Changeset 54073 in webkit
- Timestamp:
- Jan 29, 2010 11:46:57 AM (14 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/JavaScriptCore/ChangeLog
r54050 r54073 1 2010-01-29 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Darin Adler. 4 5 JSC is failing to propagate anonymous slot count on some transitions 6 https://bugs.webkit.org/show_bug.cgi?id=34321 7 8 Remove the unsafe two argument Structure::create method, and correct 9 the uses of it to propagate the anonymous slot count. 10 11 * runtime/JSObject.h: 12 (JSC::JSObject::setStructure): 13 * runtime/Structure.cpp: 14 (JSC::Structure::addPropertyTransition): 15 (JSC::Structure::changePrototypeTransition): 16 (JSC::Structure::despecifyFunctionTransition): 17 (JSC::Structure::getterSetterTransition): 18 (JSC::Structure::toDictionaryTransition): 19 * runtime/Structure.h: 20 1 21 2010-01-29 Simon Hausmann <simon.hausmann@nokia.com> 2 22 -
trunk/JavaScriptCore/runtime/JSObject.h
r54040 r54073 316 316 inline void JSObject::setStructure(NonNullPassRefPtr<Structure> structure) 317 317 { 318 ASSERT(structure->anonymousSlotCount() == m_structure->anonymousSlotCount()); 318 319 m_structure->deref(); 319 320 m_structure = structure.releaseRef(); // ~JSObject balances this ref() -
trunk/JavaScriptCore/runtime/Structure.cpp
r54022 r54073 367 367 } 368 368 369 RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo() );369 RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo(), structure->anonymousSlotCount()); 370 370 371 371 transition->m_cachedPrototypeChain = structure->m_cachedPrototypeChain; … … 416 416 PassRefPtr<Structure> Structure::changePrototypeTransition(Structure* structure, JSValue prototype) 417 417 { 418 RefPtr<Structure> transition = create(prototype, structure->typeInfo() );418 RefPtr<Structure> transition = create(prototype, structure->typeInfo(), structure->anonymousSlotCount()); 419 419 420 420 transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity; … … 435 435 { 436 436 ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount); 437 RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo() );437 RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo(), structure->anonymousSlotCount()); 438 438 439 439 transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity; … … 460 460 PassRefPtr<Structure> Structure::getterSetterTransition(Structure* structure) 461 461 { 462 RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo() );462 RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo(), structure->anonymousSlotCount()); 463 463 transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity; 464 464 transition->m_hasGetterSetterProperties = transition->m_hasGetterSetterProperties; … … 479 479 ASSERT(!structure->isUncacheableDictionary()); 480 480 481 RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo() );481 RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo(), structure->anonymousSlotCount()); 482 482 transition->m_dictionaryKind = kind; 483 483 transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity; -
trunk/JavaScriptCore/runtime/Structure.h
r54022 r54073 148 148 149 149 private: 150 static PassRefPtr<Structure> create(JSValue prototype, const TypeInfo& typeInfo)151 {152 return adoptRef(new Structure(prototype, typeInfo));153 }154 155 150 Structure(JSValue prototype, const TypeInfo&); 156 151 -
trunk/LayoutTests/ChangeLog
r54062 r54073 1 2010-01-29 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Darin Adler. 4 5 JSC is failing to propagate anonymous slot count on some transitions 6 https://bugs.webkit.org/show_bug.cgi?id=34321 7 8 Add a test for modification of a type with anonymous slots. 9 10 * fast/dom/Window/anonymous-slot-with-changes-expected.txt: Added. 11 * fast/dom/Window/anonymous-slot-with-changes.html: Added. 12 1 13 2010-01-29 Philippe Normand <pnormand@igalia.com> 2 14 -
trunk/WebCore/ChangeLog
r54071 r54073 1 2010-01-29 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Darin Adler. 4 5 JSC is failing to propagate anonymous slot count on some transitions 6 https://bugs.webkit.org/show_bug.cgi?id=34321 7 8 Make code generator add assertions for anonymous slot count. 9 10 Test: fast/dom/Window/anonymous-slot-with-changes.html 11 12 * bindings/scripts/CodeGeneratorJS.pm: 13 1 14 2010-01-29 Tony Chang <tony@chromium.org> 2 15 -
trunk/WebCore/bindings/scripts/CodeGeneratorJS.pm
r54047 r54073 1186 1186 } 1187 1187 push(@implContent, "{\n"); 1188 push(@implContent, " ASSERT(static_cast<int>(this->structure()->anonymousSlotCount()) >= static_cast<int>(AnonymousSlotCount));\n"); 1188 1189 if ($numCachedAttributes > 0) { 1189 1190 push(@implContent, " for (unsigned i = Base::AnonymousSlotCount; i < AnonymousSlotCount; i++)\n");
Note: See TracChangeset
for help on using the changeset viewer.