Changeset 225933 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.h

Timestamp:

Dec 14, 2017, 2:28:09 PM (8 years ago)

Author:

[email protected]

Message:

Fix assertion in JSObject's structure setting methods
​https://bugs.webkit.org/show_bug.cgi?id=180840

Reviewed by Mark Lam.

I forgot that when Typed Arrays have non-indexed properties
added to them, they call the generic code. The generic code
in turn calls the regular structure setting methods. Thus,
these assertions were invalid and we should just avoid setting
the indexing mask if we have a Typed Array.

• runtime/JSObject.h:

(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -1266 +1266 @@
 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
 {
-    ASSERT(!structure()->hijacksIndexingHeader());
-    m_butterflyIndexingMask = butterfly->computeIndexingMask();
+    if (LIKELY(!structure(vm)->hijacksIndexingHeader()))
+        m_butterflyIndexingMask = butterfly->computeIndexingMask();
     ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
@@ -1281 +1281 @@
 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
 {
-    ASSERT(!vm.getStructure(oldStructureID)->hijacksIndexingHeader());
-    m_butterflyIndexingMask = butterfly->computeIndexingMask();
+    if (LIKELY(!vm.getStructure(oldStructureID)->hijacksIndexingHeader()))
+        m_butterflyIndexingMask = butterfly->computeIndexingMask();
     ASSERT(m_butterflyIndexingMask >= butterfly->vectorLength());
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {