Title: [96354] trunk/Source/JavaScriptCore
Revision: 96354
Author: fpi...@apple.com
Date: 2011-09-29 13:45:52 -0700 (Thu, 29 Sep 2011)

Log Message

Structure transitions involving many (> 64) properties sometimes cause structure corruption
https://bugs.webkit.org/show_bug.cgi?id=69102

Reviewed by Darin Adler.
        
Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
don't lead to the dictionary kind being forgotten.
        
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/Structure.h:
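Why a signed char is too narrow for a property offset, as an added C++ illustration that is not code from the WebKit tree. It keeps the noOffset = -1 sentinel visible in the patch, but the OldStructure/NewStructure shapes and the transition loop are hypothetical simplifications, and it does not model the 64-transition limit (s_maxTransitionLength) that the bug title refers to; it only shows the 127 boundary of a signed char and the collision of a truncated offset with the sentinel.

```cpp
// Added illustration, not WebKit code. Shows the narrowing hazard that the
// change from `signed char m_offset` to `int m_offset` removes.
#include <climits>

namespace narrow {

// Same sentinel value as the patch's Structure::noOffset.
static const signed char noOffset = -1;

// "Before" shape (hypothetical): the offset of the last-added property is
// stored in a signed char, as the pre-patch field was.
struct OldStructure {
    signed char m_offset = noOffset;
};

// "After" shape (hypothetical): the same field widened to int.
struct NewStructure {
    int m_offset = noOffset;
};

// Simulate a chain of add-property transitions, each recording the offset
// of the property it added. Returns the offset held by the final structure.
// Beyond 127 the signed char conversion wraps (modulo 256 on every
// mainstream ABI; well-defined since C++20), so the stored value is wrong.
int oldOffsetAfter(int propertyCount) {
    OldStructure s;
    for (int i = 0; i < propertyCount; ++i)
        s.m_offset = static_cast<signed char>(i);   // truncates once i > SCHAR_MAX
    return s.m_offset;                              // oldOffsetAfter(200) == -57
}

int newOffsetAfter(int propertyCount) {
    NewStructure s;
    for (int i = 0; i < propertyCount; ++i)
        s.m_offset = i;                             // no truncation
    return s.m_offset;                              // newOffsetAfter(200) == 199
}

// Does a structure that really holds `propertyCount` properties report the
// "no property" sentinel? With the narrow field, an offset of 255 wraps to
// -1 and becomes indistinguishable from noOffset; the int field never does.
bool oldLooksEmpty(int propertyCount) { return oldOffsetAfter(propertyCount) == noOffset; }
bool newLooksEmpty(int propertyCount) { return newOffsetAfter(propertyCount) == noOffset; }

// Largest offset the narrow field can hold without wrapping.
int oldMaxSafeOffset() { return SCHAR_MAX; }

}  // namespace narrow
```

The point for reviewers of this kind of change: a sentinel encoded as -1 in a narrow signed field is reachable by ordinary truncation, so widening the field is not just a range fix but also closes a path by which a valid offset masquerades as "no offset".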

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/runtime/Structure.cpp
trunk/Source/JavaScriptCore/runtime/Structure.h

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (96353 => 96354)


--- trunk/Source/_javascript_Core/ChangeLog	2011-09-29 20:31:41 UTC (rev 96353)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-09-29 20:45:52 UTC (rev 96354)
@@ -1,3 +1,17 @@
+2011-09-29  Filip Pizlo  <fpi...@apple.com>
+
+        Structure transitions involving many (> 64) properties sometimes cause structure corruption
+        https://bugs.webkit.org/show_bug.cgi?id=69102
+
+        Reviewed by Darin Adler.
+        
+        Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
+        don't lead to the dictionary kind being forgotten.
+        
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+        * runtime/Structure.h:
+
 2011-09-29  Yuqiang Xian  <yuqiang.x...@intel.com>
 
         DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
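Review bot: the two blank lines inside the new entry (the one after "Reviewed by Darin Adler." and the one after the m_offset paragraph) carry trailing spaces; strip them so the ChangeLog stays whitespace-clean. The entry also lists no test alongside runtime/Structure.cpp and runtime/Structure.h for a bug described as structure corruption; a regression test that builds an object through more than 64 property transitions would document the failure mode and catch a regression of either half of the fix.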

Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (96353 => 96354)


--- trunk/Source/_javascript_Core/runtime/Structure.cpp	2011-09-29 20:31:41 UTC (rev 96353)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp	2011-09-29 20:45:52 UTC (rev 96354)
@@ -202,7 +202,7 @@
     , m_classInfo(previous->m_classInfo)
     , m_propertyStorageCapacity(previous->m_propertyStorageCapacity)
     , m_offset(noOffset)
-    , m_dictionaryKind(NoneDictionaryKind)
+    , m_dictionaryKind(previous->m_dictionaryKind)
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
     , m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
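Review bot: nothing in this hunk or in the ChangeLog says why a structure created from a dictionary-kind `previous` must keep that kind, so a later cleanup could plausibly "simplify" the initializer back to `NoneDictionaryKind`; a one-line comment beside `, m_dictionaryKind(previous->m_dictionaryKind)` pointing at bug 69102 would prevent that. Also worth confirming that every caller of this constructor wants the inherited kind rather than a fresh non-dictionary structure; the call sites are not in the diff.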

Modified: trunk/Source/JavaScriptCore/runtime/Structure.h (96353 => 96354)


--- trunk/Source/_javascript_Core/runtime/Structure.h	2011-09-29 20:31:41 UTC (rev 96353)
+++ trunk/Source/_javascript_Core/runtime/Structure.h	2011-09-29 20:45:52 UTC (rev 96354)
@@ -237,9 +237,9 @@
 
         bool isValid(ExecState*, StructureChain* cachedPrototypeChain) const;
 
-        static const signed char s_maxTransitionLength = 64;
+        static const int s_maxTransitionLength = 64;
 
-        static const signed char noOffset = -1;
+        static const int noOffset = -1;
 
         static const unsigned maxSpecificFunctionThrashCount = 3;
 
@@ -264,7 +264,7 @@
         uint32_t m_propertyStorageCapacity;
 
         // m_offset does not account for anonymous slots
-        signed char m_offset;
+        int m_offset;
 
         unsigned m_dictionaryKind : 2;
         bool m_isPinnedPropertyTable : 1;
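Review bot: the sites that assign `m_offset` are not in this diff; since the field is widened here, those sites should be checked once for any remaining narrowing conversion (for example from a size_t property count) and an ASSERT that the new value is non-negative and below the property storage capacity would make a future overflow fail loudly instead of silently corrupting the structure, which is what this bug was. The comment "m_offset does not account for anonymous slots" is still accurate after the type change and should stay with the field.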
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
