Skip to site navigation (Press enter)

[webkit-changes] [232954] trunk/Source/JavaScriptCore

keith_miller Mon, 18 Jun 2018 23:59:13 -0700

Title: [232954] trunk/Source/_javascript_Core

Revision: 232954
Author: [email protected]
Date: 2018-06-18 23:58:47 -0700 (Mon, 18 Jun 2018)

Log Message

JSImmutableButterfly should assert m_header is adjacent to the data
https://bugs.webkit.org/show_bug.cgi?id=186795


Reviewed by Saam Barati.

* runtime/JSImmutableButterfly.cpp:
* runtime/JSImmutableButterfly.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.cpp
trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (232953 => 232954)


--- trunk/Source/_javascript_Core/ChangeLog	2018-06-19 01:34:11 UTC (rev 232953)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-06-19 06:58:47 UTC (rev 232954)
@@ -1,5 +1,15 @@
 2018-06-18  Keith Miller  <[email protected]>
 
+        JSImmutableButterfly should assert m_header is adjacent to the data
+        https://bugs.webkit.org/show_bug.cgi?id=186795
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSImmutableButterfly.cpp:
+        * runtime/JSImmutableButterfly.h:
+
+2018-06-18  Keith Miller  <[email protected]>
+
         Unreviewed, fix the build...
 
         * runtime/JSArray.cpp:

Modified: trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.cpp (232953 => 232954)


--- trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.cpp	2018-06-19 01:34:11 UTC (rev 232953)
+++ trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.cpp	2018-06-19 06:58:47 UTC (rev 232954)
@@ -54,4 +54,6 @@
     }
 }
 
+static_assert(JSImmutableButterfly::offsetOfData() == sizeof(JSImmutableButterfly), "m_header needs to be adjacent to Data");
+
 } // namespace JSC

Modified: trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h (232953 => 232954)


--- trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h	2018-06-19 01:34:11 UTC (rev 232953)
+++ trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h	2018-06-19 06:58:47 UTC (rev 232954)
@@ -101,12 +101,12 @@
             toButterfly()->contiguous().atUnsafe(index).set(vm, this, value);
     }
 
-private:
     static constexpr size_t offsetOfData()
     {
         return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(JSImmutableButterfly));
     }
 
+private:
     static Checked<size_t, RecordOverflow> allocationSize(Checked<size_t, RecordOverflow> numItems)
     {
         return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>);

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes