Structure::flattenDictionary() should clear unused property slots.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Mar 2019 16:18:10 +0000 (16:18 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Mar 2019 16:18:10 +0000 (16:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=195871
<rdar://problem/48959497>

Reviewed by Michael Saboff.

JSTests:

* stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.

Source/JavaScriptCore:

It currently attempts to do this but fails because it's actually clearing up the
preCapacity region instead.  The fix is simply to account for the preCapacity
when computing the start address of the property slots.

* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243069 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Structure.cpp

index adc0649..caef4ff 100644 (file)
@@ -1,3 +1,13 @@
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+
 2019-03-15  Mark Lam  <mark.lam@apple.com>
 
         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
diff --git a/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js b/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js
new file mode 100644 (file)
index 0000000..5e72638
--- /dev/null
@@ -0,0 +1,11 @@
+// This test should not crash.
+
+var arr = [];
+arr.x = 0;
+arr.y = 0;
+delete arr["x"];
+
+for (var i = 0; i < 2; ++i)
+    arr.unshift(i);
+
+arr.z = 42;
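Review bot: the test only checks for the absence of a crash (the "This test should not crash." comment), so it should also assert the observable state at the end of the sequence, for example that `arr.y` is still `0`, `arr.z` is `42` and `arr.length` is `2` after the two `unshift` calls. The bug being fixed left unused property slots uncleared while zeroing the preCapacity region instead, and a run that happens not to crash can still leave a stale value behind; value checks on the surviving properties are the cheapest way to notice that regression if the memset range drifts again.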
index 508b33b..e869997 100644 (file)
@@ -1,3 +1,18 @@
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        It currently attempts to do this but fails because it's actually clearing up the
+        preCapacity region instead.  The fix is simply to account for the preCapacity
+        when computing the start address of the property slots.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
 2019-03-18  Robin Morisset  <rmorisset@apple.com>
 
         B3 should reduce Shl(<S|Z>Shr(@x, @const), @const) to BitAnd(@x, -(1<<@const))
index ddf6821..3ca96ad 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -778,10 +778,10 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
             (inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
 
         Butterfly* butterfly = object->butterfly();
-        memset(
-            butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
-            0,
-            (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+        size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
+        void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
+        void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
+        memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
     }
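Review bot: the arithmetic for `startOfPropertyStorageSlots` walks back past `preCapacity` inside `butterfly->base(preCapacity, beforeOutOfLineCapacity)` and then adds `preCapacity` back, which is right when the preCapacity region sits directly below the out-of-line property slots, but that is precisely the step the removed code got wrong, so a short comment stating the layout (e.g. `// base points at the preCapacity region; the property slots start preCapacity values above it`) would keep the next reader from "simplifying" it back. A debug `ASSERT(beforeOutOfLineCapacity >= outOfLineSize());` before the `memset` is also worth adding: `(beforeOutOfLineCapacity - outOfLineSize())` is an unsigned subtraction, and if that precondition were ever violated the length would wrap and the memset would run far past the butterfly.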