari-605.1.19/Source/_javascript_Core/runtime/JSObject.cpp	2018-01-04 21:53:37 UTC (rev 226422)
@@ -3135,6 +3135,7 @@
         for (unsigned i = vectorLength; i < availableVectorLength; ++i)
             storage->m_vector[i].clear();
         storage->setVectorLength(availableVectorLength);
+        m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();
         return true;
     }
     
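Review bot: The mask is refreshed here by assigning `m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask()` directly, whereas the JSArray.cpp change in the same patch relies on setButterfly to do the equivalent update; the two call sites should use one mechanism (a small helper that recomputes the mask from the current butterfly, or setButterfly itself) so the invariant "vector length changed, therefore mask recomputed" is enforced in one place. This hunk only touches the early `return true;` path of increaseVectorLength; the reviewer should check that every other path in that function which calls setVectorLength also recomputes the mask, since the patch description says the mask was "sometimes" left stale.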
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
