Structure::flattenDictionaryStructure should compute max offset in a manner that...
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Feb 2013 23:21:06 +0000 (23:21 +0000)
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Feb 2013 23:21:06 +0000 (23:21 +0000)
commit 16a265aae7f0996b63ac24838b65e3e0ba4d7f47
tree b29ab6c4cfbeb1fa84efbd7d3cd777cd2bf49ea6
parent da6c9eee01cb59140ea67cb8468804ed98a89f4e
Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
https://bugs.webkit.org/show_bug.cgi?id=110155
<rdar://problem/13233773>

Source/JavaScriptCore:

Reviewed by Mark Rowe.

This was a rookie mistake.  It was doing:

for (blah) {
    m_offset = foo // foo monotonically increases in the loop
}

as a way of computing max offset for all of the properties.  Except what if the loop doesn't
execute because there are no properties?  Well, then, you're going to have a bogus m_offset.

The solution is to initialize m_offset at the top of the loop.

* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

LayoutTests:

Reviewed by Mark Rowe.

* fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt: Added.
* fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@143269 268f45cc-cd09-0410-ab3c-d52691b4dbfc
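The pattern the commit message describes, as an added illustration that is not WebKit code: a toy structure whose max property offset is computed by assigning inside a loop over the property table. When every property has been deleted the loop body never runs, so the buggy variant keeps the offset it had before the deletions, while the fixed variant resets the offset before the loop. `Property`, `ToyStructure`, `kInvalidOffset` and the scenario functions are hypothetical names; only the loop shape mirrors the commit.

```cpp
// Added example (not WebKit code): a toy model of the max-offset computation
// discussed in the commit message.  Property, ToyStructure and kInvalidOffset
// are hypothetical names; JSC's real Structure is far more involved.
#include <algorithm>
#include <cstdio>
#include <vector>

constexpr int kInvalidOffset = -1;  // stands in for "no property storage in use"

struct Property {
    const char* name;
    int offset;  // slot index in the object's property storage
};

struct ToyStructure {
    std::vector<Property> table;      // dictionary-mode property table
    int maxOffset = kInvalidOffset;   // analogue of m_offset

    // Buggy shape from the commit: maxOffset is only written inside the loop.
    // Offsets are monotonically increasing, so the last assignment is the max,
    // but an empty table leaves whatever value was there before.
    void flattenBuggy() {
        for (const Property& p : table)
            maxOffset = p.offset;
    }

    // Fixed shape: initialize before the loop, so an empty table yields
    // kInvalidOffset instead of a stale value.
    void flattenFixed() {
        maxOffset = kInvalidOffset;
        for (const Property& p : table)
            maxOffset = std::max(maxOffset, p.offset);
    }

    // Oracle for the invariant a sound flatten must preserve: the recorded
    // max offset equals the max offset actually present in the table.
    bool maxOffsetMatchesTable() const {
        int expected = kInvalidOffset;
        for (const Property& p : table)
            expected = std::max(expected, p.offset);
        return maxOffset == expected;
    }
};

// Scenario named by the layout test: properties existed, were all deleted,
// then the structure was flattened.
static ToyStructure structureWithAllPropertiesDeleted() {
    ToyStructure s;
    s.table = {{"a", 0}, {"b", 1}, {"c", 2}};
    s.flattenFixed();   // maxOffset == 2 while the properties exist
    s.table.clear();    // delete every property
    return s;
}

int buggyOffsetAfterDeletingAll() {
    ToyStructure s = structureWithAllPropertiesDeleted();
    s.flattenBuggy();   // loop body never runs
    return s.maxOffset; // still 2: stale
}

int fixedOffsetAfterDeletingAll() {
    ToyStructure s = structureWithAllPropertiesDeleted();
    s.flattenFixed();
    return s.maxOffset; // kInvalidOffset
}

bool buggyConsistentAfterDeletingAll() {
    ToyStructure s = structureWithAllPropertiesDeleted();
    s.flattenBuggy();
    return s.maxOffsetMatchesTable(); // false: claims storage it no longer has
}

bool fixedConsistentAfterDeletingAll() {
    ToyStructure s = structureWithAllPropertiesDeleted();
    s.flattenFixed();
    return s.maxOffsetMatchesTable(); // true
}

// With properties present both variants agree, which is why the bug hid.
bool variantsAgreeWhenNonEmpty() {
    ToyStructure a, b;
    a.table = b.table = {{"x", 0}, {"y", 1}};
    a.flattenBuggy();
    b.flattenFixed();
    return a.maxOffset == b.maxOffset && a.maxOffset == 1;
}

int main() {
    std::printf("buggy after delete-all: %d (consistent: %d)\n",
                buggyOffsetAfterDeletingAll(), buggyConsistentAfterDeletingAll());
    std::printf("fixed after delete-all: %d (consistent: %d)\n",
                fixedOffsetAfterDeletingAll(), fixedConsistentAfterDeletingAll());
    std::printf("variants agree when non-empty: %d\n", variantsAgreeWhenNonEmpty());
    return 0;
}
```

The `maxOffsetMatchesTable` oracle is the check worth keeping in a debug build: a structure whose recorded max offset disagrees with its property table is exactly the inconsistency the commit fixes, and asserting on it after every flatten catches the empty-table case that a non-empty test suite never exercises.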
LayoutTests/ChangeLog
LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/flatten-dictionary-structure-from-which-all-properties-were-deleted.html [new file with mode: 0644]
LayoutTests/fast/js/jsc-test-list
LayoutTests/fast/js/script-tests/flatten-dictionary-structure-from-which-all-properties-were-deleted.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Structure.cpp