Map should not be in JSGlobalObject's static hashtable because it's initialized eager...
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 May 2016 19:01:35 +0000 (19:01 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 May 2016 19:01:35 +0000 (19:01 +0000)
https://bugs.webkit.org/show_bug.cgi?id=158031
rdar://problem/26353661

Reviewed by Geoffrey Garen.

We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
not a LazyClassStructure<> and there is nothing lazy about it.

* runtime/JSGlobalObject.cpp: The fix is to remove Map here.
* runtime/Lookup.cpp: Add some dumping on the assert path.
(JSC::setUpStaticFunctionSlot):
* tests/stress/override-map-constructor.js: Added. This test used to crash.
(Map):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201340 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/Lookup.cpp
Source/JavaScriptCore/tests/stress/override-map-constructor.js [new file with mode: 0644]

index 7feb177..db31037 100644 (file)
@@ -1,5 +1,22 @@
 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
 
+        Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
+        https://bugs.webkit.org/show_bug.cgi?id=158031
+        rdar://problem/26353661
+
+        Reviewed by Geoffrey Garen.
+        
+        We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
+        not a LazyClassStructure<> and there is nothing lazy about it.
+
+        * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
+        * runtime/Lookup.cpp: Add some dumping on the assert path.
+        (JSC::setUpStaticFunctionSlot):
+        * tests/stress/override-map-constructor.js: Added. This test used to crash.
+        (Map):
+
+2016-05-24  Filip Pizlo  <fpizlo@apple.com>
+
         LLInt64 should have typed array fast paths for get_by_val
         https://bugs.webkit.org/show_bug.cgi?id=157931
 
index 02b612d..7a5b05c 100644 (file)
@@ -239,7 +239,6 @@ const GlobalObjectMethodTable JSGlobalObject::s_globalObjectMethodTable = { &all
   Float64Array          JSGlobalObject::m_typedArrayFloat64          DontEnum|ClassStructure
   DataView              JSGlobalObject::m_typedArrayDataView         DontEnum|ClassStructure
   Set                   JSGlobalObject::m_setStructure               DontEnum|ClassStructure
-  Map                   JSGlobalObject::m_mapStructure               DontEnum|ClassStructure
   Date                  JSGlobalObject::m_dateStructure              DontEnum|ClassStructure
   Boolean               JSGlobalObject::m_booleanObjectStructure     DontEnum|ClassStructure
   Number                JSGlobalObject::m_numberObjectStructure      DontEnum|ClassStructure
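Review bot: The Set row directly above the removed Map line is still listed as DontEnum|ClassStructure, and nothing in this hunk shows whether m_setStructure is a LazyClassStructure<> or another eagerly initialized WriteBarrier<> like m_mapStructure. Please confirm that every remaining ClassStructure row in this table refers to a lazy member, since the same mismatch on another row would presumably end up on the same assert path in setUpStaticFunctionSlot. A compile-time check tying the ClassStructure attribute to the member's type would keep the table and the field declarations from drifting apart again.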
index 2e41ca1..2ef4744 100644 (file)
@@ -77,11 +77,16 @@ bool setUpStaticFunctionSlot(ExecState* exec, const HashTableValue* entry, JSObj
         } else if (entry->attributes() & PropertyCallback) {
             JSValue result = entry->lazyPropertyCallback()(vm, thisObj);
             thisObj->putDirect(vm, propertyName, result, attributesForStructure(entry->attributes()));
-        } else
+        } else {
+            dataLog("Static hashtable entry for ", propertyName, " has weird attributes: ", entry->attributes(), "\n");
             RELEASE_ASSERT_NOT_REACHED();
+        }
 
         offset = thisObj->getDirectOffset(vm, propertyName, attributes);
-        RELEASE_ASSERT(isValidOffset(offset));
+        if (!isValidOffset(offset)) {
+            dataLog("Static hashtable initialiation for ", propertyName, " did not produce a property.\n");
+            RELEASE_ASSERT_NOT_REACHED();
+        }
     }
 
     if (isAccessor)
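Review bot: The second added dataLog string reads "Static hashtable initialiation for"; it should say "initialization", otherwise anyone searching crash logs for the correctly spelled word will miss this line. In the first added dataLog, entry->attributes() is printed as a bare number, so the reader has to decode the bits by hand; printing it in hex, or naming the attribute bits that were tested in the preceding branches, would make the message directly actionable. Both messages run immediately before RELEASE_ASSERT_NOT_REACHED(), so it is worth confirming that the log output is flushed before the process dies.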
diff --git a/Source/JavaScriptCore/tests/stress/override-map-constructor.js b/Source/JavaScriptCore/tests/stress/override-map-constructor.js
new file mode 100644 (file)
index 0000000..d98fa5a
--- /dev/null
@@ -0,0 +1,2 @@
+function Map() {
+}
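Review bot: The new test only declares function Map() { } and passes by not crashing, so it would keep passing if the override were silently ignored and the builtin Map stayed in place. Consider adding a check after the declaration that the global Map is now the user function, for example that typeof (new Map).set is "undefined", and throwing an Error otherwise. Equivalent override tests for the constructors still marked ClassStructure in JSGlobalObject.cpp (Set, Date, Boolean, Number in the visible rows) would cover the rest of the table against the same kind of mismatch.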