Changeset 54265 in webkit

Timestamp:

Feb 2, 2010 5:13:47 PM (14 years ago)

Author:

oliver@apple.com

Message:

2010-02-02 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Crash in CollectorBitmap::get at nbcolympics.com
​https://bugs.webkit.org/show_bug.cgi?id=34504

This was caused by the use of m_offset to determine the offset of
a new property into the property storage. This patch corrects
the effected cases by incorporating the anonymous slot count. It
also removes the duplicate copy of anonymous slot count from the
property table as keeping this up to date merely increased the
chance of a mismatch. Finally I've added a large number of
assertions in an attempt to prevent such a bug from happening
again.

With the new assertions in place the existing anonymous slot tests
all fail without the m_offset fixes.

• runtime/PropertyMapHashTable.h:
• runtime/Structure.cpp: (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::copyPropertyTable): (JSC::Structure::get): (JSC::Structure::put): (JSC::Structure::remove): (JSC::Structure::insertIntoPropertyMapHashTable): (JSC::Structure::createPropertyMapHashTable): (JSC::Structure::rehashPropertyMapHashTable): (JSC::Structure::checkConsistency):

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• runtime/PropertyMapHashTable.h (modified) (1 diff)
• runtime/Structure.cpp (modified) (21 diffs)
• runtime/Structure.h (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-02-02  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Crash in CollectorBitmap::get at nbcolympics.com
+        https://bugs.webkit.org/show_bug.cgi?id=34504
+
+        This was caused by the use of m_offset to determine the offset of
+        a new property into the property storage.  This patch corrects
+        the effected cases by incorporating the anonymous slot count. It
+        also removes the duplicate copy of anonymous slot count from the
+        property table as keeping this up to date merely increased the
+        chance of a mismatch.  Finally I've added a large number of
+        assertions in an attempt to prevent such a bug from happening
+        again.
+
+        With the new assertions in place the existing anonymous slot tests
+        all fail without the m_offset fixes.
+
+        * runtime/PropertyMapHashTable.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::materializePropertyMap):
+        (JSC::Structure::addPropertyTransitionToExistingStructure):
+        (JSC::Structure::addPropertyTransition):
+        (JSC::Structure::removePropertyTransition):
+        (JSC::Structure::flattenDictionaryStructure):
+        (JSC::Structure::addPropertyWithoutTransition):
+        (JSC::Structure::removePropertyWithoutTransition):
+        (JSC::Structure::copyPropertyTable):
+        (JSC::Structure::get):
+        (JSC::Structure::put):
+        (JSC::Structure::remove):
+        (JSC::Structure::insertIntoPropertyMapHashTable):
+        (JSC::Structure::createPropertyMapHashTable):
+        (JSC::Structure::rehashPropertyMapHashTable):
+        (JSC::Structure::checkConsistency):
+
 2010-02-02  Steve Falkenburg  <sfalken@apple.com>
 

trunk/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -62 +62 @@
         unsigned keyCount;
         unsigned deletedSentinelCount;
-        unsigned anonymousSlotCount;
         unsigned lastIndexUsed;
         Vector<unsigned>* deletedOffsets;

trunk/JavaScriptCore/runtime/Structure.cpp

@@ -273 +273 @@
             rehashPropertyMapHashTable(sizeForKeyCount(m_offset + 1)); // This could be made more efficient by combining with the copy above. 
     }
-    
-    m_propertyTable->anonymousSlotCount = m_anonymousSlotCount;
+
     for (ptrdiff_t i = structures.size() - 2; i >= 0; --i) {
         structure = structures[i];
         structure->m_nameInPrevious->ref();
-        PropertyMapEntry entry(structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious, ++m_propertyTable->lastIndexUsed);
+        PropertyMapEntry entry(structure->m_nameInPrevious.get(), m_anonymousSlotCount + structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious, ++m_propertyTable->lastIndexUsed);
         insertIntoPropertyMapHashTable(entry);
     }
@@ -344 +343 @@
     if (Structure* existingTransition = structure->table.get(make_pair(propertyName.ustring().rep(), attributes), specificValue)) {
         ASSERT(existingTransition->m_offset != noOffset);
-        offset = existingTransition->m_offset;
+        offset = existingTransition->m_offset + existingTransition->m_anonymousSlotCount;
+        ASSERT(offset >= structure->m_anonymousSlotCount);
+        ASSERT(structure->m_anonymousSlotCount == existingTransition->m_anonymousSlotCount);
         return existingTransition;
     }
@@ -364 +365 @@
         ASSERT(structure != transition);
         offset = transition->put(propertyName, attributes, specificValue);
+        ASSERT(offset >= structure->m_anonymousSlotCount);
+        ASSERT(structure->m_anonymousSlotCount == transition->m_anonymousSlotCount);
         if (transition->propertyStorageSize() > transition->propertyStorageCapacity())
             transition->growPropertyStorageCapacity();
@@ -382 +385 @@
 
     if (structure->m_propertyTable) {
-        ASSERT(structure->m_propertyTable->anonymousSlotCount == structure->m_anonymousSlotCount);
         if (structure->m_isPinnedPropertyTable)
             transition->m_propertyTable = structure->copyPropertyTable();
@@ -397 +399 @@
 
     offset = transition->put(propertyName, attributes, specificValue);
+    ASSERT(offset >= structure->m_anonymousSlotCount);
+    ASSERT(structure->m_anonymousSlotCount == transition->m_anonymousSlotCount);
     if (transition->propertyStorageSize() > transition->propertyStorageCapacity())
         transition->growPropertyStorageCapacity();
 
