author | Mark Hahnenberg <mhahnenberg@apple.com> | 2013-02-04 14:16:39 +0100 |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-02-06 14:45:44 +0100 |
commit | ddfc231cac5d5307df76332cb532224651ae4966 (patch) | |
tree | b13294cb425b90ad76d868db9acd1f16ff0f0369 | |
parent | c27b9870614d273b2f369bb920a328e371b58756 (diff) | |
download | qtwebkit-ddfc231cac5d5307df76332cb532224651ae4966.tar.gz |
Butterfly::growArrayRight shouldn't be called on null Butterfly objects
https://bugs.webkit.org/show_bug.cgi?id=105221
Reviewed by Filip Pizlo.
Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
objects purely by coincidence. We should add a new static function that null checks the old
Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
use in the couple of places in JSObject that expect such behavior to work.
* runtime/Butterfly.h:
(Butterfly):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowArrayRight):
(JSC):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: I643bc988f3e25b6f05be4e99f19fd2dc609152e4
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
-rw-r--r-- | Source/JavaScriptCore/ChangeLog | 21 | ||||
-rw-r--r-- | Source/JavaScriptCore/runtime/Butterfly.h | 4 | ||||
-rw-r--r-- | Source/JavaScriptCore/runtime/ButterflyInlines.h | 7 | ||||
-rw-r--r-- | Source/JavaScriptCore/runtime/JSObject.cpp | 4 |
4 files changed, 33 insertions, 3 deletions
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 411570a9f..350874b43 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,24 @@
+2012-12-17 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Butterfly::growArrayRight shouldn't be called on null Butterfly objects
+ https://bugs.webkit.org/show_bug.cgi?id=105221
+
+ Reviewed by Filip Pizlo.
+
+ Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
+ objects purely by coincidence. We should add a new static function that null checks the old
+ Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
+ use in the couple of places in JSObject that expect such behavior to work.
+
+ * runtime/Butterfly.h:
+ (Butterfly):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createOrGrowArrayRight):
+ (JSC):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::createArrayStorage):
+
 2013-01-02 Simon Hausmann <simon.hausmann@digia.com>
 
 [MinGW-w64] Centralize workaround for pow() implementation
diff --git a/Source/JavaScriptCore/runtime/Butterfly.h b/Source/JavaScriptCore/runtime/Butterfly.h
index 4b8d53f7e..bbbda9461 100644
--- a/Source/JavaScriptCore/runtime/Butterfly.h
+++ b/Source/JavaScriptCore/runtime/Butterfly.h
@@ -110,7 +110,9 @@ public:
 void* base(size_t preCapacity, size_t propertyCapacity) { return propertyStorage() - propertyCapacity - preCapacity; }
 void* base(Structure*);
-
+
+ static Butterfly* createOrGrowArrayRight(Butterfly*, JSGlobalData&, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes);
+
 // The butterfly reallocation methods perform the reallocation itself but do not change any
 // of the meta-data to reflect that the reallocation occurred. Note that this set of
 // methods is not exhaustive and is not intended to encapsulate all possible allocation
diff --git a/Source/JavaScriptCore/runtime/ButterflyInlines.h b/Source/JavaScriptCore/runtime/ButterflyInlines.h
index 9167497a4..f01458950 100644
--- a/Source/JavaScriptCore/runtime/ButterflyInlines.h
+++ b/Source/JavaScriptCore/runtime/ButterflyInlines.h
@@ -99,6 +99,13 @@ inline Butterfly* Butterfly::growPropertyStorage(JSGlobalData& globalData, Struc
 globalData, oldStructure, oldStructure->outOfLineCapacity(), newPropertyCapacity);
 }
 
+inline Butterfly* Butterfly::createOrGrowArrayRight(Butterfly* oldButterfly, JSGlobalData& globalData, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes)
+{
+ if (!oldButterfly)
+ return create(globalData, 0, propertyCapacity, true, IndexingHeader(), newIndexingPayloadSizeInBytes);
+ return oldButterfly->growArrayRight(globalData, oldStructure, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes, newIndexingPayloadSizeInBytes);
+}
+
 inline Butterfly* Butterfly::growArrayRight(JSGlobalData& globalData, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes)
 {
 ASSERT_UNUSED(oldStructure, !indexingHeader()->preCapacity(oldStructure));
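Review bot: The new `createOrGrowArrayRight` declaration in Butterfly.h has no comment, although the block directly below it documents the contract of the other reallocation methods, so a reader of the header cannot tell that this is the one entry point that accepts a null first argument. Suggest a line above the declaration such as `// Like growArrayRight, but allocates a fresh Butterfly when the old one is null; the old-butterfly parameters are ignored in that case.` The class body continues outside the hunk.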
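Review bot: In the null branch of `createOrGrowArrayRight` in ButterflyInlines.h, `oldStructure`, `hadIndexingHeader` and `oldIndexingPayloadSizeInBytes` are silently dropped, so a caller that passes a null butterfly together with a non-zero old payload size or `hadIndexingHeader == true` gets a fresh butterfly that carries nothing of what it asked to preserve. The two callers in this commit pass `false, 0`, but nothing enforces that; an `ASSERT(!hadIndexingHeader && !oldIndexingPayloadSizeInBytes);` before the `create` call would pin the contract. The `0` and `true` literals in the `create(...)` call are also unnamed; a short comment saying what each one is (presumably pre-capacity and has-indexing-header — confirm against the `create` signature) would help the next reader.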
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index dc73e04b0..1b3d71cfd 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -610,7 +610,7 @@ Butterfly* JSObject::createInitialIndexedStorage(JSGlobalData& globalData, unsig
 ASSERT(!structure()->needsSlowPutIndexing());
 ASSERT(!indexingShouldBeSparse());
 unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
- Butterfly* newButterfly = m_butterfly->growArrayRight(
+ Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(m_butterfly,
 globalData, structure(), structure()->outOfLineCapacity(), false, 0, elementSize * vectorLength);
 newButterfly->setPublicLength(length);
@@ -656,7 +656,7 @@ ArrayStorage* JSObject::createArrayStorage(JSGlobalData& globalData, unsigned le
 {
 IndexingType oldType = structure()->indexingType();
 ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
- Butterfly* newButterfly = m_butterfly->growArrayRight(
+ Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(m_butterfly,
 globalData, structure(), structure()->outOfLineCapacity(), false, 0, ArrayStorage::sizeFor(vectorLength));
 if (!newButterfly) |
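Review bot: The first hunk (`createInitialIndexedStorage`) dereferences the result immediately with `newButterfly->setPublicLength(length)`, while the second hunk (`createArrayStorage`) follows the same `createOrGrowArrayRight` call with `if (!newButterfly)`; the two callers disagree on whether the new helper can return null. If allocation can fail, as the second check implies, the first call site needs the same guard before the dereference; if it cannot, the check in `createArrayStorage` is dead and misleading. Either way it is worth settling in a comment on `createOrGrowArrayRight` whether a null return is possible. Both function bodies continue outside their hunks.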