+2011-10-27 Filip Pizlo <fpizlo@apple.com>
+
+ Crash in JSC::Structure::materializePropertyMap when viewing Garden-O-Matic
+ https://bugs.webkit.org/show_bug.cgi?id=71045
+
+ Reviewed by Geoff Garen.
+
+ Make sure that if a structure is pinned, it also has a property map.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::getterSetterTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::removePropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::copyPropertyTableForPinning):
+ * runtime/Structure.h:
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+
2011-10-27 Michael Saboff <msaboff@apple.com>
32bit build failure after r98624
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
return transition;
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
if (transition->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
return transition;
Structure* transition = create(globalData, structure);
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->m_dictionaryKind = kind;
transition->pin();
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
- transition->m_propertyTable = structure->copyPropertyTable(globalData, transition);
+ transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->m_preventExtensions = true;
transition->pin();
if (m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
specificValue = 0;
- materializePropertyMapIfNecessary(globalData);
+ materializePropertyMapIfNecessaryForPinning(globalData);
pin();
ASSERT(isUncacheableDictionary());
ASSERT(!m_enumerationCache);
- materializePropertyMapIfNecessary(globalData);
+ materializePropertyMapIfNecessaryForPinning(globalData);
pin();
size_t offset = remove(propertyName);
void Structure::pin()
{
+ ASSERT(m_propertyTable);
m_isPinnedPropertyTable = true;
m_previous.clear();
m_nameInPrevious.clear();
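Review bot: The new `ASSERT(m_propertyTable);` at the top of `pin()` states the invariant without saying why it holds, and, assuming ASSERT is compiled out of release builds as usual, it gives no protection there. The reason is visible two lines further down: `pin()` clears `m_previous`, and the ordinary `materializePropertyMapIfNecessary` only rebuilds a table when `m_previous` is set. I would add a comment above the assertion, for example `// Pinning clears m_previous, so the table must exist now; it cannot be rebuilt from the transition chain afterwards.` It is also worth confirming that no caller of `pin()` outside the sites touched by this commit can reach it without a table. The end of pin()'s body lies outside the hunk.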
return adoptPtr(m_propertyTable ? new PropertyTable(globalData, owner, *m_propertyTable) : 0);
}
+PassOwnPtr<PropertyTable> Structure::copyPropertyTableForPinning(JSGlobalData& globalData, Structure* owner)
+{
+ return adoptPtr(m_propertyTable ? new PropertyTable(globalData, owner, *m_propertyTable) : new PropertyTable(m_offset == noOffset ? 0 : m_offset));
+}
+
size_t Structure::get(JSGlobalData& globalData, StringImpl* propertyName, unsigned& attributes, JSCell*& specificValue)
{
materializePropertyMapIfNecessary(globalData);
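Review bot: `copyPropertyTableForPinning` returns a fresh empty table whenever `m_propertyTable` is null, which is only correct if the caller has already materialized the source structure. Called on a structure that has `m_previous` but no table yet, it would presumably hand back an empty table, and the pinned copy would lose whatever the chain recorded. The call sites changed in this commit all call `materializePropertyMapIfNecessary` first, but nothing in the function enforces that order. A precondition as its first line, `ASSERT(m_propertyTable || !m_previous);`, would make the contract explicit. A one-line comment should also say that the `m_offset == noOffset ? 0 : m_offset` argument appears to be only the initial capacity of the empty table.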
void despecifyAllFunctions(JSGlobalData&);
PassOwnPtr<PropertyTable> copyPropertyTable(JSGlobalData&, Structure* owner);
+ PassOwnPtr<PropertyTable> copyPropertyTableForPinning(JSGlobalData&, Structure* owner);
void materializePropertyMap(JSGlobalData&);
void materializePropertyMapIfNecessary(JSGlobalData& globalData)
{
if (!m_propertyTable && m_previous)
materializePropertyMap(globalData);
}
+ void materializePropertyMapIfNecessaryForPinning(JSGlobalData& globalData)
+ {
+ ASSERT(structure()->classInfo() == &s_info);
+ if (!m_propertyTable)
+ materializePropertyMap(globalData);
+ }
int transitionCount() const
{
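Review bot: `materializePropertyMapIfNecessaryForPinning` drops the `m_previous` test that `materializePropertyMapIfNecessary` keeps, so `materializePropertyMap` is now called on structures that have no previous structure. The bug title names that function as the crash site and the ChangeLog does not list it as changed, so its behaviour with a null `m_previous` cannot be confirmed from this diff. A post-condition `ASSERT(m_propertyTable);` after the call would check the guarantee where it is established rather than only later in `pin()`. The helper also needs a short comment saying how it differs from the non-pinning variant and what `ASSERT(structure()->classInfo() == &s_info);` guards against, since the existing helper has no such check.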