Title: [177657] trunk/Source/_javascript_Core
Revision
177657
Author
mark....@apple.com
Date
2014-12-22 15:09:22 -0800 (Mon, 22 Dec 2014)

Log Message

Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes.
<https://webkit.org/b/138118>

Reviewed by Michael Saboff.

* runtime/JSObject.cpp:
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (177656 => 177657)


--- trunk/Source/_javascript_Core/ChangeLog	2014-12-22 22:17:42 UTC (rev 177656)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-12-22 23:09:22 UTC (rev 177657)
@@ -1,3 +1,15 @@
+2014-12-22  Mark Lam  <mark....@apple.com>
+
+        Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes.
+        <https://webkit.org/b/138118>
+
+        Reviewed by Michael Saboff.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+
 2014-12-20  Eric Carlson  <eric.carl...@apple.com>
 
         [iOS] add optimized fullscreen API

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (177656 => 177657)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2014-12-22 22:17:42 UTC (rev 177656)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2014-12-22 23:09:22 UTC (rev 177657)
@@ -778,12 +778,13 @@
 
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         JSValue v = m_butterfly->contiguous()[i].get();
-        if (!v)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(v);
-        newStorage->m_numValuesInVector++;
+        if (v) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(v);
+            newStorage->m_numValuesInVector++;
+        } else
+            ASSERT(newStorage->m_vector[i].get().isEmpty());
     }
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
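Review bot: The added `ASSERT` in the else branch only covers indices below `publicLength()`, while `newStorage` is allocated for `vectorLength` slots, so the tail from `publicLength()` up to `vectorLength` is never checked for holes; the same gap is in the other two hunks of this file. Whether `constructConvertedArrayStorageWithoutCopyingElements` clears the whole vector is not visible here, and if it does not, a stale slot in that tail could later be read as a JSValue. Consider a debug-only check after the copy loop, `for (unsigned i = m_butterfly->publicLength(); i < vectorLength; i++) ASSERT(newStorage->m_vector[i].get().isEmpty());`. `ASSERT` is compiled out of release builds, so this documents the invariant rather than enforcing it there. The enclosing function starts and ends outside the hunk.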
@@ -847,12 +848,13 @@
 
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         double value = m_butterfly->contiguousDouble()[i];
-        if (value != value)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
-        newStorage->m_numValuesInVector++;
+        if (value == value) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
+            newStorage->m_numValuesInVector++;
+        } else
+            ASSERT(newStorage->m_vector[i].get().isEmpty());
     }
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
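Review bot: The `value == value` test at the top of the rewritten loop body is a NaN check, and nothing in the hunk says so; a reader has to work out that a NaN in the double storage is what this code treats as an uncopied hole. A short comment above the `if`, such as `// NaN never compares equal to itself; a NaN slot is a hole and is left uncopied.`, would make the else-branch assertion self-explanatory. The enclosing function lies outside the hunk.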
@@ -872,12 +874,13 @@
 
     unsigned vectorLength = m_butterfly->vectorLength();
     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
-    for (unsigned i = m_butterfly->publicLength(); i--;) {
+    for (unsigned i = 0; i < m_butterfly->publicLength(); i++) {
         JSValue v = m_butterfly->contiguous()[i].get();
-        if (!v)
-            continue;
-        newStorage->m_vector[i].setWithoutWriteBarrier(v);
-        newStorage->m_numValuesInVector++;
+        if (v) {
+            newStorage->m_vector[i].setWithoutWriteBarrier(v);
+            newStorage->m_numValuesInVector++;
+        } else
+            ASSERT(newStorage->m_vector[i].get().isEmpty());
     }
     
     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);