Title: [137961] trunk/Source/_javascript_Core
Revision: 137961
Author: [email protected]
Date: 2012-12-17 17:03:54 -0800 (Mon, 17 Dec 2012)

Log Message

Butterfly::growArrayRight shouldn't be called on null Butterfly objects
https://bugs.webkit.org/show_bug.cgi?id=105221

Reviewed by Filip Pizlo.

Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
objects purely by coincidence. We should add a new static function that null checks the old
Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't, for
use in the couple of places in JSObject that expect such behavior to work.

* runtime/Butterfly.h:
(Butterfly):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowArrayRight):
(JSC):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (137960 => 137961)


--- trunk/Source/_javascript_Core/ChangeLog	2012-12-18 00:59:26 UTC (rev 137960)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-12-18 01:03:54 UTC (rev 137961)
@@ -1,3 +1,24 @@
+2012-12-17  Mark Hahnenberg  <[email protected]>
+
+        Butterfly::growArrayRight shouldn't be called on null Butterfly objects
+        https://bugs.webkit.org/show_bug.cgi?id=105221
+
+        Reviewed by Filip Pizlo.
+
+        Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly 
+        objects purely by coincidence. We should add a new static function that null checks the old 
+        Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for 
+        use in the couple of places in JSObject that expect such behavior to work.
+
+        * runtime/Butterfly.h:
+        (Butterfly):
+        * runtime/ButterflyInlines.h:
+        (JSC::Butterfly::createOrGrowArrayRight):
+        (JSC):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::createInitialIndexedStorage):
+        (JSC::JSObject::createArrayStorage):
+
 2012-12-17  Filip Pizlo  <[email protected]>
 
         _javascript_ integer overflow
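Review bot: The ChangeLog entry says the old behaviour worked "purely by coincidence" but never states what was actually wrong, which makes the entry hard to use when this code is revisited. Calling `m_butterfly->growArrayRight(...)` with `m_butterfly` null invokes a non-static member function through a null `this`, which is undefined behaviour in C++ even when the function happens not to read any member data; saying that explicitly explains why a new static entry point is needed rather than a null check inside `growArrayRight` itself. A line noting whether any test exercises the null-butterfly path through `createInitialIndexedStorage` and `createArrayStorage` would also help.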

Modified: trunk/Source/_javascript_Core/runtime/Butterfly.h (137960 => 137961)


--- trunk/Source/_javascript_Core/runtime/Butterfly.h	2012-12-18 00:59:26 UTC (rev 137960)
+++ trunk/Source/_javascript_Core/runtime/Butterfly.h	2012-12-18 01:03:54 UTC (rev 137961)
@@ -110,7 +110,9 @@
 
     void* base(size_t preCapacity, size_t propertyCapacity) { return propertyStorage() - propertyCapacity - preCapacity; }
     void* base(Structure*);
-    
+
+    static Butterfly* createOrGrowArrayRight(Butterfly*, JSGlobalData&, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes); 
+
     // The butterfly reallocation methods perform the reallocation itself but do not change any
     // of the meta-data to reflect that the reallocation occurred. Note that this set of
     // methods is not exhaustive and is not intended to encapsulate all possible allocation
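Review bot: The new `createOrGrowArrayRight` declaration carries no comment, and it sits directly above a comment block that scopes the "butterfly reallocation methods" as ones that reallocate without touching meta-data; since this function also allocates a fresh butterfly when its first argument is null, a one-line comment saying that the `Butterfly*` argument may be null, and that `hadIndexingHeader` and `oldIndexingPayloadSizeInBytes` are ignored in that case, would spare callers a trip to the inline definition. Two style nits on the same line: it ends in a trailing space after the `;`, and the first parameter is unnamed while the definition in ButterflyInlines.h calls it `oldButterfly`; naming it here too would make the long parameter list easier to read.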

Modified: trunk/Source/_javascript_Core/runtime/ButterflyInlines.h (137960 => 137961)


--- trunk/Source/_javascript_Core/runtime/ButterflyInlines.h	2012-12-18 00:59:26 UTC (rev 137960)
+++ trunk/Source/_javascript_Core/runtime/ButterflyInlines.h	2012-12-18 01:03:54 UTC (rev 137961)
@@ -99,6 +99,13 @@
         globalData, oldStructure, oldStructure->outOfLineCapacity(), newPropertyCapacity);
 }
 
+inline Butterfly* Butterfly::createOrGrowArrayRight(Butterfly* oldButterfly, JSGlobalData& globalData, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes)
+{
+    if (!oldButterfly)
+        return create(globalData, 0, propertyCapacity, true, IndexingHeader(), newIndexingPayloadSizeInBytes);
+    return oldButterfly->growArrayRight(globalData, oldStructure, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes, newIndexingPayloadSizeInBytes);
+}
+
 inline Butterfly* Butterfly::growArrayRight(JSGlobalData& globalData, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes)
 {
     ASSERT_UNUSED(oldStructure, !indexingHeader()->preCapacity(oldStructure));
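Review bot: In the null branch of `createOrGrowArrayRight`, `hadIndexingHeader` and `oldIndexingPayloadSizeInBytes` are silently ignored and the `create` call hard-codes `true` and a fresh `IndexingHeader()`. That is the right outcome when there genuinely was no old butterfly, but a caller that passes a null butterfly together with `hadIndexingHeader == true` or a non-zero old payload size would have that state dropped without any diagnostic. Adding `ASSERT(!hadIndexingHeader);` and `ASSERT(!oldIndexingPayloadSizeInBytes);` before the `create` call, in the same spirit as the `ASSERT_UNUSED(oldStructure, ...)` guard in `growArrayRight` immediately below, would catch such a mismatch in debug builds.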

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (137960 => 137961)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-12-18 00:59:26 UTC (rev 137960)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-12-18 01:03:54 UTC (rev 137961)
@@ -610,7 +610,7 @@
     ASSERT(!structure()->needsSlowPutIndexing());
     ASSERT(!indexingShouldBeSparse());
     unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
-    Butterfly* newButterfly = m_butterfly->growArrayRight(
+    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(m_butterfly, 
         globalData, structure(), structure()->outOfLineCapacity(), false, 0,
         elementSize * vectorLength);
     newButterfly->setPublicLength(length);
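Review bot: The replaced line in `createInitialIndexedStorage` now ends with a trailing space after `m_butterfly,`, a style nit, but the more useful addition would be a short comment at this call site saying that `m_butterfly` may still be null here (the ChangeLog identifies this as one of the places that relied on the null case working). The assertions above speak only to indexing type, and nothing in the surrounding lines explains why the create-or-grow form is required rather than a plain `growArrayRight`. The `false, 0` arguments are consistent with both the null case (no prior indexing header, no prior payload) and the non-null case, so no change is needed there.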
@@ -656,7 +656,7 @@
 {
     IndexingType oldType = structure()->indexingType();
     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
-    Butterfly* newButterfly = m_butterfly->growArrayRight(
+    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(m_butterfly, 
         globalData, structure(), structure()->outOfLineCapacity(), false, 0,
         ArrayStorage::sizeFor(vectorLength));
     if (!newButterfly)
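Review bot: The two call sites now treat the result of `createOrGrowArrayRight` inconsistently: here in `createArrayStorage` the result is guarded with `if (!newButterfly)` before use, while the hunk at line 610 in `createInitialIndexedStorage` dereferences it immediately in `newButterfly->setPublicLength(length)`. Either the allocation can fail and return null, in which case the earlier call site needs the same check, or it cannot, in which case this check is dead and an `ASSERT(newButterfly)` would state the invariant more honestly. It is worth settling which in this patch, because the new function routes some calls through `create` in addition to `growArrayRight`, so any difference in their failure behaviour now matters at both sites. The trailing space after `m_butterfly,` applies to this line as well.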
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
