Diff
Modified: trunk/LayoutTests/ChangeLog (192765 => 192766)
--- trunk/LayoutTests/ChangeLog 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/LayoutTests/ChangeLog 2015-11-24 21:37:37 UTC (rev 192766)
@@ -1,3 +1,26 @@
+2015-11-24 Commit Queue <[email protected]>
+
+ Unreviewed, rolling out r192536, r192722, and r192743.
+ https://bugs.webkit.org/show_bug.cgi?id=151593
+
+ Still causing trouble. (Requested by kling on #webkit).
+
+ Reverted changesets:
+
+ "[JSC] JSPropertyNameEnumerator could be destructorless."
+ https://bugs.webkit.org/show_bug.cgi?id=151242
+ http://trac.webkit.org/changeset/192536
+
+ "REGRESSION(r192536): Null pointer dereference in
+ JSPropertyNameEnumerator::visitChildren()."
+ https://bugs.webkit.org/show_bug.cgi?id=151495
+ http://trac.webkit.org/changeset/192722
+
+ "REGRESSION(r192536): Null pointer dereference in
+ JSPropertyNameEnumerator::visitChildren()."
+ https://bugs.webkit.org/show_bug.cgi?id=151495
+ http://trac.webkit.org/changeset/192743
+
2015-11-24 Xabier Rodriguez Calvar <[email protected]>
[Streams API] Implement pipeTo method in readable Stream
Deleted: trunk/LayoutTests/js/property-name-enumerator-gc-151495-expected.txt (192765 => 192766)
--- trunk/LayoutTests/js/property-name-enumerator-gc-151495-expected.txt 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/LayoutTests/js/property-name-enumerator-gc-151495-expected.txt 2015-11-24 21:37:37 UTC (rev 192766)
@@ -1,9 +0,0 @@
-Regression test for https://webkit.org/b/151495. - This test should not crash.
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Deleted: trunk/LayoutTests/js/property-name-enumerator-gc-151495.html (192765 => 192766)
--- trunk/LayoutTests/js/property-name-enumerator-gc-151495.html 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/LayoutTests/js/property-name-enumerator-gc-151495.html 2015-11-24 21:37:37 UTC (rev 192766)
@@ -1,10 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src=""
-</head>
-<body>
-<script src=""
-<script src=""
-</body>
-</html>
Deleted: trunk/LayoutTests/js/script-tests/property-name-enumerator-gc-151495.js (192765 => 192766)
--- trunk/LayoutTests/js/script-tests/property-name-enumerator-gc-151495.js 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/LayoutTests/js/script-tests/property-name-enumerator-gc-151495.js 2015-11-24 21:37:37 UTC (rev 192766)
@@ -1,9 +0,0 @@
-description("Regression test for https://webkit.org/b/151495. - This test should not crash.");
-
-var x = { a: 1, b: 2, c: 3, d: 4, e: 5, f: 6 };
-for (i = 0; i < 2000; ++i) {
- // Keep adding new properties...
- x["foo" + i] = 1;
- // ...to force creation of new JSPropertyNameEnumerator objects.
- for (j in x) { }
-}
Modified: trunk/Source/_javascript_Core/ChangeLog (192765 => 192766)
--- trunk/Source/_javascript_Core/ChangeLog 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-11-24 21:37:37 UTC (rev 192766)
@@ -1,3 +1,26 @@
+2015-11-24 Commit Queue <[email protected]>
+
+ Unreviewed, rolling out r192536, r192722, and r192743.
+ https://bugs.webkit.org/show_bug.cgi?id=151593
+
+ Still causing trouble. (Requested by kling on #webkit).
+
+ Reverted changesets:
+
+ "[JSC] JSPropertyNameEnumerator could be destructorless."
+ https://bugs.webkit.org/show_bug.cgi?id=151242
+ http://trac.webkit.org/changeset/192536
+
+ "REGRESSION(r192536): Null pointer dereference in
+ JSPropertyNameEnumerator::visitChildren()."
+ https://bugs.webkit.org/show_bug.cgi?id=151495
+ http://trac.webkit.org/changeset/192722
+
+ "REGRESSION(r192536): Null pointer dereference in
+ JSPropertyNameEnumerator::visitChildren()."
+ https://bugs.webkit.org/show_bug.cgi?id=151495
+ http://trac.webkit.org/changeset/192743
+
2015-11-23 Brian Burg <[email protected]>
Unreviewed, fix the Mac CMake build after r192793.
Modified: trunk/Source/_javascript_Core/heap/CopyToken.h (192765 => 192766)
--- trunk/Source/_javascript_Core/heap/CopyToken.h 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/Source/_javascript_Core/heap/CopyToken.h 2015-11-24 21:37:37 UTC (rev 192766)
@@ -32,8 +32,7 @@
ButterflyCopyToken,
TypedArrayVectorCopyToken,
MapBackingStoreCopyToken,
- DirectArgumentsOverridesCopyToken,
- JSPropertyNameEnumeratorCopyToken,
+ DirectArgumentsOverridesCopyToken
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp (192765 => 192766)
--- trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp 2015-11-24 21:37:37 UTC (rev 192766)
@@ -26,8 +26,6 @@
#include "config.h"
#include "JSPropertyNameEnumerator.h"
-#include "CopiedBlockInlines.h"
-#include "CopyVisitorInlines.h"
#include "JSCInlines.h"
#include "StrongInlines.h"
@@ -72,47 +70,25 @@
m_endStructurePropertyIndex = endStructurePropertyIndex;
m_endGenericPropertyIndex = vector.size();
- if (!vector.isEmpty()) {
- void* backingStore;
- RELEASE_ASSERT(vm.heap.tryAllocateStorage(this, propertyNameCacheSize(), &backingStore));
- WriteBarrier<JSString>* propertyNames = reinterpret_cast<WriteBarrier<JSString>*>(backingStore);
-
- for (unsigned i = 0; i < vector.size(); ++i)
- propertyNames[i].set(vm, this, jsString(&vm, vector[i].string()));
-
- m_propertyNames.set(vm, this, propertyNames);
+ m_propertyNames.resizeToFit(vector.size());
+ for (unsigned i = 0; i < vector.size(); ++i) {
+ const Identifier& identifier = vector[i];
+ m_propertyNames[i].set(vm, this, jsString(&vm, identifier.string()));
}
}
+void JSPropertyNameEnumerator::destroy(JSCell* cell)
+{
+ jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
+}
+
void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
{
Base::visitChildren(cell, visitor);
JSPropertyNameEnumerator* thisObject = jsCast<JSPropertyNameEnumerator*>(cell);
+ for (unsigned i = 0; i < thisObject->m_propertyNames.size(); ++i)
+ visitor.append(&thisObject->m_propertyNames[i]);
visitor.append(&thisObject->m_prototypeChain);
-
- if (auto* propertyNames = thisObject->m_propertyNames.getWithoutBarrier()) {
- for (unsigned i = 0; i < thisObject->cachedPropertyNameCount(); ++i)
- visitor.append(&propertyNames[i]);
- visitor.copyLater(
- thisObject, JSPropertyNameEnumeratorCopyToken,
- propertyNames, thisObject->propertyNameCacheSize());
- }
}
-void JSPropertyNameEnumerator::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
- JSPropertyNameEnumerator* thisObject = jsCast<JSPropertyNameEnumerator*>(cell);
- ASSERT_GC_OBJECT_INHERITS(thisObject, info());
-
- RELEASE_ASSERT(token == JSPropertyNameEnumeratorCopyToken);
-
- void* oldPropertyNames = thisObject->m_propertyNames.getWithoutBarrier();
- if (visitor.checkIfShouldCopy(oldPropertyNames)) {
- WriteBarrier<JSString>* newPropertyNames = static_cast<WriteBarrier<JSString>*>(visitor.allocateNewSpace(thisObject->propertyNameCacheSize()));
- memcpy(newPropertyNames, oldPropertyNames, thisObject->propertyNameCacheSize());
- thisObject->m_propertyNames.setWithoutBarrier(newPropertyNames);
- visitor.didCopy(oldPropertyNames, thisObject->propertyNameCacheSize());
- }
-}
-
} // namespace JSC
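Review bot: The restored visitChildren() casts `cell` and walks `m_propertyNames` without `ASSERT_GC_OBJECT_INHERITS(thisObject, info());`, the check the removed copyBackingStore() carried. Adding that line right after the `jsCast` keeps an explicit debug-build type check on the marking path. Separately, this rollout deletes property-name-enumerator-gc-151495.js, which only grows an object and re-enumerates it in a loop. That test looks independent of the reverted implementation, so keeping it would cover this Vector-based path and any later re-land. finishCreation() begins above the hunk.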
Modified: trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h (192765 => 192766)
--- trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h 2015-11-24 18:47:19 UTC (rev 192765)
+++ trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h 2015-11-24 21:37:37 UTC (rev 192766)
@@ -43,6 +43,9 @@
static JSPropertyNameEnumerator* create(VM&);
static JSPropertyNameEnumerator* create(VM&, Structure*, uint32_t, uint32_t, PropertyNameArray&);
+ static const bool needsDestruction = true;
+ static void destroy(JSCell*);
+
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
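Review bot: `needsDestruction = true` and `destroy()` come back with no indication of why this cell needs a destructor. A comment above them would help, e.g. `// m_propertyNames is a Vector that owns heap storage, so the cell must be destructed to free it.` Without it, a later cleanup that drops the flag would leak that buffer (inferred from the Vector member restored further down in this file). The class body starts and ends outside this hunk.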
@@ -52,9 +55,9 @@
JSString* propertyNameAtIndex(uint32_t index) const
{
- if (index >= cachedPropertyNameCount())
+ if (index >= m_propertyNames.size())
return nullptr;
- return m_propertyNames.get(this)[index].get();
+ return m_propertyNames[index].get();
}
StructureChain* cachedPrototypeChain() const { return m_prototypeChain.get(); }
@@ -78,30 +81,18 @@
static ptrdiff_t cachedInlineCapacityOffset() { return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_cachedInlineCapacity); }
static ptrdiff_t cachedPropertyNamesVectorOffset()
{
- return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_propertyNames);
+ return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_propertyNames) + Vector<WriteBarrier<JSString>>::dataMemoryOffset();
}
static void visitChildren(JSCell*, SlotVisitor&);
- static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
- uint32_t cachedPropertyNameCount() const
- {
- // Note that this depends on m_endGenericPropertyIndex being the number of entries in m_propertyNames.
- return m_endGenericPropertyIndex;
- }
-
- size_t propertyNameCacheSize() const
- {
- return WTF::roundUpToMultipleOf<8>(cachedPropertyNameCount() * sizeof(WriteBarrier<JSString>));
- }
-
private:
JSPropertyNameEnumerator(VM&, StructureID, uint32_t);
void finishCreation(VM&, uint32_t, uint32_t, PassRefPtr<PropertyNameArrayData>);
- CopyBarrier<WriteBarrier<JSString>> m_propertyNames;
- WriteBarrier<StructureChain> m_prototypeChain;
+ Vector<WriteBarrier<JSString>> m_propertyNames;
StructureID m_cachedStructureID;
+ WriteBarrier<StructureChain> m_prototypeChain;
uint32_t m_indexedLength;
uint32_t m_endStructurePropertyIndex;
uint32_t m_endGenericPropertyIndex;
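Review bot: cachedPropertyNamesVectorOffset() now yields the offset of the Vector's buffer pointer rather than of the member, and the removed note that `m_endGenericPropertyIndex` is the number of entries in `m_propertyNames` is not replaced. Code that reads names through this offset (presumably generated code, not visible here) bypasses the `m_propertyNames.size()` check in propertyNameAtIndex(), so the invariant deserves a comment on the accessor, e.g. `// Offset of the Vector's buffer pointer; indices must be bounded by m_endGenericPropertyIndex, which finishCreation() sets to m_propertyNames.size().` A debug assertion of that equality at the end of finishCreation() in the .cpp would make it checkable. The class body begins outside the hunk.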