WebKit Bugzilla: Attachment 343122 Details for Bug 186828: flattenDictionaryStructure needs to zero properties that have been compressed away
Patch: bug-186828-20180619171116.patch (text/plain), 1.76 KB, created by Keith Miller on 2018-06-19 17:11:16 PDT
Description: Patch
Filename: bug-186828-20180619171116.patch
MIME Type: text/plain
Creator: Keith Miller
Created: 2018-06-19 17:11:16 PDT
Size: 1.76 KB
Flags: patch, obsolete
>Subversion Revision: 232977 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 3f7df34456ba892b3828ce04255af4acf4f0d049..1b3674c5e4840b397bf145f98629fbee278d41a3 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,15 @@ >+2018-06-19 Keith Miller <keith_miller@apple.com> >+ >+ flattenDictionaryStructure needs to zero properties that have been compressed away >+ https://bugs.webkit.org/show_bug.cgi?id=186828 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This patch fixes a bunch of crashing Mozilla tests on the bots. >+ >+ * runtime/Structure.cpp: >+ (JSC::Structure::flattenDictionaryStructure): >+ > 2018-06-19 Keith Miller <keith_miller@apple.com> > > constructArray variants should take the slow path for subclasses of Array >diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp >index 0590e5f80673f2c6f5a493ea2123b59ba356f430..d21cbd9ece30e1c2fc6c6462613a824589e8fb9b 100644 >--- a/Source/JavaScriptCore/runtime/Structure.cpp >+++ b/Source/JavaScriptCore/runtime/Structure.cpp >@@ -779,6 +779,13 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) > object->putDirect(vm, offsetForPropertyNumber(i, m_inlineCapacity), values[i]); > > table->clearDeletedOffsets(); >+ >+ // We need to make sure we zero our unused butterfly space otherwise the GC might see a stale pointer. >+ Butterfly* butterfly = object->butterfly(); >+ memset( >+ butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity), >+ 0, >+ (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue)); > checkOffsetConsistency(); > } >
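Review bot: the ChangeLog entry for runtime/Structure.cpp says only that the patch "fixes a bunch of crashing Mozilla tests on the bots" and does not state the cause; the Structure.cpp hunk makes the reason clear (after compaction the unused out-of-line butterfly slots still hold stale values that the GC can see as pointers), so say that here and name which Mozilla tests were crashing, or add a regression test under JSTests so the fix stays covered. The "Reviewed by NOBODY (OOPS!)" line also still needs a reviewer before landing.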
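Review bot: the memset start pointer in the new Structure.cpp block is `butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity)` while the length is only `(beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue)`; if `base()` returns the start of the whole allocation (pre-capacity region first), then for any butterfly with non-zero pre-capacity this zeroes the pre-capacity area and leaves the last `preCapacity` unused property slots stale, which is exactly the memory the patch is meant to clear. Suggest computing the target explicitly, e.g. `EncodedJSValue* slots = static_cast<EncodedJSValue*>(base) + preCapacity;` and passing that to memset, plus an `ASSERT(outOfLineSize() <= beforeOutOfLineCapacity)` so the size arithmetic cannot underflow. Two further checks: the loop above writes inline offsets via `offsetForPropertyNumber(i, m_inlineCapacity)`, but this hunk only touches the butterfly, so inline slots that were compressed away (from `inlineSize()` up to the inline capacity) are not zeroed and need the same treatment; and an object with no out-of-line or indexed storage may have a null `butterfly()`, so guard before dereferencing the indexing header.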