Title: [233697] trunk/Source/JavaScriptCore
Revision: 233697
Author: mark....@apple.com
Date: 2018-07-10 13:47:07 -0700 (Tue, 10 Jul 2018)

Log Message

[32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
https://bugs.webkit.org/show_bug.cgi?id=187362
<rdar://problem/42027210>

Reviewed by Saam Barati.

On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
value to use for initializing unused properties.  Updated an assertion to account
for this.

* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (233696 => 233697)


--- trunk/Source/_javascript_Core/ChangeLog	2018-07-10 20:35:28 UTC (rev 233696)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-07-10 20:47:07 UTC (rev 233697)
@@ -1,3 +1,18 @@
+2018-07-10  Mark Lam  <mark....@apple.com>
+
+        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
+        https://bugs.webkit.org/show_bug.cgi?id=187362
+        <rdar://problem/42027210>
+
+        Reviewed by Saam Barati.
+
+        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
+        value to use for initializing unused properties.  Updated an assertion to account
+        for this.
+
+        * runtime/ObjectInitializationScope.cpp:
+        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
+
 2018-07-10  Michael Saboff  <msab...@apple.com>
 
         YARR: . doesn't match non-BMP Unicode characters in some cases
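Review bot: The entry title quotes the failing assertion with an index of [-I - 1], while the expression in ObjectInitializationScope.cpp is [-i - 1]; fix the case so a search for the assertion text finds this entry. The description would also be easier to act on if it said what a 0 valued JSValue is on 32-bit targets, since it only says what it is not (the empty JSValue).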

Modified: trunk/Source/JavaScriptCore/runtime/ObjectInitializationScope.cpp (233696 => 233697)


--- trunk/Source/_javascript_Core/runtime/ObjectInitializationScope.cpp	2018-07-10 20:35:28 UTC (rev 233696)
+++ trunk/Source/_javascript_Core/runtime/ObjectInitializationScope.cpp	2018-07-10 20:47:07 UTC (rev 233697)
@@ -83,10 +83,18 @@
         }
     }
 
+    auto isSafeEmptyValueForGCScanning = [] (JSValue value) {
+#if USE(JSVALUE64)
+        return !value;
+#else
+        return !value || !JSValue::encode(value);
+#endif
+    };
+
     for (int64_t i = 0; i < static_cast<int64_t>(structure->outOfLineCapacity()); i++) {
         // We rely on properties past the last offset be zero for concurrent GC.
         if (i + firstOutOfLineOffset > structure->lastOffset())
-            ASSERT(!butterfly->propertyStorage()[-i - 1].get());
+            ASSERT(isSafeEmptyValueForGCScanning(butterfly->propertyStorage()[-i - 1].get()));
         else if (isScribbledValue(butterfly->propertyStorage()[-i - 1].get())) {
             dataLogLn("Found scribbled property at i = ", -i - 1);
             ASSERT_NOT_REACHED();
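Review bot: The #else branch of isSafeEmptyValueForGCScanning accepts two distinct states (!value, and a zero result from JSValue::encode(value)), but nothing in the code says why both are safe for the collector; that reasoning exists only in the ChangeLog. Add a short comment inside the lambda stating that on non-JSVALUE64 targets a 0 valued JSValue is not the empty JSValue yet is a valid initializer for unused properties. The existing comment above the ASSERT still says slots past the last offset must "be zero" for concurrent GC, which no longer matches what the 32-bit check accepts, so update it to name the values the check allows. Since the ASSERT is the only consumer, it is also worth confirming the lambda does not trigger an unused-variable warning in builds where ASSERT compiles to nothing.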