Title: [243069] trunk
- Revision: 243069
- Author: [email protected]
- Date: 2019-03-18 09:18:10 -0700 (Mon, 18 Mar 2019)
Log Message
Structure::flattenDictionary() should clear unused property slots.
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>
Reviewed by Michael Saboff.
JSTests:
* stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
Source/JavaScriptCore:
It currently attempts to do this but fails because it's actually clearing up the
preCapacity region instead. The fix is simply to account for the preCapacity
when computing the start address of the property slots.
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
Diff
Modified: trunk/JSTests/ChangeLog (243068 => 243069)
--- trunk/JSTests/ChangeLog 2019-03-18 15:44:09 UTC (rev 243068)
+++ trunk/JSTests/ChangeLog 2019-03-18 16:18:10 UTC (rev 243069)
@@ -1,3 +1,13 @@
+2019-03-18 Mark Lam <[email protected]>
+
+ Structure::flattenDictionary() should clear unused property slots.
+ https://bugs.webkit.org/show_bug.cgi?id=195871
+ <rdar://problem/48959497>
+
+ Reviewed by Michael Saboff.
+
+ * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+
2019-03-15 Mark Lam <[email protected]>
Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
Added: trunk/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js (0 => 243069)
--- trunk/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js (rev 0)
+++ trunk/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js 2019-03-18 16:18:10 UTC (rev 243069)
@@ -0,0 +1,11 @@
+// This test should not crash.
+
+var arr = [];
+arr.x = 0;
+arr.y = 0;
+delete arr["x"];
+
+for (var i = 0; i < 2; ++i)
+ arr.unshift(i);
+
+arr.z = 42;
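Review bot: the only stated expectation is the opening comment "This test should not crash", and nothing in the file says which step depends on the unused property slots being cleared or checks the state of the object afterwards. Please add a short comment tying the sequence (`delete arr["x"]`, the two `arr.unshift(i)` calls, then `arr.z = 42`) to the bug being fixed, and assert on the result after the last line, for example that `arr.z` is 42, `arr.y` is 0, `arr.x` is undefined and `arr.length` is 2. That way the test also fails on a wrong value rather than only on a crash.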
Modified: trunk/Source/_javascript_Core/ChangeLog (243068 => 243069)
--- trunk/Source/_javascript_Core/ChangeLog 2019-03-18 15:44:09 UTC (rev 243068)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-03-18 16:18:10 UTC (rev 243069)
@@ -1,3 +1,18 @@
+2019-03-18 Mark Lam <[email protected]>
+
+ Structure::flattenDictionary() should clear unused property slots.
+ https://bugs.webkit.org/show_bug.cgi?id=195871
+ <rdar://problem/48959497>
+
+ Reviewed by Michael Saboff.
+
+ It currently attempts to do this but fails because it's actually clearing up the
+ preCapacity region instead. The fix is simply to account for the preCapacity
+ when computing the start address of the property slots.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+
2019-03-18 Robin Morisset <[email protected]>
B3 should reduce Shl(<S|Z>Shr(@x, @const), @const) to BitAnd(@x, -(1<<@const))
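Review bot: the title line of the new entry names `Structure::flattenDictionary()`, while the function listed at the end of the same entry is `(JSC::Structure::flattenDictionaryStructure)`. Please use the actual function name in the title as well, so that a search of the ChangeLog for the function finds this entry and readers do not go looking for a second function.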
Modified: trunk/Source/_javascript_Core/runtime/Structure.cpp (243068 => 243069)
--- trunk/Source/_javascript_Core/runtime/Structure.cpp 2019-03-18 15:44:09 UTC (rev 243068)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp 2019-03-18 16:18:10 UTC (rev 243069)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -778,10 +778,10 @@
(inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
Butterfly* butterfly = object->butterfly();
- memset(
- butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
- 0,
- (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+ size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
+ void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
+ void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
+ memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
checkOffsetConsistency();
}
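Review bot: the new start address, `reinterpret_cast<EncodedJSValue*>(base) + preCapacity`, depends on two things that are neither stated nor asserted in this hunk: that `preCapacity` is a count of `EncodedJSValue`-sized slots, and that the unused out-of-line property slots begin immediately after the preCapacity region. Since the previous code went wrong on exactly this address computation, a one-line comment describing the layout being assumed, plus a debug assertion that the cleared range of `(beforeOutOfLineCapacity - outOfLineSize())` slots ends where the in-use out-of-line slots start, would keep the memset from drifting back into the wrong region. As a smaller style point, `startOfPropertyStorageSlots` is computed as an `EncodedJSValue*` and then stored in a `void*`; keeping it typed as `EncodedJSValue*` would make the units of the arithmetic visible at the declaration.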