Context Navigation

← Previous Changeset
Next Changeset →

Changeset 225933 in webkit

Timestamp:

Dec 14, 2017, 2:28:09 PM (7 years ago)

Author:

keith_miller@apple.com

Message:

Fix assertion in JSObject's structure setting methods
https://bugs.webkit.org/show_bug.cgi?id=180840

Reviewed by Mark Lam.

I forgot that when Typed Arrays have non-indexed properties
added to them, they call the generic code. The generic code
in turn calls the regular structure setting methods. Thus,
these assertions were invalid and we should just avoid setting
the indexing mask if we have a Typed Array.

runtime/JSObject.h:

(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):

Location:

trunk/Source/JavaScriptCore

Files:

: 2 edited

ChangeLog (modified) (1 diff)
runtime/JSObject.h (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-              r225930
+              r225933
+-12-14  Keith Miller  <keith_miller@apple.com>
+        Fix assertion in JSObject's structure setting methods
+        https://bugs.webkit.org/show_bug.cgi?id=180840
+        Reviewed by Mark Lam.
+        I forgot that when Typed Arrays have non-indexed properties
+        added to them, they call the generic code. The generic code
+        in turn calls the regular structure setting methods. Thus,
+        these assertions were invalid and we should just avoid setting
+        the indexing mask if we have a Typed Array.
+        * runtime/JSObject.h:
+        (JSC::JSObject::setButterfly):
+        (JSC::JSObject::nukeStructureAndSetButterfly):
 -12-14  Michael Saboff  <msaboff@apple.com>

trunk/Source/JavaScriptCore/runtime/JSObject.h

-              r225913
+              r225933
 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
+{
     ASSERT(!structure()->hijacksIndexingHeader());
     m_butterflyIndexingMask = butterfly->computeIndexingMask();
+    if (LIKELY(!structure(vm)->hijacksIndexingHeader()))
+        m_butterflyIndexingMask = butterfly->computeIndexingMask();
     ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
 …
 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
+{
     ASSERT(!vm.getStructure(oldStructureID)->hijacksIndexingHeader());
     m_butterflyIndexingMask = butterfly->computeIndexingMask();
+    if (LIKELY(!vm.getStructure(oldStructureID)->hijacksIndexingHeader()))
+        m_butterflyIndexingMask = butterfly->computeIndexingMask();
     ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 225933 in webkit

Legend:

trunk/Source/JavaScriptCore/ChangeLog

trunk/Source/JavaScriptCore/runtime/JSObject.h

Download in other formats: