Timestamp:
Feb 5, 2016, 11:52:19 AM (9 years ago)
Author:
[email protected]
Message:

Arrayify for a typed array shouldn't create a monster
https://bugs.webkit.org/show_bug.cgi?id=153908
rdar://problem/24290639

Reviewed by Mark Lam.

Previously if you convinced the DFG to emit an Arrayify to ArrayStorage and then gave it a
typed array, you'd corrupt the object.

  • runtime/JSArrayBufferView.cpp:

(WTF::printInternal):

  • runtime/JSArrayBufferView.h:
  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

  • runtime/JSObject.cpp:

(JSC::JSObject::copyButterfly):
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::ensureInt32Slow):
(JSC::JSObject::ensureDoubleSlow):
(JSC::JSObject::ensureContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC::JSObject::growOutOfLineStorage):
(JSC::getBoundSlotBaseFunctionForGetterSetter):

  • runtime/Structure.h:
  • tests/stress/arrayify-array-storage-typed-array.js: Added. This test failed.
  • tests/stress/arrayify-int32-typed-array.js: Added. This test case already had other protections, but we beefed them up.
File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/Structure.h

    r194869 r196179  
    11/*
    2  * Copyright (C) 2008, 2009, 2012-2015 Apple Inc. All rights reserved.
     2 * Copyright (C) 2008, 2009, 2012-2016 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    321321            && (offset < m_inlineCapacity || offset >= firstOutOfLineOffset);
    322322    }
     323
     324    bool hijacksIndexingHeader() const
     325    {
     326        return isTypedView(m_classInfo->typedArrayStorageType);
     327    }
    323328   
    324329    bool couldHaveIndexingHeader() const
    325330    {
    326331        return hasIndexedProperties(indexingType())
    327             || isTypedView(m_classInfo->typedArrayStorageType);
     332            || hijacksIndexingHeader();
    328333    }
    329334   
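Review bot: the new predicate `hijacksIndexingHeader()` (lines 324-327) is public and uncommented, and the verb "hijacks" does not say what the caller is supposed to do with a true answer. Since the ChangeLog says this fix exists because an Arrayify to Int32/Double/Contiguous/ArrayStorage on a typed array corrupted the object, a short comment above the declaration should state the invariant the name encodes: a structure that answers true must never be given indexed butterfly storage, so `JSObject::ensureInt32Slow`, `ensureDoubleSlow`, `ensureContiguousSlow` and `ensureArrayStorageSlow` are expected to check it and bail. Note also that those callers live in `runtime/JSObject.cpp`, which is listed in the ChangeLog but is not part of this page's diff (only `Structure.h` is shown), so the enforcement side of the invariant cannot be reviewed here; a reader auditing this change should look at that file's hunks as well. The refactor of `couldHaveIndexingHeader()` (lines 329-333) to call the new helper is behavior-preserving, since the replaced expression on line 327 was exactly `isTypedView(m_classInfo->typedArrayStorageType)`.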