Changeset 245145 in webkit

Timestamp:

May 9, 2019 10:56:47 AM (5 years ago)

Author:

keith_miller@apple.com

Message:

REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory
​https://bugs.webkit.org/show_bug.cgi?id=197740

Reviewed by Saam Barati.

If a TypedArray constructor is called with just 0 as the first argument, we don't allocate a backing vector.
This means we need to handle null when calling vector() in ConstructionContext.

• runtime/JSArrayBufferView.h:

(JSC::JSArrayBufferView::ConstructionContext::vector const):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/JSArrayBufferView.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-05-09  Keith Miller  <keith_miller@apple.com>
+
+        REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory
+        https://bugs.webkit.org/show_bug.cgi?id=197740
+
+        Reviewed by Saam Barati.
+
+        If a TypedArray constructor is called with just 0 as the first argument, we don't allocate a backing vector.
+        This means we need to handle null when calling vector() in ConstructionContext.
+
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::ConstructionContext::vector const):
+
 2019-05-09  Xan López  <xan@igalia.com>
 

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -136 +136 @@
         
         Structure* structure() const { return m_structure; }
-        void* vector() const { return m_vector.get(m_length); }
+        void* vector() const { return m_vector.getMayBeNull(m_length); }
         uint32_t length() const { return m_length; }
         TypedArrayMode mode() const { return m_mode; }