Title: [244007] releases/WebKitGTK/webkit-2.24
Revision
244007
Author
carlo...@webkit.org
Date
2019-04-08 05:39:04 -0700 (Mon, 08 Apr 2019)

Log Message

Merge r243069 - Structure::flattenDictionary() should clear unused property slots.
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>

Reviewed by Michael Saboff.

JSTests:

* stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

Source/_javascript_Core:

It currently attempts to do this but fails because it's actually clearing up the
preCapacity region instead.  The fix is simply to account for the preCapacity
when computing the start address of the property slots.

* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog (244006 => 244007)


--- releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog	2019-04-08 12:39:00 UTC (rev 244006)
+++ releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog	2019-04-08 12:39:04 UTC (rev 244007)
@@ -1,3 +1,13 @@
+2019-03-18  Mark Lam  <mark....@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+
 2019-03-12  Mark Lam  <mark....@apple.com>
 
         The HasIndexedProperty node does GC.

Added: releases/WebKitGTK/webkit-2.24/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js (0 => 244007)


--- releases/WebKitGTK/webkit-2.24/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js	2019-04-08 12:39:04 UTC (rev 244007)
@@ -0,0 +1,11 @@
+// This test should not crash.
+
+var arr = [];
+arr.x = 0;
+arr.y = 0;
+delete arr["x"];
+
+for (var i = 0; i < 2; ++i)
+    arr.unshift(i);
+
+arr.z = 42;
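Review bot: the test only guards against a crash, yet the defect being fixed is a memset landing on the wrong region (the preCapacity slots, per the commit message), which can corrupt data silently without crashing; add value checks after the final `arr.z = 42;` so the test also fails on corruption, e.g. verify that `arr.y === 0`, `arr.z === 42` and `arr.join() === "1,0"` (the two unshifted indices) and throw on mismatch. A short comment on each step (deleting `x`, the `unshift` loop that gives the butterfly a preCapacity region, and the final property add that triggers flattening) would also make the reproduction intent clear to the next reader.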

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (244006 => 244007)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-04-08 12:39:00 UTC (rev 244006)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-04-08 12:39:04 UTC (rev 244007)
@@ -1,3 +1,18 @@
+2019-03-18  Mark Lam  <mark....@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        It currently attempts to do this but fails because it's actually clearing up the
+        preCapacity region instead.  The fix is simply to account for the preCapacity
+        when computing the start address of the property slots.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
 2019-04-08  Xan Lopez  <x...@igalia.com>
 
         [CMake] Detect SSE2 at compile time

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/Structure.cpp (244006 => 244007)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/Structure.cpp	2019-04-08 12:39:00 UTC (rev 244006)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/Structure.cpp	2019-04-08 12:39:04 UTC (rev 244007)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -778,10 +778,10 @@
             (inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
 
         Butterfly* butterfly = object->butterfly();
-        memset(
-            butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
-            0,
-            (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+        size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
+        void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
+        void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
+        memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
     }
 
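Review bot: the corrected arithmetic on the `startOfPropertyStorageSlots` line relies on the out-of-line property slots starting immediately after the `preCapacity` slots at the address returned by `butterfly->base(...)`, with the unused slots at the low end of that region; a one-line comment stating that layout next to the computation would save the next reader from re-deriving why the old memset cleared the wrong region, and an `ASSERT(outOfLineSize() <= beforeOutOfLineCapacity)` before the `memset` would keep the unsigned subtraction in the length argument from wrapping into a huge overwrite. Minor style point: since `base` is only ever used as an `EncodedJSValue*`, declare it as such with a `static_cast<EncodedJSValue*>` from the `void*` it is stored as here, and drop the intermediate `void*` and the `reinterpret_cast`.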
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
