Ignore:
Timestamp:
Aug 21, 2013, 1:53:57 PM (12 years ago)
Author:
[email protected]
Message:

Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
https://bugs.webkit.org/show_bug.cgi?id=120099

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
JSDataView may have ordinary JS indexed properties.

  • runtime/ClassInfo.h:
  • runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::finishCreation):

  • runtime/JSArrayBufferView.h:

(JSC::hasArrayBuffer):

  • runtime/JSArrayBufferViewInlines.h:

(JSC::JSArrayBufferView::buffer):
(JSC::JSArrayBufferView::neuter):
(JSC::JSArrayBufferView::byteOffset):

  • runtime/JSCell.cpp:

(JSC::JSCell::slowDownAndWasteMemory):

  • runtime/JSCell.h:
  • runtime/JSDataView.cpp:

(JSC::JSDataView::JSDataView):
(JSC::JSDataView::create):
(JSC::JSDataView::slowDownAndWasteMemory):

  • runtime/JSDataView.h:

(JSC::JSDataView::buffer):

  • runtime/JSGenericTypedArrayView.h:
  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::::visitChildren):
(JSC::::slowDownAndWasteMemory):

LayoutTests:

Reviewed by Mark Hahnenberg.

  • fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived-expected.txt: Added.
  • fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived.html: Added.
  • fast/js/regress/ArrayBuffer-DataView-alloc-long-lived-expected.txt: Added.
  • fast/js/regress/ArrayBuffer-DataView-alloc-long-lived.html: Added.
  • fast/js/regress/DataView-custom-properties-expected.txt: Added.
  • fast/js/regress/DataView-custom-properties.html: Added.
  • fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-large-long-lived.js: Added.
  • fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-long-lived.js: Added.
  • fast/js/regress/script-tests/DataView-custom-properties.js: Added.
  • platform/mac/TestExpectations:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/runtime/JSCell.h

    r154373 r154408  
    168168    static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
    169169    static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
    170     JS_EXPORT_PRIVATE static NO_RETURN_DUE_TO_CRASH void slowDownAndWasteMemory(JSArrayBufferView*);
     170    JS_EXPORT_PRIVATE static ArrayBuffer* slowDownAndWasteMemory(JSArrayBufferView*);
    171171    JS_EXPORT_PRIVATE static PassRefPtr<ArrayBufferView> getTypedArrayImpl(JSArrayBufferView*);
    172172
Note: See TracChangeset for help on using the changeset viewer.