Fix assertion in JSObject's structure setting methods
Author: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu, 14 Dec 2017 22:28:09 +0000 (22:28 +0000)
Committer: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu, 14 Dec 2017 22:28:09 +0000 (22:28 +0000)
https://bugs.webkit.org/show_bug.cgi?id=180840

Reviewed by Mark Lam.

I forgot that when Typed Arrays have non-indexed properties
added to them, they call the generic code. The generic code
in turn calls the regular structure setting methods. Thus,
these assertions were invalid and we should just avoid setting
the indexing mask if we have a Typed Array.

* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225933 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.h

Source/JavaScriptCore/ChangeLog
index 5f43773..d1e1d5e 100644
@@ -1,3 +1,20 @@
+2017-12-14  Keith Miller  <keith_miller@apple.com>
+
+        Fix assertion in JSObject's structure setting methods
+        https://bugs.webkit.org/show_bug.cgi?id=180840
+
+        Reviewed by Mark Lam.
+
+        I forgot that when Typed Arrays have non-indexed properties
+        added to them, they call the generic code. The generic code
+        in turn calls the regular structure setting methods. Thus,
+        these assertions were invalid and we should just avoid setting
+        the indexing mask if we have a Typed Array.
+
+        * runtime/JSObject.h:
+        (JSC::JSObject::setButterfly):
+        (JSC::JSObject::nukeStructureAndSetButterfly):
+
 2017-12-14  Michael Saboff  <msaboff@apple.com>
 
         REGRESSION (r225695): Repro crash on yahoo login page
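Review bot: the ChangeLog entry says the fix is to "avoid setting the indexing mask if we have a Typed Array", but the code below keys on structure()->hijacksIndexingHeader() rather than on the object being a Typed Array, and on that path m_butterflyIndexingMask is simply left at whatever value it held before. Worth stating both points in this entry (what the condition actually is, and that the previous mask is intentionally retained) so a later reader does not expect the mask to be reset for those objects.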
Source/JavaScriptCore/runtime/JSObject.h
index d6aceaa..0ae9b2f 100644
@@ -1265,8 +1265,8 @@ inline void JSObject::setButterflyWithIndexingMask(VM& vm, Butterfly* butterfly,
 
 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
 {
-    ASSERT(!structure()->hijacksIndexingHeader());
-    m_butterflyIndexingMask = butterfly->computeIndexingMask();
+    if (LIKELY(!structure(vm)->hijacksIndexingHeader()))
+        m_butterflyIndexingMask = butterfly->computeIndexingMask();
     ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
         WTF::storeStoreFence();
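Review bot: the assertion that follows the new guard, `ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());`, still runs unconditionally, but on the hijacksIndexingHeader() path the mask is no longer recomputed and, as the name of the check implies, the butterfly's indexing header is not being used as a plain vector length, so the comparison is between a stale mask and a value that has no meaning for this butterfly. Suggest moving the assertion into the guarded branch so it only checks the case the mask was actually computed for:
    if (LIKELY(!structure(vm)->hijacksIndexingHeader())) {
        m_butterflyIndexingMask = butterfly->computeIndexingMask();
        ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
    }
The switch from structure() to structure(vm) is fine and matches the vm.getStructure(oldStructureID) lookup in nukeStructureAndSetButterfly below.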
@@ -1280,8 +1280,8 @@ inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
 
 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
 {
-    ASSERT(!vm.getStructure(oldStructureID)->hijacksIndexingHeader());
-    m_butterflyIndexingMask = butterfly->computeIndexingMask();
+    if (LIKELY(!vm.getStructure(oldStructureID)->hijacksIndexingHeader()))
+        m_butterflyIndexingMask = butterfly->computeIndexingMask();
     ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
         setStructureIDDirectly(nuke(oldStructureID));
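Review bot: same concern as in setButterfly: the unconditional `ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());` should move inside the new `if (LIKELY(...))` branch, since on the hijacked path the mask is not recomputed here either. Beyond that, both methods now carry an identical guard-then-compute sequence; given that a setButterflyWithIndexingMask(VM&, Butterfly*, ...) overload already exists (visible in the first hunk's context line), consider computing the mask in one small shared helper that both methods call, so the hijacksIndexingHeader() special case cannot drift between the two copies.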