flattenDictionaryStructure needs to zero properties that have been compressed away
author: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Jun 2018 01:28:03 +0000 (01:28 +0000)
committer: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Jun 2018 01:28:03 +0000 (01:28 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186828

Reviewed by Mark Lam.

This patch fixes a bunch of crashing Mozilla tests on the bots.

* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233001 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Structure.cpp

index d1a45ad..7ce0909 100644 (file)
@@ -1,3 +1,15 @@
+2018-06-19  Keith Miller  <keith_miller@apple.com>
+
+        flattenDictionaryStructure needs to zero properties that have been compressed away
+        https://bugs.webkit.org/show_bug.cgi?id=186828
+
+        Reviewed by Mark Lam.
+
+        This patch fixes a bunch of crashing Mozilla tests on the bots.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
 2018-06-19  Saam Barati  <sbarati@apple.com>
 
         DirectArguments::create needs to initialize to undefined instead of the empty value
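Review bot: the ChangeLog entry ending at `(JSC::Structure::flattenDictionaryStructure):` records what the patch fixes (crashing Mozilla tests on the bots) but not the mechanism, so a reader has only the bug title to go on. It would help to state in the entry that the out-of-line property slots vacated when a dictionary structure is compacted were left holding stale values the GC could later treat as live pointers, and that flattenDictionaryStructure now zeroes that range; a one-line mention that the write-barrier FIXME in the same function was replaced with a rationale would also keep the ChangeLog in step with the second Structure.cpp hunk.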
index 0590e5f..8e0219c 100644 (file)
@@ -779,6 +779,14 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
             object->putDirect(vm, offsetForPropertyNumber(i, m_inlineCapacity), values[i]);
 
         table->clearDeletedOffsets();
+
+        // We need to zero our unused property space; otherwise the GC might see a
+        // stale pointer when we add properties in the future.
+        Butterfly* butterfly = object->butterfly();
+        memset(
+            butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
+            0,
+            (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
     }
 
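Review bot: the `memset(...)` at the end of the hunk clears property slots that, per the comment added in the next hunk, the GC thread may be scanning concurrently, and memset gives no per-slot atomicity guarantee, so a scan could observe a partially written EncodedJSValue. Either a loop that stores `JSValue()` into each slot between `butterfly->base(...)` and the old capacity, or a comment explaining why a torn read is harmless here (the slot is being zeroed and the object is write-barriered afterwards so it will be rescanned), would make the intent explicit. It would also help to note next to `beforeOutOfLineCapacity` that it is the capacity captured before the properties were compacted, since that is what makes `(beforeOutOfLineCapacity - outOfLineSize())` the number of vacated slots rather than the current capacity.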
@@ -803,9 +811,8 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
     WTF::storeStoreFence();
     object->setStructureIDDirectly(id());
 
-    // FIXME: This is probably no longer needed since we have a stronger mechanism
-    // for detecting races and rescanning an object.
-    // https://bugs.webkit.org/show_bug.cgi?id=166989
+    // We need to do a writebarrier here because the GC thread might be scanning the butterfly while
+    // we are shuffling properties around. See: https://bugs.webkit.org/show_bug.cgi?id=166989
     vm.heap.writeBarrier(object);
 
     return this;
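Review bot: in the replacement comment, "writebarrier" should be "write barrier", and the sentence would be clearer if it said what the barrier achieves rather than only why the race exists: the stores to the butterfly in the earlier hunk (the `putDirect` calls and the zeroing of vacated slots) may be missed by an in-progress scan, and `vm.heap.writeBarrier(object)` marks the object so the GC rescans it after the shuffle. Keeping the bug link is good; consider also stating that the earlier FIXME's premise (that a stronger race-detection mechanism makes the barrier unnecessary) turned out not to hold for this path, since that is the reason the FIXME is being retired.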