Changeset 54073 in webkit


Ignore:
Timestamp:
Jan 29, 2010 11:46:57 AM (14 years ago)
Author:
oliver@apple.com
Message:

2010-01-29 Oliver Hunt <oliver@apple.com>

Reviewed by Darin Adler.

JSC is failing to propagate anonymous slot count on some transitions
https://bugs.webkit.org/show_bug.cgi?id=34321

Remove the unsafe two argument Structure::create method, and correct
the uses of it to propagate the anonymous slot count.

  • runtime/JSObject.h: (JSC::JSObject::setStructure):
  • runtime/Structure.cpp: (JSC::Structure::addPropertyTransition): (JSC::Structure::changePrototypeTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::getterSetterTransition): (JSC::Structure::toDictionaryTransition):
  • runtime/Structure.h:

2010-01-29 Oliver Hunt <oliver@apple.com>

Reviewed by Darin Adler.

JSC is failing to propagate anonymous slot count on some transitions
https://bugs.webkit.org/show_bug.cgi?id=34321

Add a test for modification of a type with anonymous slots.

  • fast/dom/Window/anonymous-slot-with-changes-expected.txt: Added.
  • fast/dom/Window/anonymous-slot-with-changes.html: Added.

2010-01-29 Oliver Hunt <oliver@apple.com>

Reviewed by Darin Adler.

JSC is failing to propagate anonymous slot count on some transitions
https://bugs.webkit.org/show_bug.cgi?id=34321

Make code generator add assertions for anonymous slot count.

Test: fast/dom/Window/anonymous-slot-with-changes.html

  • bindings/scripts/CodeGeneratorJS.pm:
Location:
trunk
Files:
2 added
7 edited

Legend:

Unmodified
Added
Removed
  • trunk/JavaScriptCore/ChangeLog

    r54050 r54073  
     12010-01-29  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        JSC is failing to propagate anonymous slot count on some transitions
     6        https://bugs.webkit.org/show_bug.cgi?id=34321
     7
     8        Remove the unsafe two argument Structure::create method, and correct
     9        the uses of it to propagate the anonymous slot count.
     10
     11        * runtime/JSObject.h:
     12        (JSC::JSObject::setStructure):
     13        * runtime/Structure.cpp:
     14        (JSC::Structure::addPropertyTransition):
     15        (JSC::Structure::changePrototypeTransition):
     16        (JSC::Structure::despecifyFunctionTransition):
     17        (JSC::Structure::getterSetterTransition):
     18        (JSC::Structure::toDictionaryTransition):
     19        * runtime/Structure.h:
     20
    1212010-01-29  Simon Hausmann  <simon.hausmann@nokia.com>
    222
  • trunk/JavaScriptCore/runtime/JSObject.h

    r54040 r54073  
    316316inline void JSObject::setStructure(NonNullPassRefPtr<Structure> structure)
    317317{
     318    ASSERT(structure->anonymousSlotCount() == m_structure->anonymousSlotCount());
    318319    m_structure->deref();
    319320    m_structure = structure.releaseRef(); // ~JSObject balances this ref()
  • trunk/JavaScriptCore/runtime/Structure.cpp

    r54022 r54073  
    367367    }
    368368
    369     RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
     369    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo(), structure->anonymousSlotCount());
    370370
    371371    transition->m_cachedPrototypeChain = structure->m_cachedPrototypeChain;
     
    416416PassRefPtr<Structure> Structure::changePrototypeTransition(Structure* structure, JSValue prototype)
    417417{
    418     RefPtr<Structure> transition = create(prototype, structure->typeInfo());
     418    RefPtr<Structure> transition = create(prototype, structure->typeInfo(), structure->anonymousSlotCount());
    419419
    420420    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
     
    435435{
    436436    ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount);
    437     RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
     437    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo(), structure->anonymousSlotCount());
    438438
    439439    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
     
    460460PassRefPtr<Structure> Structure::getterSetterTransition(Structure* structure)
    461461{
    462     RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
     462    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo(), structure->anonymousSlotCount());
    463463    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
    464464    transition->m_hasGetterSetterProperties = transition->m_hasGetterSetterProperties;
     
    479479    ASSERT(!structure->isUncacheableDictionary());
    480480   
    481     RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
     481    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo(), structure->anonymousSlotCount());
    482482    transition->m_dictionaryKind = kind;
    483483    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
  • trunk/JavaScriptCore/runtime/Structure.h

    r54022 r54073  
    148148       
    149149    private:
    150         static PassRefPtr<Structure> create(JSValue prototype, const TypeInfo& typeInfo)
    151         {
    152             return adoptRef(new Structure(prototype, typeInfo));
    153         }
    154 
    155150        Structure(JSValue prototype, const TypeInfo&);
    156151       
  • trunk/LayoutTests/ChangeLog

    r54062 r54073  
     12010-01-29  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        JSC is failing to propagate anonymous slot count on some transitions
     6        https://bugs.webkit.org/show_bug.cgi?id=34321
     7
     8        Add a test for modification of a type with anonymous slots.
     9
     10        * fast/dom/Window/anonymous-slot-with-changes-expected.txt: Added.
     11        * fast/dom/Window/anonymous-slot-with-changes.html: Added.
     12
    1132010-01-29  Philippe Normand  <pnormand@igalia.com>
    214
  • trunk/WebCore/ChangeLog

    r54071 r54073  
     12010-01-29  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        JSC is failing to propagate anonymous slot count on some transitions
     6        https://bugs.webkit.org/show_bug.cgi?id=34321
     7
     8        Make code generator add assertions for anonymous slot count.
     9
     10        Test: fast/dom/Window/anonymous-slot-with-changes.html
     11
     12        * bindings/scripts/CodeGeneratorJS.pm:
     13
    1142010-01-29  Tony Chang  <tony@chromium.org>
    215
  • trunk/WebCore/bindings/scripts/CodeGeneratorJS.pm

    r54047 r54073  
    11861186    }
    11871187    push(@implContent, "{\n");
     1188    push(@implContent, "    ASSERT(static_cast<int>(this->structure()->anonymousSlotCount()) >= static_cast<int>(AnonymousSlotCount));\n");
    11881189    if ($numCachedAttributes > 0) {
    11891190        push(@implContent, "    for (unsigned i = Base::AnonymousSlotCount; i < AnonymousSlotCount; i++)\n");
Note: See TracChangeset for help on using the changeset viewer.