WebKit Bugzilla
Attachment 343163 Details for
Bug 186855
: Expand concurrent GC assertion to accept JSValue() or 0
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-186855-20180620104057.patch (text/plain), 1.72 KB, created by
Keith Miller
on 2018-06-20 10:40:58 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2018-06-20 10:40:58 PDT
Size:
1.72 KB
patch
obsolete
>Subversion Revision: 233003 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index dc723042167481801f513b9760c30db462e90197..49d58e0b56f4c6ea5d6e2e913195b4c4487a763f 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,18 @@ >+2018-06-20 Keith Miller <keith_miller@apple.com> >+ >+ Expand concurrent GC assertion to accept JSValue() or 0 >+ https://bugs.webkit.org/show_bug.cgi?id=186855 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ We tend to set unused property slots to either JSValue() or 0 >+ depending on the context. On 64-bit these are the same but on >+ 32-bit JSValue() has a NaN tag. This patch makes it so we >+ the accept either JSValue() or 0. >+ >+ * runtime/JSObjectInlines.h: >+ (JSC::JSObject::prepareToPutDirectWithoutTransition): >+ > 2018-06-19 Keith Miller <keith_miller@apple.com> > > Fix broken assertion on 32-bit >diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h >index ec331a139d6341f7bd78e4f1ece59ec2ddc924a7..a24a329a958ba7415884e6e68301d37f4f3c0372 100644 >--- a/Source/JavaScriptCore/runtime/JSObjectInlines.h >+++ b/Source/JavaScriptCore/runtime/JSObjectInlines.h >@@ -206,7 +206,7 @@ ALWAYS_INLINE PropertyOffset JSObject::prepareToPutDirectWithoutTransition(VM& v > > // This assertion verifies that the concurrent GC won't read garbage if the concurrentGC > // is running at the same time we put without transitioning. >- ASSERT(!JSValue::encode(getDirect(offset))); >+ ASSERT(!getDirect(offset) || !JSValue::encode(getDirect(offset))); > result = offset; > }); > return result;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=343163">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 186855
: 343163