Title: [143269] trunk
Revision: 143269
Author: [email protected]
Date: 2013-02-18 15:21:06 -0800 (Mon, 18 Feb 2013)

Log Message
Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
https://bugs.webkit.org/show_bug.cgi?id=110155
<rdar://problem/13233773>
Source/JavaScriptCore:

Reviewed by Mark Rowe.

This was a rookie mistake. It was doing:

    for (blah) {
        m_offset = foo // foo's monotonically increase in the loop
    }

as a way of computing max offset for all of the properties. Except what if the loop doesn't
execute because there are no properties? Well, then, you're going to have a bogus m_offset.

The solution is to initialize m_offset at the top of the loop.

* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

LayoutTests:

Reviewed by Mark Rowe.

* fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt: Added.
* fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js: Added.
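
The stale-maximum pattern the log message describes, as an added example that is not WebKit code and not part of this commit. ModelStructure, Entry, add, removeLast and offsetAfterFlatten are hypothetical names, the offset numbering is simplified, and the value of invalidOffset is assumed.

```cpp
// Added illustration: a simplified model, not WebKit's Structure class.
#include <cstdio>
#include <vector>

static const int invalidOffset = -1; // name from the patch; value assumed for this model

struct Entry { int offset; };

struct ModelStructure {               // hypothetical stand-in for JSC::Structure
    std::vector<Entry> propertyTable; // live properties only
    int m_offset = invalidOffset;     // highest property offset in use

    void add() {
        m_offset = static_cast<int>(propertyTable.size());
        propertyTable.push_back({m_offset});
    }
    // Model assumption: a dictionary-mode delete drops the entry but leaves m_offset alone.
    void removeLast() { propertyTable.pop_back(); }

    // Compacts offsets; resetFirst=false is the pre-patch pattern, true is the patched one.
    void flatten(bool resetFirst) {
        if (resetFirst)
            m_offset = invalidOffset; // the line the patch adds
        int i = 0;
        for (Entry& e : propertyTable)
            m_offset = e.offset = i++; // only runs when properties remain
    }
};

// Adds `added` properties, deletes `deleted` of them, flattens, returns m_offset.
int offsetAfterFlatten(int added, int deleted, bool resetFirst) {
    ModelStructure s;
    for (int k = 0; k < added; ++k) s.add();
    for (int k = 0; k < deleted; ++k) s.removeLast();
    s.flatten(resetFirst);
    return s.m_offset;
}

int main() {
    // 1000 added and 1000 deleted mirrors the layout test in this commit.
    std::printf("pre-patch, all deleted: %d\n", offsetAfterFlatten(1000, 1000, false));
    std::printf("patched,   all deleted: %d\n", offsetAfterFlatten(1000, 1000, true));
    std::printf("pre-patch, 10 left:     %d\n", offsetAfterFlatten(1000, 990, false));
    std::printf("patched,   10 left:     %d\n", offsetAfterFlatten(1000, 990, true));
    return 0;
}
```

With every property deleted, the pre-patch variant keeps the offset of the last property ever added, while both variants agree whenever the loop runs at least once.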
Diff
Modified: trunk/LayoutTests/ChangeLog (143268 => 143269)
--- trunk/LayoutTests/ChangeLog 2013-02-18 23:15:51 UTC (rev 143268)
+++ trunk/LayoutTests/ChangeLog 2013-02-18 23:21:06 UTC (rev 143269)
@@ -1,3 +1,16 @@
+2013-02-18 Filip Pizlo <[email protected]>
+
+ Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
+ https://bugs.webkit.org/show_bug.cgi?id=110155
+ <rdar://problem/13233773>
+
+ Reviewed by Mark Rowe.
+
+ * fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt: Added.
+ * fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html: Added.
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js: Added.
+
2013-02-18 Stephen Chenney <[email protected]>
feFlood incorrectly applied color-interpolation-filters
Added: trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt (0 => 143269)
--- trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt 2013-02-18 23:21:06 UTC (rev 143269)
@@ -0,0 +1,109 @@
+Tests that deleting all properties from an object and then flattening it doesn't cause inconsistencies.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS p.f is 42
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html (0 => 143269)
--- trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html (rev 0)
+++ trunk/LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html 2013-02-18 23:21:06 UTC (rev 143269)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
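Review bot: all three `<script src=""` lines (one in the head, two in the body) have an empty src and no closing `>` or `</script>`, so as shown this page would load neither the test harness nor script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js, and the PASS lines in the expected file could not be produced. Confirm the committed file carries the real src paths and properly closed script elements.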
Modified: trunk/LayoutTests/fast/js/jsc-test-list (143268 => 143269)
--- trunk/LayoutTests/fast/js/jsc-test-list 2013-02-18 23:15:51 UTC (rev 143268)
+++ trunk/LayoutTests/fast/js/jsc-test-list 2013-02-18 23:21:06 UTC (rev 143269)
@@ -207,6 +207,7 @@
fast/js/exception-with-handler-inside-eval-with-dynamic-scope
fast/js/excessive-comma-usage
fast/js/finally-codegen-failure
+fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted
fast/js/for-in-avoid-duplicates
fast/js/for-in-cached
fast/js/for-in-exeception
Added: trunk/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js (0 => 143269)
--- trunk/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js 2013-02-18 23:21:06 UTC (rev 143269)
@@ -0,0 +1,20 @@
+description(
+"Tests that deleting all properties from an object and then flattening it doesn't cause inconsistencies."
+);
+
+var o = {};
+
+for (var i = 0; i < 1000; ++i)
+ o["a" + i] = i;
+
+for (var i = 0; i < 1000; ++i)
+ delete o["a" + i];
+
+var p = {};
+p.__proto__ = o;
+
+var q = {f:42};
+o.__proto__ = q;
+
+for (var i = 0; i < 100; ++i)
+ shouldBe("p.f", "42");
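Review bot: the only assertion is the p.f read through the prototype chain, so o itself is never examined after the delete loop and a wrong m_offset is caught only indirectly. Consider also storing a property on o after the shouldBe loop and reading it back (for example o.g = 1 followed by shouldBe("o.g", "1")), which would exercise an offset derived from m_offset on the flattened structure. A short comment saying why 1000 properties and 100 iterations were chosen would help anyone who later needs to adjust the test.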
Modified: trunk/Source/_javascript_Core/ChangeLog (143268 => 143269)
--- trunk/Source/_javascript_Core/ChangeLog 2013-02-18 23:15:51 UTC (rev 143268)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-02-18 23:21:06 UTC (rev 143269)
@@ -1,3 +1,25 @@
+2013-02-18 Filip Pizlo <[email protected]>
+
+ Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
+ https://bugs.webkit.org/show_bug.cgi?id=110155
+ <rdar://problem/13233773>
+
+ Reviewed by Mark Rowe.
+
+ This was a rookie mistake. It was doing:
+
+ for (blah) {
+ m_offset = foo // foo's monotonically increase in the loop
+ }
+
+ as a way of computing max offset for all of the properties. Except what if the loop doesn't
+ execute because there are no properties? Well, then, you're going to have a bogus m_offset.
+
+ The solution is to initialize m_offset at the top of the loop.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+
2013-02-18 Balazs Kilvady <[email protected]>
MIPS DFG implementation.
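Review bot: "initialize m_offset at the top of the loop" in the last paragraph of the new entry reads as if the assignment sits inside the loop body, whereas the Structure.cpp change puts `m_offset = invalidOffset;` before the `for` statement; "before the loop" would match the code. The entry also stops at "a bogus m_offset" without saying what later consumes that value, which is the part a reader needs to judge the impact of the bug.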
Modified: trunk/Source/_javascript_Core/runtime/Structure.cpp (143268 => 143269)
--- trunk/Source/_javascript_Core/runtime/Structure.cpp 2013-02-18 23:15:51 UTC (rev 143268)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp 2013-02-18 23:21:06 UTC (rev 143269)
@@ -643,6 +643,7 @@
// Copies out our values from their hashed locations, compacting property table offsets as we go.
unsigned i = 0;
PropertyTable::iterator end = m_propertyTable->end();
+ m_offset = invalidOffset;
for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter, ++i) {
values[i] = object->getDirect(iter->offset);
m_offset = iter->offset = offsetForPropertyNumber(i, m_inlineCapacity);
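Review bot: the added `m_offset = invalidOffset;` has no comment, and the reason for it (the loop below runs zero times when every property has been deleted) is not evident from the code alone; a one-line comment above it would keep someone from removing it as redundant. Since m_offset is rewritten on every iteration only to retain the final value, assigning it once after the loop from i, with invalidOffset when i is 0, would state the intent more directly. An ASSERT after the loop relating m_offset to the number of entries copied would catch a regression of this case.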