Bug 226388

Summary: Fix LikelyDenseUnsignedIntegerSet::clear()
Product: WebKit Reporter: Robin Morisset <rmorisset>
Component: JavaScriptCoreAssignee: Robin Morisset <rmorisset>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cdumez, cmarcelo, ews-watchlist, mark.lam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 226258    
Bug Blocks:    
Attachments:
Description Flags
Patch none

Robin Morisset
Reported 2021-05-28 11:53:29 PDT
There are two problems with it: 1) It calls BitVector::clearAll(), which does not free any memory. Instead, it should call BitVector::~BitVector(), then do a placement new of a fresh BitVector (to get it back to its inline condition) 2) More problematically, it changes m_size before calling isBitVector() which relies crucially on the value of m_size. So it is going to believe that it is in BitVector mode even when it is actually in HashSet mode.
Attachments
Patch (2.81 KB, patch)
2021-05-28 12:02 PDT, Robin Morisset 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Robin Morisset
Comment 1 2021-05-28 11:57:18 PDT
rdar://78607433
Robin Morisset
Comment 2 2021-05-28 12:02:48 PDT
Created attachment 430037 [details] Patch
Mark Lam
Comment 3 2021-05-28 12:38:41 PDT
Comment on attachment 430037 [details] Patch r=me
Robin Morisset
Comment 4 2021-05-28 13:05:39 PDT
Comment on attachment 430037 [details] Patch Thanks for the review. Landing this as the wincairo failure is very clearly unrelated.
EWS
Comment 5 2021-05-28 13:17:50 PDT
Committed r278224 (238262@main): <https://commits.webkit.org/238262@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 430037 [details].
Note You need to log in before you can comment on or make changes to this bug.