Context Navigation

← Previous Change
Next Change →

JSObjectInlines.h

Timestamp:

Dec 16, 2017, 10:20:04 AM (7 years ago)

Author:

Message:

Indexing should only be computed when the new structure has an indexing header.
https://bugs.webkit.org/show_bug.cgi?id=180895

Reviewed by Saam Barati.

If we don't have an indexing header then we point the butterfly
sizeof(IndexingHeader) past the end of the butterfly. This makes
the computation of the offset simpler since it doesn't depend on
the indexing headeriness of the butterfly.

jit/JITOperations.cpp:
runtime/JSObject.cpp:

(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):

runtime/JSObject.h:

(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):

runtime/JSObjectInlines.h:

(JSC::JSObject::prepareToPutDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):

File:

: 1 edited

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

-              r224927
+              r226000
             if (newOutOfLineCapacity != oldOutOfLineCapacity) {
                 Butterfly* butterfly = allocateMoreOutOfLineStorage(vm, oldOutOfLineCapacity, newOutOfLineCapacity);
                 nukeStructureAndSetButterfly(vm, structureID, butterfly);
+                nukeStructureAndSetButterfly(vm, structureID, butterfly, structure->indexingType());
                 structure->setLastOffset(newLastOffset);
                 WTF::storeStoreFence();
 …
             ASSERT(newStructure != this->structure());
             newButterfly = allocateMoreOutOfLineStorage(vm, currentCapacity, newStructure->outOfLineCapacity());
             nukeStructureAndSetButterfly(vm, structureID, newButterfly);
+            nukeStructureAndSetButterfly(vm, structureID, newButterfly, newStructure->indexingType());
+        }
 …
     if (oldCapacity != newCapacity) {
         Butterfly* newButterfly = allocateMoreOutOfLineStorage(vm, oldCapacity, newCapacity);
         nukeStructureAndSetButterfly(vm, structureID, newButterfly);
+        nukeStructureAndSetButterfly(vm, structureID, newButterfly, newStructure->indexingType());
+    }
     putDirect(vm, offset, value);

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 226000 in webkit for trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

Legend:

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

Download in other formats: