From 71c444bd446bc5e7e8fee9782dcef7b9fa07784f Mon Sep 17 00:00:00 2001
From: "keith_miller@apple.com"
Date: Thu, 4 Jan 2018 20:58:31 +0000
Subject: [PATCH] Array Storage operations sometimes did not update the indexing mask correctly.

https://bugs.webkit.org/show_bug.cgi?id=181301

Reviewed by Mark Lam.

I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226416 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 14 ++++++++++++++
 Source/JavaScriptCore/runtime/JSArray.cpp | 2 +-
 Source/JavaScriptCore/runtime/JSObject.cpp | 1 +
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 834f2a3..2d32f1c 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2018-01-04 Keith Miller
+
+        Array Storage operations sometimes did not update the indexing mask correctly.
+        https://bugs.webkit.org/show_bug.cgi?id=181301
+
+        Reviewed by Mark Lam.
+
+        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::increaseVectorLength):
+
 2018-01-04 Yusuke Suzuki
 
         [DFG] Define defs for MapSet/SetAdd to participate in CSE
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 6897fcb..2244d72 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -835,13 +835,13 @@ bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned c
         // the start of the Butterfly, which needs to point at the first indexed property in the used
         // portion of the vector.
         Butterfly* butterfly = this->butterfly()->shift(structure(), count);
-        setButterfly(vm, butterfly);
         storage = butterfly->arrayStorage();
         storage->m_indexBias += count;
 
         // Since we're consuming part of the vector by moving its beginning to the left,
         // we need to modify the vector length appropriately.
         storage->setVectorLength(vectorLength - count);
+        setButterfly(vm, butterfly);
     } else {
         // The number of elements before the shift region is greater than or equal to the number
         // of elements after the shift region, so we move the elements after the shift region to the left.
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 6e6779b..a9ee8df 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -3135,6 +3135,7 @@ bool JSObject::increaseVectorLength(VM& vm, unsigned newLength)
     for (unsigned i = vectorLength; i < availableVectorLength; ++i)
         storage->m_vector[i].clear();
     storage->setVectorLength(availableVectorLength);
+    m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();
     return true;
 }
-- 
1.8.3.1
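Review bot: Moving `setButterfly(vm, butterfly)` below `storage->setVectorLength(vectorLength - count)` is load-bearing but undocumented — nothing in the hunk says why the call must come last, and the bug being fixed shows how easily that ordering regresses. Presumably setButterfly() derives the indexing mask from the butterfly's vector length, so calling it before setVectorLength() captured a stale length; I would add `// setButterfly() recomputes the indexing mask from the vector length, so it must run after setVectorLength().` above the moved line. Between `shift()` and the moved call the object still publishes the old butterfly while `storage` is taken from the new one; if that window is safe only because nothing in it can observe the object or trigger a collection, the same comment should say so. shiftCountWithArrayStorage starts and ends outside the hunk, so I could not check the other branches for the same pattern.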
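Review bot: The added `m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();` writes the member directly instead of going through the path setButterfly() uses (the JSArray.cpp hunk in this same patch relies on setButterfly() to refresh the mask), so there are now two places that must agree on how the mask is derived from the vector length. If a helper that refreshes the mask exists or can be added, calling it from both sites keeps them in lockstep; otherwise a comment on the new line, `// The indexing mask is derived from the vector length; refresh it whenever the length changes.`, would at least record the invariant. increaseVectorLength starts outside the hunk, so any earlier branch that changes the vector length without calling setButterfly() needs the same update and should be checked. A mask that lags the vector length appears to be more than a correctness issue, since the mask is what clamps indexed butterfly accesses.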