Title: [141029] trunk/Source/_javascript_Core
- Revision
- 141029
- Author
- [email protected]
- Date
- 2013-01-28 17:22:12 -0800 (Mon, 28 Jan 2013)
Log Message
Add more assertions to the property storage use in arrays
https://bugs.webkit.org/show_bug.cgi?id=107728
Reviewed by Filip Pizlo.
Add a bunch of assertions to array and object butterfly
usage. This should make debugging somewhat easier.
I also converted a couple of assertions to release asserts
as they were so low cost it seemed a sensible thing to do.
* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSObject.h:
(JSC::JSObject::getHolyIndexQuickly):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (141028 => 141029)
--- trunk/Source/_javascript_Core/ChangeLog 2013-01-29 01:01:37 UTC (rev 141028)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-01-29 01:22:12 UTC (rev 141029)
@@ -1,3 +1,22 @@
+2013-01-28 Oliver Hunt <[email protected]>
+
+ Add more assertions to the property storage use in arrays
+ https://bugs.webkit.org/show_bug.cgi?id=107728
+
+ Reviewed by Filip Pizlo.
+
+ Add a bunch of assertions to array and object butterfly
+ usage. This should make debugging somewhat easier.
+
+ I also converted a couple of assertions to release asserts
+ as they were so low cost it seemed a sensible thing to do.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getHolyIndexQuickly):
+
2013-01-28 Adam Barth <[email protected]>
Remove webkitNotifications.createHTMLNotification
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (141028 => 141029)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2013-01-29 01:01:37 UTC (rev 141028)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2013-01-29 01:22:12 UTC (rev 141029)
@@ -1347,7 +1347,7 @@
// Iterate over the array, ignoring missing values, counting undefined ones, and inserting all other ones into the tree.
for (; numDefined < usedVectorLength; ++numDefined) {
- if (numDefined > m_butterfly->vectorLength())
+ if (numDefined >= m_butterfly->vectorLength())
break;
JSValue v = getHolyIndexQuickly(numDefined);
if (!v || v.isUndefined())
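Review bot: The changed guard `if (numDefined >= m_butterfly->vectorLength())` is a behavioural fix rather than an assertion, and nothing at the site explains why the bound is re-read on every iteration or what the silent `break` means for the elements it skips. With the old `>`, an index equal to vectorLength() still reached getHolyIndexQuickly(), one slot past the vector. A comment such as `// vectorLength() may be below usedVectorLength here; never index at or past it.` would keep the check from being relaxed again. The same applies to the guard on `i` in the @@ -1356 hunk. Both loops sit in a function whose start and end are outside these hunks.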
@@ -1356,7 +1356,7 @@
tree.insert(numDefined);
}
for (unsigned i = numDefined; i < usedVectorLength; ++i) {
- if (i > m_butterfly->vectorLength())
+ if (i >= m_butterfly->vectorLength())
break;
JSValue v = getHolyIndexQuickly(i);
if (v) {
@@ -1384,6 +1384,7 @@
iter.start_iter_least(tree);
JSGlobalData& globalData = exec->globalData();
for (unsigned i = 0; i < elementsToExtractThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
if (structure()->indexingType() == ArrayWithDouble)
butterfly()->contiguousDouble()[i] = tree.abstractor().m_nodes[*iter].value.asNumber();
else
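Review bot: The added `ASSERT(i < butterfly()->vectorLength());` guards the store to `contiguousDouble()[i]` in debug builds only, so a release build still writes unchecked if the bound is ever wrong. The commit already promotes cheap checks to RELEASE_ASSERT. A single `RELEASE_ASSERT(clearElementsThreshold <= butterfly()->vectorLength());` ahead of the copy-back loops would cost one comparison and cover this loop and the two in the @@ -1398 hunk, assuming the thresholds are ordered as the loop bounds suggest. The same applies to the per-iteration ASSERTs in the @@ -1578 through @@ -1616 hunks, where the bound is `myRelevantLength`. The enclosing function starts and ends outside the hunk.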
@@ -1398,12 +1399,15 @@
break;
default:
- for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i)
+ for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
currentIndexingData()[i].setUndefined();
+ }
}
// Ensure that unused values in the vector are zeroed out.
for (unsigned i = undefinedElementsThreshold; i < clearElementsThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
if (structure()->indexingType() == ArrayWithDouble)
butterfly()->contiguousDouble()[i] = QNaN;
else
@@ -1533,6 +1537,7 @@
vector = 0;
vectorEnd = 0;
for (; i < m_butterfly->publicLength(); ++i) {
+ ASSERT(i < butterfly()->vectorLength());
double v = m_butterfly->contiguousDouble()[i];
if (v != v)
break;
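Review bot: The added `ASSERT(i < butterfly()->vectorLength());` goes through the butterfly() accessor, while the loop condition and the read on the next line use `m_butterfly` directly. `ASSERT(i < m_butterfly->vectorLength());` would match the surrounding lines and the assertions added in the later hunks of this file. Since the loop is bounded by publicLength(), the property being checked is presumably publicLength() <= vectorLength(), which could be stated once before the loop instead. The enclosing function starts and ends outside the hunk.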
@@ -1578,6 +1583,7 @@
unsigned numUndefined = 0;
for (; numDefined < myRelevantLength; ++numDefined) {
+ ASSERT(numDefined < m_butterfly->vectorLength());
if (indexingType == ArrayWithInt32) {
JSValue v = m_butterfly->contiguousInt32()[numDefined].get();
if (!v)
@@ -1597,11 +1603,13 @@
}
for (unsigned i = numDefined; i < myRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
if (indexingType == ArrayWithInt32) {
JSValue v = m_butterfly->contiguousInt32()[i].get();
if (!v)
continue;
ASSERT(v.isInt32());
+ ASSERT(numDefined < m_butterfly->vectorLength());
m_butterfly->contiguousInt32()[numDefined++].setWithoutWriteBarrier(v);
continue;
}
@@ -1609,6 +1617,7 @@
double v = m_butterfly->contiguousDouble()[i];
if (v != v)
continue;
+ ASSERT(numDefined < m_butterfly->vectorLength());
m_butterfly->contiguousDouble()[numDefined++] = v;
continue;
}
@@ -1616,28 +1625,33 @@
if (v) {
if (v.isUndefined())
++numUndefined;
- else
+ else {
+ ASSERT(numDefined < m_butterfly->vectorLength());
indexingData<indexingType>()[numDefined++].setWithoutWriteBarrier(v);
+ }
}
}
newRelevantLength = numDefined + numUndefined;
if (hasArrayStorage(indexingType))
- ASSERT(!arrayStorage()->m_sparseMap);
+ RELEASE_ASSERT(!arrayStorage()->m_sparseMap);
switch (indexingType) {
case ArrayWithInt32:
case ArrayWithDouble:
- ASSERT(numDefined == newRelevantLength);
+ RELEASE_ASSERT(numDefined == newRelevantLength);
break;
default:
- for (unsigned i = numDefined; i < newRelevantLength; ++i)
+ for (unsigned i = numDefined; i < newRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
indexingData<indexingType>()[i].setUndefined();
+ }
break;
}
for (unsigned i = newRelevantLength; i < myRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
if (indexingType == ArrayWithDouble)
m_butterfly->contiguousDouble()[i] = QNaN;
else
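Review bot: `RELEASE_ASSERT(!arrayStorage()->m_sparseMap);` runs only after the compaction loop above it has already stored through `indexingData<indexingType>()[numDefined++]`. In a release build, a violated invariant is therefore detected after the vector has been rewritten. If the absence of a sparse map is a precondition of compaction, the check belongs before the first loop. Whether it is already checked earlier cannot be seen, because the function begins outside this hunk.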
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (141028 => 141029)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2013-01-29 01:01:37 UTC (rev 141028)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2013-01-29 01:22:12 UTC (rev 141029)
@@ -845,6 +845,7 @@
JSValue getHolyIndexQuickly(unsigned i)
{
+ ASSERT(i < m_butterfly->vectorLength());
switch (structure()->indexingType()) {
case ALL_INT32_INDEXING_TYPES:
case ALL_CONTIGUOUS_INDEXING_TYPES:
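Review bot: getHolyIndexQuickly() now has a precondition, `i < m_butterfly->vectorLength()`, but it is checked only by ASSERT and is not documented for callers. A comment above the function, for example `// Caller must guarantee i < m_butterfly->vectorLength(); verified in debug builds only.`, would make the contract explicit. The JSArray.cpp guards changed from `>` to `>=` in this commit are callers that could previously pass i == vectorLength(). The assertion also dereferences m_butterfly before the switch has established the indexing type. The rest of the switch is outside the hunk, so whether every reachable case has a butterfly cannot be confirmed here.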