Title: [175249] trunk/Source/_javascript_Core
Revision
175249
Author
mark....@apple.com
Date
2014-10-28 08:29:51 -0700 (Tue, 28 Oct 2014)

Log Message

Holes are not copied properly when Arrays change shape to ArrayStorage type.
<https://webkit.org/b/138118>

Reviewed by Mark Hahnenberg.

When we convert non-ArrayStorage typed arrays into ArrayStorage typed arrays,
we skipped the holes.  As a result, the slots in the ArrayStorage vector that
correspond to those holes are uninitialized.  This is now fixed.

* runtime/JSObject.cpp:
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (175248 => 175249)


--- trunk/Source/_javascript_Core/ChangeLog	2014-10-28 14:14:50 UTC (rev 175248)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-10-28 15:29:51 UTC (rev 175249)
@@ -1,5 +1,22 @@
 2014-10-27  Mark Lam  <mark....@apple.com>
 
+        Holes are not copied properly when Arrays change shape to ArrayStorage type.
+        <https://webkit.org/b/138118>
+
+        Reviewed by Mark Hahnenberg.
+
+        When we convert non-ArrayStorage typed arrays into ArrayStorage typed arrays,
+        we skipped the holes.  As a result, the slots in the ArrayStorage vector that
+        corresponds to those holes are uninitialize.  This is now fixed.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+
+2014-10-27  Mark Lam  <mark....@apple.com>
+
         Crash when attempting to perform array iteration on a non-array with numeric keys not initialized.
         <https://webkit.org/b/137814>
 

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (175248 => 175249)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2014-10-28 14:14:50 UTC (rev 175248)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2014-10-28 15:29:51 UTC (rev 175249)
@@ -732,6 +732,7 @@
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* storage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
     // No need to copy elements.
+    ASSERT(!m_butterfly->publicLength());
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
     setStructureAndButterfly(vm, newStructure, storage->butterfly());
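Review bot: The added ASSERT only documents that the public length is zero; nothing in this function writes any of the vectorLength slots of the new storage, so whether those slots read back as empty values depends entirely on constructConvertedArrayStorageWithoutCopyingElements, whose body is not in the diff. If that helper allocates without clearing, the slots in [publicLength, vectorLength) stay uninitialized here and, after the copy loops, in the @@ -778, @@ -847 and @@ -872 hunks as well, and any indexed read that guards only on vectorLength could observe stale memory as a JSValue. Worth confirming against the helper, or making it explicit with `for (unsigned i = m_butterfly->publicLength(); i < vectorLength; ++i) storage->m_vector[i].clear();` before the structure transition. The enclosing function convertUndecidedToArrayStorage starts before the hunk.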
@@ -778,12 +779,13 @@
 
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         JSValue v = m_butterfly->contiguous()[i].get();
-        if (!v)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(v);
-        newStorage->m_numValuesInVector++;
+        if (v) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(v);
+            newStorage->m_numValuesInVector++;
+        } else
+            newStorage->m_vector[i].clear();
     }
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
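Review bot: The else branch's `clear()` is the actual fix, but nothing in the code says why an explicit empty value is required, and the same loop is repeated verbatim in the @@ -847 and @@ -872 hunks; a comment on the else such as `// A hole must be an explicit empty value; the freshly constructed vector slot is otherwise uninitialized.`, or a shared static helper taking the source value, would keep the three copies from drifting apart. In the @@ -847 hunk the hole test is `value == value`, which reads as a NaN check only to those who know the representation, so `// NaN marks a hole in a double array.` above it would help. The enclosing function starts before the hunk and its tail after setStructureAndButterfly is outside it.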
@@ -847,12 +849,13 @@
 
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         double value = m_butterfly->contiguousDouble()[i];
-        if (value != value)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
-        newStorage->m_numValuesInVector++;
+        if (value == value) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
+            newStorage->m_numValuesInVector++;
+        } else
+            newStorage->m_vector[i].clear();
     }
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
@@ -872,12 +875,13 @@
 
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         JSValue v = m_butterfly->contiguous()[i].get();
-        if (!v)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(v);
-        newStorage->m_numValuesInVector++;
+        if (v) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(v);
+            newStorage->m_numValuesInVector++;
+        } else
+            newStorage->m_vector[i].clear();
     }
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
