WebKit Bugzilla
Attachment 343128 Details for Bug 186828: flattenDictionaryStructure needs to zero properties that have been compressed away
[patch] Patch for landing
bug-186828-20180619182103.patch (text/plain), 2.25 KB, created by Keith Miller on 2018-06-19 18:21:03 PDT
Flags: patch, obsolete
>Subversion Revision: 232977 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 3f7df34456ba892b3828ce04255af4acf4f0d049..ce69434d166d14c4b33422f8ea8fa6f969c229ec 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,15 @@ >+2018-06-19 Keith Miller <keith_miller@apple.com> >+ >+ flattenDictionaryStructure needs to zero properties that have been compressed away >+ https://bugs.webkit.org/show_bug.cgi?id=186828 >+ >+ Reviewed by Mark Lam. >+ >+ This patch fixes a bunch of crashing Mozilla tests on the bots. >+ >+ * runtime/Structure.cpp: >+ (JSC::Structure::flattenDictionaryStructure): >+ > 2018-06-19 Keith Miller <keith_miller@apple.com> > > constructArray variants should take the slow path for subclasses of Array >diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp >index 0590e5f80673f2c6f5a493ea2123b59ba356f430..277f14889ea821a0b8742e443eed4b30b17f2d9e 100644 >--- a/Source/JavaScriptCore/runtime/Structure.cpp >+++ b/Source/JavaScriptCore/runtime/Structure.cpp >@@ -779,6 +779,12 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) > object->putDirect(vm, offsetForPropertyNumber(i, m_inlineCapacity), values[i]); > > table->clearDeletedOffsets(); >+ >+ Butterfly* butterfly = object->butterfly(); >+ memset( >+ butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity), >+ 0, >+ (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue)); > checkOffsetConsistency(); > } 
> >@@ -803,9 +809,8 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) > WTF::storeStoreFence(); > object->setStructureIDDirectly(id()); > >- // FIXME: This is probably no longer needed since we have a stronger mechanism >- // for detecting races and rescanning an object. >- // https://bugs.webkit.org/show_bug.cgi?id=166989 >+ // We need to do a writebarrier here because the GC thread might be scanning the butterfly while >+ // we are shuffling properties around. See: https://bugs.webkit.org/show_bug.cgi?id=166989 > vm.heap.writeBarrier(object); > > return this;
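Review bot: the ChangeLog entry only records the symptom ("fixes a bunch of crashing Mozilla tests on the bots") and never states the root cause that the title names: after compaction, the out-of-line slots between outOfLineSize() and beforeOutOfLineCapacity still hold the values they had before the properties were moved down. Suggest adding one sentence to that effect so the entry explains why the zeroing is needed, and a line saying the fix is covered by the existing Mozilla tests rather than a new regression test.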
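Review bot: the new memset in flattenDictionaryStructure has no comment, so a reader has to work out from the arithmetic that `butterfly->base(..., beforeOutOfLineCapacity)` is the start of the out-of-line storage and that `(beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue)` covers exactly the slots compaction freed. Suggest a comment above it such as `// Zero the out-of-line slots freed by compaction so the GC never reads stale values from them.` Also worth an ASSERT that `outOfLineSize() <= beforeOutOfLineCapacity` right before the subtraction: beforeOutOfLineCapacity is captured outside this hunk, and a size_t underflow here would turn the memset into a heap overwrite rather than a no-op.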
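Review bot: "writebarrier" in the rewritten comment should be "write barrier". The new comment also keeps the link to bug 166989 that the removed FIXME used to track a possible removal of the barrier; now that the barrier is kept on purpose, say what the link is for (the discussion of the GC race) so the next reader does not take it for a still-open FIXME.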
Flags: keith_miller: commit-queue+
Attachments on bug 186828: 343122 | 343128