JSImmutableButterfly should assert m_header is adjacent to the data
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jun 2018 06:58:47 +0000 (06:58 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jun 2018 06:58:47 +0000 (06:58 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186795

Reviewed by Saam Barati.

* runtime/JSImmutableButterfly.cpp:
* runtime/JSImmutableButterfly.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232954 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSImmutableButterfly.cpp
Source/JavaScriptCore/runtime/JSImmutableButterfly.h

index 13a25db..68a6806 100644 (file)
@@ -1,5 +1,15 @@
 2018-06-18  Keith Miller  <keith_miller@apple.com>
 
+        JSImmutableButterfly should assert m_header is adjacent to the data
+        https://bugs.webkit.org/show_bug.cgi?id=186795
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSImmutableButterfly.cpp:
+        * runtime/JSImmutableButterfly.h:
+
+2018-06-18  Keith Miller  <keith_miller@apple.com>
+
         Unreviewed, fix the build...
 
         * runtime/JSArray.cpp:
index d25bfc6..b38098c 100644 (file)
@@ -54,4 +54,6 @@ void JSImmutableButterfly::copyToArguments(ExecState* exec, VirtualRegister firs
     }
 }
 
+static_assert(JSImmutableButterfly::offsetOfData() == sizeof(JSImmutableButterfly), "m_header needs to be adjacent to Data");
+
 } // namespace JSC
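Review bot: The added static_assert checks less than its message claims. `offsetOfData() == sizeof(JSImmutableButterfly)` only proves that the object size needs no rounding up to a multiple of `sizeof(WriteBarrier<Unknown>)`, not that `m_header` is the last member. A field added after `m_header` that keeps the size aligned would still pass. Any code that locates the header relative to the data pointer (presumably through `toButterfly()`, whose definition is not in this diff) would then read that field as length data, which can lead to out-of-bounds indexing. Consider also asserting the end offset of `m_header` from a place that can access it, and add a comment above the assert such as `// The header must end exactly where the data begins; the butterfly view locates it relative to the data.`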
index 0a69ec7..3ace0ad 100644 (file)
@@ -101,12 +101,12 @@ public:
             toButterfly()->contiguous().atUnsafe(index).set(vm, this, value);
     }
 
-private:
     static constexpr size_t offsetOfData()
     {
         return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(JSImmutableButterfly));
     }
 
+private:
     static Checked<size_t, RecordOverflow> allocationSize(Checked<size_t, RecordOverflow> numItems)
     {
         return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>);
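Review bot: Moving `private:` below `offsetOfData()` makes the accessor public, apparently only so the static_assert added in JSImmutableButterfly.cpp can call it, and nothing in the header says so. If no other caller needs it, the accessor could stay private and the check could live inside a member function body, where the type is complete and private members are reachable. Otherwise add a comment such as `// Public for the layout static_assert in JSImmutableButterfly.cpp.` The class body starts and continues outside this hunk, so other users of the accessor are not visible here.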