Title: [171953] trunk/Source/_javascript_Core
- Revision: 171953
- Author: [email protected]
- Date: 2014-08-01 15:49:51 -0700 (Fri, 01 Aug 2014)
Log Message
Add some structure related assertions.
<https://webkit.org/b/135523>
Reviewed by Geoffrey Garen.
Adding 2 assertions:
1. assert that we don't index past the end of the StructureIDTable.
This should never happen, but this assertion will help catch bugs
where a bad structureID gets passed in.
2. assert that cells in MarkedBlock::callDestructor() that are not
zapped should have a non-null StructureID. This will help us catch
bugs where the other cell header flag bits get set after the cell is
zapped, thereby making the cell look like an unzapped cell that has a
null structureID.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::get):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (171952 => 171953)
--- trunk/Source/_javascript_Core/ChangeLog 2014-08-01 22:47:57 UTC (rev 171952)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-08-01 22:49:51 UTC (rev 171953)
@@ -1,3 +1,25 @@
+2014-08-01 Mark Lam <[email protected]>
+
+ Add some structure related assertions.
+ <https://webkit.org/b/135523>
+
+ Reviewed by Geoffrey Garen.
+
+ Adding 2 assertions:
+ 1. assert that we don't index pass the end of the StructureIDTable.
+ This should never happen, but this assertion will help catch bugs
+ where a bad structureID gets passed in.
+ 2. assert that cells in MarkedBlock::callDestructor() that are not
+ zapped should have a non-null StructureID. This will help us catch
+ bugs where the other cell header flag bits get set after the cell is
+ zapped, thereby making the cell look like an unzapped cell but has a
+ null structureID.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::callDestructor):
+ * runtime/StructureIDTable.h:
+ (JSC::StructureIDTable::get):
+
2014-08-01 Csaba Osztrogonác <[email protected]>
URTBF after r171946 to fix non-Apple builds.
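Review bot: the ChangeLog entry has a typo in item 1, "index pass the end of the StructureIDTable" should read "index past the end". It would also help future readers if the entry said that both new checks are ASSERT() and therefore only active in debug builds; as written, the entry reads as if release builds also gain protection against a bad structureID.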
Modified: trunk/Source/_javascript_Core/heap/MarkedBlock.cpp (171952 => 171953)
--- trunk/Source/_javascript_Core/heap/MarkedBlock.cpp 2014-08-01 22:47:57 UTC (rev 171952)
+++ trunk/Source/_javascript_Core/heap/MarkedBlock.cpp 2014-08-01 22:49:51 UTC (rev 171953)
@@ -61,6 +61,7 @@
if (cell->isZapped())
return;
+ ASSERT(cell->structureID());
if (dtorType == MarkedBlock::Normal)
jsCast<JSDestructibleObject*>(cell)->classInfo()->methodTable.destroy(cell);
else
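Review bot: ASSERT(cell->structureID()) is a debug-only check, so in release builds a cell that passes isZapped() while carrying a null StructureID still falls through to jsCast<JSDestructibleObject*>(cell)->classInfo(), which needs the cell's structure. If the bug class this is meant to catch (header flag bits set after the cell is zapped) is believed to reach shipping builds, a RELEASE_ASSERT here would turn a wild dereference during destruction into a deterministic crash; otherwise the ChangeLog should state that the coverage is debug-only. The placement after the isZapped() early return is right, since zapped cells legitimately carry a null StructureID.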
Modified: trunk/Source/_javascript_Core/runtime/StructureIDTable.h (171952 => 171953)
--- trunk/Source/_javascript_Core/runtime/StructureIDTable.h 2014-08-01 22:47:57 UTC (rev 171952)
+++ trunk/Source/_javascript_Core/runtime/StructureIDTable.h 2014-08-01 22:49:51 UTC (rev 171953)
@@ -83,6 +83,7 @@
inline Structure* StructureIDTable::get(StructureID structureID)
{
#if USE(JSVALUE64)
+ ASSERT(structureID && structureID < m_capacity);
return table()[structureID].structure;
#else
return structureID;
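Review bot: ASSERT(structureID && structureID < m_capacity) bounds the index against m_capacity, the allocated table size, not against the number of IDs actually handed out, so a stale or never-issued ID that is still below capacity passes the check and returns whatever that slot holds. If the table tracks its current size separately, comparing against that would be the tighter invariant. As with the MarkedBlock change, this is ASSERT() and compiles out in release builds, where table()[structureID] is still indexed unchecked. Keeping the check inside the USE(JSVALUE64) branch only is fine, since the other branch returns structureID directly without indexing.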
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes