WebKit Bugzilla: Attachment 343630 details for Bug 187060: ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
Attachment: bug-187060.patch (text/plain), 2.61 KB, created by Mark Lam on 2018-06-26 12:35:58 PDT
Description: proposed patch.
Flags: patch, obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 233215) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-06-26 Mark Lam <mark.lam@apple.com> >+ >+ ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow(). >+ https://bugs.webkit.org/show_bug.cgi?id=187060 >+ <rdar://problem/41452767> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-187060.js: Added. >+ > 2018-06-25 Mark Lam <mark.lam@apple.com> > > constructArray() should set m_numValuesInVector to the specified length. >Index: JSTests/stress/regress-187060.js >=================================================================== >--- JSTests/stress/regress-187060.js (nonexistent) >+++ JSTests/stress/regress-187060.js (working copy) >@@ -0,0 +1,9 @@ >+// This test should not crash. >+ >+for (var i = 0; i < 10000; i++) { >+ var arr = []; >+ arr.constructor = { >+ [Symbol.species]: function () { return ['unmodifiable']; } >+ } >+ arr.concat([1]); >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 233206) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,18 @@ >+2018-06-26 Mark Lam <mark.lam@apple.com> >+ >+ ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow(). >+ https://bugs.webkit.org/show_bug.cgi?id=187060 >+ <rdar://problem/41452767> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ JSObject::ensureLengthSlow() may be called only because it needs to do a copy on >+ write conversion. Hence, we can return early after the conversion if the vector >+ length is already sufficient to cover the requested length. >+ >+ * runtime/JSObject.cpp: >+ (JSC::JSObject::ensureLengthSlow): >+ > 2018-06-26 Carlos Alberto Lopez Perez <clopez@igalia.com> > > REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5 >Index: Source/JavaScriptCore/runtime/JSObject.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/JSObject.cpp (revision 233206) >+++ Source/JavaScriptCore/runtime/JSObject.cpp (working copy) >@@ -3262,8 +3262,11 @@ bool JSObject::increaseVectorLength(VM& > > bool JSObject::ensureLengthSlow(VM& vm, unsigned length) > { >- if (isCopyOnWrite(indexingMode())) >+ if (isCopyOnWrite(indexingMode())) { > convertFromCopyOnWrite(vm); >+ if (m_butterfly->vectorLength() >= length) >+ return true; >+ } > > Butterfly* butterfly = this->butterfly(); >
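Review bot: the regression test in JSTests/stress/regress-187060.js does not say why a Symbol.species constructor that returns the array literal `['unmodifiable']` is what reproduces the assertion; read together with the JavaScriptCore ChangeLog, the point is that this literal reaches ensureLengthSlow() only because it needs a copy-on-write conversion while its vector length already covers the length that concat() requests. A one-line comment above the `arr.constructor = {` assignment saying that the returned array must be a copy-on-write literal, and that a freshly built non-literal array would not exercise the path, would keep the test meaningful if array-literal allocation changes later; `// This test should not crash.` on its own does not record that intent.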
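Review bot: in the JSObject::ensureLengthSlow() hunk the new early return reads `m_butterfly->vectorLength()` directly, while the statement immediately after the block fetches `Butterfly* butterfly = this->butterfly();`; using the same accessor in both places (`if (butterfly()->vectorLength() >= length)`) avoids two different ways of reaching the butterfly in adjacent lines. The early return also deserves the reasoning from the ChangeLog as an inline comment, since nothing in the code says why a slow-path call may legitimately arrive with a sufficient vector length (only the copy-on-write conversion case), and the assertion named in the bug title still expects `length > butterfly->vectorLength()` for every other caller; an ASSERT after convertFromCopyOnWrite(vm) that indexingMode() is no longer copy-on-write would make that invariant explicit before the comparison.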