-    transition->m_offset = offset;
+    transition->m_offset = offset - structure->m_anonymousSlotCount;
     ASSERT(structure->anonymousSlotCount() == transition->anonymousSlotCount());
     structure->table.add(make_pair(propertyName.ustring().rep(), attributes), transition.get(), specificValue);
@@ -413 +417 @@
 
     offset = transition->remove(propertyName);
+    ASSERT(offset >= structure->m_anonymousSlotCount);
+    ASSERT(structure->m_anonymousSlotCount == transition->m_anonymousSlotCount);
 
     return transition.release();
@@ -530 +536 @@
         // reorder the storage, so we have to copy the current values out
         Vector<JSValue> values(propertyCount);
-        ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
-        unsigned anonymousSlotCount = m_propertyTable->anonymousSlotCount;
+        unsigned anonymousSlotCount = m_anonymousSlotCount;
         for (unsigned i = 0; i < propertyCount; i++) {
             PropertyMapEntry* entry = sortedPropertyEntries[i];
@@ -566 +571 @@
 
     size_t offset = put(propertyName, attributes, specificValue);
+    ASSERT(offset >= m_anonymousSlotCount);
     if (propertyStorageSize() > propertyStorageCapacity())
         growPropertyStorageCapacity();
@@ -580 +586 @@
     m_isPinnedPropertyTable = true;
     size_t offset = remove(propertyName);
+    ASSERT(offset >= m_anonymousSlotCount);
     return offset;
 }
@@ -621 +628 @@
     if (!m_propertyTable)
         return 0;
-    
-    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
+
     size_t tableSize = PropertyMapHashTable::allocationSize(m_propertyTable->size);
     PropertyMapHashTable* newTable = static_cast<PropertyMapHashTable*>(fastMalloc(tableSize));
@@ -637 +643 @@
         newTable->deletedOffsets = new Vector<unsigned>(*m_propertyTable->deletedOffsets);
 
-    newTable->anonymousSlotCount = m_propertyTable->anonymousSlotCount;
     return newTable;
 }
@@ -660 +665 @@
         attributes = m_propertyTable->entries()[entryIndex - 1].attributes;
         specificValue = m_propertyTable->entries()[entryIndex - 1].specificValue;
+        ASSERT(m_propertyTable->entries()[entryIndex - 1].offset >= m_anonymousSlotCount);
         return m_propertyTable->entries()[entryIndex - 1].offset;
     }
@@ -683 +689 @@
             attributes = m_propertyTable->entries()[entryIndex - 1].attributes;
             specificValue = m_propertyTable->entries()[entryIndex - 1].specificValue;
+            ASSERT(m_propertyTable->entries()[entryIndex - 1].offset >= m_anonymousSlotCount);
             return m_propertyTable->entries()[entryIndex - 1].offset;
         }
@@ -764 +771 @@
     if (!m_propertyTable)
         createPropertyMapHashTable();
-    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
 
     // FIXME: Consider a fast case for tables with no deleted sentinels.
@@ -832 +838 @@
         m_propertyTable->deletedOffsets->removeLast();
     } else
-        newOffset = m_propertyTable->keyCount + m_propertyTable->anonymousSlotCount;
+        newOffset = m_propertyTable->keyCount + m_anonymousSlotCount;
     m_propertyTable->entries()[entryIndex - 1].offset = newOffset;
-
+    
+    ASSERT(newOffset >= m_anonymousSlotCount);
     ++m_propertyTable->keyCount;
 
@@ -859 +866 @@
     if (!m_propertyTable)
         return notFound;
-    
-    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
+
 #if DUMP_PROPERTYMAP_STATS
     ++numProbes;
@@ -899 +905 @@
 
     size_t offset = m_propertyTable->entries()[entryIndex - 1].offset;
+    ASSERT(offset >= m_anonymousSlotCount);
 
     key->deref();
@@ -924 +931 @@
 {
     ASSERT(m_propertyTable);
-    
-    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
+    ASSERT(entry.offset >= m_anonymousSlotCount);
     unsigned i = entry.key->existingHash();
     unsigned k = 0;
@@ -975 +981 @@
     m_propertyTable->size = newTableSize;
     m_propertyTable->sizeMask = newTableSize - 1;
-    m_propertyTable->anonymousSlotCount = m_anonymousSlotCount;
 
     checkConsistency();
@@ -1005 +1010 @@
     m_propertyTable->size = newTableSize;
     m_propertyTable->sizeMask = newTableSize - 1;
-    m_propertyTable->anonymousSlotCount = oldTable->anonymousSlotCount;
 
     unsigned lastIndexUsed = 0;
@@ -1135 +1139 @@
         ASSERT(m_hasNonEnumerableProperties || !(m_propertyTable->entries()[c].attributes & DontEnum));
         UString::Rep* rep = m_propertyTable->entries()[c].key;
+        ASSERT(m_propertyTable->entries()[c].offset >= m_anonymousSlotCount);
         if (!rep)
             continue;

trunk/JavaScriptCore/runtime/Structure.h

@@ -205 +205 @@
 
         uint32_t m_propertyStorageCapacity;
+
+        // m_offset does not account for anonymous slots
         signed char m_offset;