Changeset 169758 in webkit

Timestamp:

Jun 10, 2014, 1:29:29 PM (11 years ago)

Author:

mark.lam@apple.com

Message:

Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
<​https://webkit.org/b/133356>

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:
The root cause of this issue is that a nonPropertyTransition can transition
a pinned dictionary structure to an unpinned dictionary structure. The new
structure will get a copy of the property table from the original structure.
However, when a GC occurs, the property table in the new structure will be
cleared because it is unpinned. This leads to complications in subsequent
derivative structures when flattening occurs, which eventually leads to the
assertion failure in this bug.

The fix is to ensure that the new dictionary structure generated by the
nonPropertyTransition will have a copy of its predecessor's property table
and is pinned.

• runtime/Structure.cpp:

(JSC::Structure::nonPropertyTransition):

LayoutTests:

• TestExpectations:
• Undoing expectation for js/primitive-property-access-edge-cases.html now that the bug is fixed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-06-10  Mark Lam  <mark.lam@apple.com>
+
+        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
+        <https://webkit.org/b/133356>
+
+        Reviewed by Mark Hahnenberg.
+
+        * TestExpectations:
+        - Undoing expectation for js/primitive-property-access-edge-cases.html now
+          that the bug is fixed.
+
 2014-06-10  Alexey Proskuryakov  <ap@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -128 +128 @@
 webkit.org/b/132791 svg/as-object/sizing/svg-in-object-placeholder-height-auto.html [ Skip ]
 
-webkit.org/b/133356 js/primitive-property-access-edge-cases.html [ Pass Crash ]
-
 webkit.org/b/133057 fast/table/border-collapsing/collapsed-borders-adjoining-sections.html [ ImageOnlyFailure ]

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-06-10  Mark Lam  <mark.lam@apple.com>
+
+        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
+        <https://webkit.org/b/133356>
+
+        Reviewed by Mark Hahnenberg.
+
+        The root cause of this issue is that a nonPropertyTransition can transition
+        a pinned dictionary structure to an unpinned dictionary structure.  The new
+        structure will get a copy of the property table from the original structure.
+        However, when a GC occurs, the property table in the new structure will be
+        cleared because it is unpinned.  This leads to complications in subsequent
+        derivative structures when flattening occurs, which eventually leads to the
+        assertion failure in this bug.
+
+        The fix is to ensure that the new dictionary structure generated by the
+        nonPropertyTransition will have a copy of its predecessor's property table
+        and is pinned.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::nonPropertyTransition):
+
 2014-06-10  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -655 +655 @@
     }
     
-    if (Structure* existingTransition = structure->m_transitionTable.get(0, attributes)) {
+    Structure* existingTransition;
+    if (!structure->isDictionary() && (existingTransition = structure->m_transitionTable.get(0, attributes))) {
         ASSERT(existingTransition->m_attributesInPrevious == attributes);
         ASSERT(existingTransition->indexingTypeIncludingHistory() == indexingType);
@@ -668 +669 @@
     checkOffset(transition->m_offset, transition->inlineCapacity());
     
-    {
+    if (structure->isDictionary())
+        transition->pin();
+    else {
         ConcurrentJITLocker locker(structure->m_lock);
         structure->m_transitionTable.add(vm, transition);