Indexing should only be computed when the new structure has an indexing header.
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 16 Dec 2017 18:20:04 +0000 (18:20 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 16 Dec 2017 18:20:04 +0000 (18:20 +0000)
commit193f4d17d0d45fbae27c5fd4bcc6b7ffbe90743d
tree146917e165b3664c0811b61692a2b5829d7bca14
parent79acf05ef622393bcb175c7965ac60c107843c97
Indexing should only be computed when the new structure has an indexing header.
https://bugs.webkit.org/show_bug.cgi?id=180895

Reviewed by Saam Barati.

If we don't have an indexing header then we point the butterfly
sizeof(IndexingHeader) past the end of the butterfly. This makes
the computation of the offset simpler since it doesn't depend on
the indexing headeriness of the butterfly.

* jit/JITOperations.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226000 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSObjectInlines.h