Array Storage operations sometimes did not update the indexing mask correctly.
author    keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 4 Jan 2018 20:58:31 +0000 (20:58 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 4 Jan 2018 20:58:31 +0000 (20:58 +0000)
https://bugs.webkit.org/show_bug.cgi?id=181301

Reviewed by Mark Lam.

I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226416 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSObject.cpp

index 834f2a3..2d32f1c 100644 (file)
@@ -1,3 +1,17 @@
+2018-01-04  Keith Miller  <keith_miller@apple.com>
+
+        Array Storage operations sometimes did not update the indexing mask correctly.
+        https://bugs.webkit.org/show_bug.cgi?id=181301
+
+        Reviewed by Mark Lam.
+
+        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::increaseVectorLength):
+
 2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [DFG] Define defs for MapSet/SetAdd to participate in CSE
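Review bot: the ChangeLog entry names the symptom but not the mechanism, so a later reader cannot tell from it why the two code changes are correct. The JSArray.cpp change is purely a reordering (setButterfly() moved after setVectorLength()) and the JSObject.cpp change is an explicit recomputation of m_butterflyIndexingMask after an in-place growth; one sentence stating that the indexing mask is derived from the butterfly's vector length and therefore has to be refreshed whenever the vector length changes would explain both. Since the tests are deferred to bug 181303, it would also help to say which cases the follow-up is expected to cover (shift on ArrayStorage, and growth of an existing vector in increaseVectorLength()).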
index 6897fcb..2244d72 100644 (file)
@@ -835,13 +835,13 @@ bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned c
         // the start of the Butterfly, which needs to point at the first indexed property in the used
         // portion of the vector.
         Butterfly* butterfly = this->butterfly()->shift(structure(), count);
-        setButterfly(vm, butterfly);
         storage = butterfly->arrayStorage();
         storage->m_indexBias += count;
 
         // Since we're consuming part of the vector by moving its beginning to the left,
         // we need to modify the vector length appropriately.
         storage->setVectorLength(vectorLength - count);
+        setButterfly(vm, butterfly);
     } else {
         // The number of elements before the shift region is greater than or equal to the number 
         // of elements after the shift region, so we move the elements after the shift region to the left.
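Review bot: this hunk now relies on an ordering invariant that nothing in the code states: setButterfly(vm, butterfly) must run after storage->setVectorLength(vectorLength - count), presumably because setButterfly() is what recomputes the indexing mask from the butterfly's vector length (the commit title and the JSObject.cpp hunk both point that way). Put a comment on the moved line, e.g. `// setButterfly() recomputes the indexing mask from the vector length, so it must come after setVectorLength().`, so the next person editing this block does not move it back to where it was. A debug assertion after setButterfly() that the mask is consistent with the shrunk vector length would catch a regression before the follow-up tests in bug 181303 land. Note too that between butterfly()->shift() and setButterfly() the object's own butterfly pointer is stale while `storage` already refers to the shifted one; nothing visible in the hunk allocates in that window, but that is worth mentioning in the same comment.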
index 6e6779b..a9ee8df 100644 (file)
@@ -3135,6 +3135,7 @@ bool JSObject::increaseVectorLength(VM& vm, unsigned newLength)
         for (unsigned i = vectorLength; i < availableVectorLength; ++i)
             storage->m_vector[i].clear();
         storage->setVectorLength(availableVectorLength);
+        m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();
         return true;
     }
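Review bot: the mask is refreshed only on the in-place growth path shown here (the branch that ends in `return true` after `storage->setVectorLength(availableVectorLength)`); the other return paths of increaseVectorLength() are not in the diff, so please confirm that every path that changes the vector length either goes through setButterfly() or recomputes the mask the same way. The new line `m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();` also duplicates whatever setButterfly() does to the mask; a small helper on JSObject that sets the mask from the current butterfly, used here and in setButterfly(), would keep the two from drifting apart. Finally, computing the mask from storage->butterfly() rather than from this object's butterfly() is only right if they are the same object; an ASSERT(storage->butterfly() == butterfly()) next to the new line would make that assumption explicit.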