Context Navigation

← Previous Changeset
Next Changeset →

Changeset 243069 in webkit

Timestamp:

Mar 18, 2019 9:18:10 AM (5 years ago)

Author:

mark.lam@apple.com

Message:

Structure::flattenDictionary() should clear unused property slots.
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>

Reviewed by Michael Saboff.

JSTests:

stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

Source/JavaScriptCore:

It currently attempts to do this but fails because it's actually clearing up the
preCapacity region instead. The fix is simply to account for the preCapacity
when computing the start address of the property slots.

runtime/Structure.cpp:

(JSC::Structure::flattenDictionaryStructure):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r243032
+                      r243069
+-03-18  Mark Lam  <mark.lam@apple.com>
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+        Reviewed by Michael Saboff.
+        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
 -03-15  Mark Lam  <mark.lam@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r243065
+                      r243069
+-03-18  Mark Lam  <mark.lam@apple.com>
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+        Reviewed by Michael Saboff.
+        It currently attempts to do this but fails because it's actually clearing up the
+        preCapacity region instead.  The fix is simply to account for the preCapacity
+        when computing the start address of the property slots.
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
 -03-18  Robin Morisset  <rmorisset@apple.com>

trunk/Source/JavaScriptCore/runtime/Structure.cpp

-                      r242123
+                      r243069
 /*
  * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
         Butterfly* butterfly = object->butterfly();
         memset(
             butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
 ,
             (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+        size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
+        void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
+        void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
+        memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
+    }

Note: See TracChangeset for help on using the changeset viewer.