RESOLVED FIXED 186960
unshift should zero unused property storage 
https://bugs.webkit.org/show_bug.cgi?id=186960
Summary unshift should zero unused property storage
Keith Miller
Reported 2018-06-22 21:07:50 PDT
unshift should zero property storage
Attachments
Patch (7.75 KB, patch)
2018-06-22 21:09 PDT, Keith Miller 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2018-06-22 21:09:48 PDT
Created attachment 343417 [details] Patch
Keith Miller
Comment 2 2018-06-22 21:10:27 PDT
rdar://problem/41366776
Saam Barati
Comment 3 2018-06-22 22:14:15 PDT
Comment on attachment 343417 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=343417&action=review r=me > Source/JavaScriptCore/ChangeLog:9 > + one more place it was missing. And the zeroing
Keith Miller
Comment 4 2018-06-22 22:19:06 PDT
Comment on attachment 343417 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=343417&action=review >> Source/JavaScriptCore/ChangeLog:9 >> + one more place it was missing. > > And the zeroing I guess I should start this sentence with also. I figured the zeroing part was implied by the title.
Keith Miller
Comment 5 2018-06-22 22:27:51 PDT
Committed r233121: <https://trac.webkit.org/changeset/233121>
Truitt Savell
Comment 6 2018-06-26 11:27:50 PDT
Around 100 JSC tests are failing after the assertion change that was made. output: https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/1180/steps/jscore-test/logs/stdio Example of Failure: stress/dfg-put-getter-by-val-class.js.default: ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)) stress/dfg-put-getter-by-val-class.js.default: /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/runtime/JSObjectInlines.h(335) : bool JSC::JSObject::putDirectInternal(JSC::VM &, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot &) 1 0x10ed66a69 WTFCrash 2 0x10eea5766 bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) 3 0x10eea4580 JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) 4 0x110008bf2 JSC::JSFunction::reifyName(JSC::VM&, JSC::ExecState*, WTF::String) 5 0x1100088b9 JSC::JSFunction::setFunctionName(JSC::ExecState*, JSC::JSValue) 6 0x10fd17395 operationSetFunctionName 7 0x547d9a5f728 8 0x10ee58ddc llint_entry 9 0x10ee50842 vmEntryToJavaScript 10 0x10fcacfaa JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 11 0x10fcac551 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) 12 0x10ff63947 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 13 0x10ec9fd00 runWithOptions(GlobalObject*, CommandLine&, bool&) 14 0x10ec7748c jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const 15 0x10ec5ecb4 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&) 16 0x10ec5d79f jscmain(int, char**) 17 0x10ec5d6fe main 18 0x7fff6e830015 start stress/dfg-put-getter-by-val-class.js.default: test_script_7860: line 2: 10510 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true dfg-put-getter-by-val-class.js ) stress/dfg-put-getter-by-val-class.js.default: ERROR: Unexpected exit code: 139 FAIL: stress/dfg-put-getter-by-val-class.js.default
Note You need to log in before you can comment on or make changes to this bug.