Remove incorrect ASSERT from CopyVisitor::visitItem
authormhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Aug 2013 20:31:02 +0000 (20:31 +0000)
committermhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Aug 2013 20:31:02 +0000 (20:31 +0000)
Rubber stamped by Filip Pizlo.

Source/JavaScriptCore:

* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::visitItem):

LayoutTests:

Added a new test that triggered the old ASSERT. It's a useful test to have because we create
TypedArrays with custom properties.

* fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt: Added.
* fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html: Added.
* fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@154407 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html [new file with mode: 0644]
LayoutTests/fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/CopyVisitorInlines.h

index 6a1d945..98cdf80 100644 (file)
@@ -1,3 +1,16 @@
+2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Remove incorrect ASSERT from CopyVisitor::visitItem
+
+        Rubber stamped by Filip Pizlo.
+
+        Added a new test that triggered the old ASSERT. It's a useful test to have because we create
+        TypedArrays with custom properties.
+
+        * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt: Added.
+        * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html: Added.
+        * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js: Added.
+
 2013-08-21  Tim Horton  <timothy_horton@apple.com>
 
         REGRESSION(r154399): broke Mac ML debug WK1 tests > 50 crashes (Requested by thorton on #webkit).
diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt b/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt
new file mode 100644 (file)
index 0000000..872091e
--- /dev/null
@@ -0,0 +1,10 @@
+JSRegress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html b/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html
new file mode 100644 (file)
index 0000000..477483f
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="resources/regress-pre.js"></script>
+<script src="script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js"></script>
+<script src="resources/regress-post.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js
new file mode 100644 (file)
index 0000000..dd1ca9c
--- /dev/null
@@ -0,0 +1,19 @@
+var array = new Array(10000);
+
+var fragmentedArray = [];
+
+for (var i = 0; i < 100000; ++i) {
+    var newArray = new Int8Array(new ArrayBuffer(1000));
+    if (i % 10 === 0)
+        newArray.customProperty = "foo";
+    for (var j = 0; j < 10; j++)
+        fragmentedArray = new Array(10);
+    array[i % array.length] = newArray;
+}
+
+for (var i = 0; i < array.length; ++i) {
+    if (array[i].length != 1000)
+        throw "Error: bad length: " + array[i].length;
+    if (array[i].buffer.byteLength != 1000)
+        throw "Error: bad buffer.byteLength: " + array[i].buffer.byteLength;
+}
index 860a1ea..cb04d8a 100644 (file)
@@ -1,3 +1,12 @@
+2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Remove incorrect ASSERT from CopyVisitor::visitItem
+
+        Rubber stamped by Filip Pizlo.
+
+        * heap/CopyVisitorInlines.h:
+        (JSC::CopyVisitor::visitItem):
+
 2013-08-21  Gavin Barraclough  <barraclough@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=120127
index c2a741a..78a7565 100644 (file)
@@ -37,7 +37,6 @@ namespace JSC {
 inline void CopyVisitor::visitItem(CopyWorklistItem item)
 {
     if (item.token() == ButterflyCopyToken) {
-        ASSERT(item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore);
         JSObject::copyBackingStore(item.cell(), *this, ButterflyCopyToken);
         return;
     }