Changeset 54129 in webkit for trunk/JavaScriptCore/runtime/Structure.cpp

Timestamp:

Feb 1, 2010, 1:43:01 AM (15 years ago)

Author:

[email protected]

Message:

2010-01-31 Oliver Hunt <​[email protected]>

Reviewed by Maciej Stachowiak.

JSC is failing to propagate anonymous slot count on some transitions
​https://bugs.webkit.org/show_bug.cgi?id=34321

Remove secondary Structure constructor, and make Structure store a copy
of the number of anonymous slots directly so saving an immediate allocation
of a property map for all structures with anonymous storage, which also
avoids the leaked property map on new property transition in the original
version of this patch.

We need to propagate the the anonymous slot count otherwise we can end up
with a structure recording incorrect information about the available and
needed space for property storage, or alternatively incorrectly reusing
some slots.

• JavaScriptCore.exp:
• runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransition): (JSC::Structure::changePrototypeTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::getterSetterTransition): (JSC::Structure::toDictionaryTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::copyPropertyTable): (JSC::Structure::put): (JSC::Structure::remove): (JSC::Structure::insertIntoPropertyMapHashTable): (JSC::Structure::createPropertyMapHashTable):
• runtime/Structure.h: (JSC::Structure::create): (JSC::Structure::hasAnonymousSlots): (JSC::Structure::anonymousSlotCount):

2010-02-01 Oliver Hunt <​[email protected]>

Reviewed by Maciej Stachowiak.

JSC is failing to propagate anonymous slot count on some transitions
​https://bugs.webkit.org/show_bug.cgi?id=34321

Add test case for modifying DOM objects with anonymous storage.

• fast/dom/Window/anonymous-slot-with-changes-expected.txt: Added.
• fast/dom/Window/anonymous-slot-with-changes.html: Added.

File:

• trunk/JavaScriptCore/runtime/Structure.cpp (modified) (20 diffs)

trunk/JavaScriptCore/runtime/Structure.cpp

@@ -124 +124 @@
 }
 
-Structure::Structure(JSValue prototype, const TypeInfo& typeInfo)
+Structure::Structure(JSValue prototype, const TypeInfo& typeInfo, unsigned anonymousSlotCount)
     : m_typeInfo(typeInfo)
     , m_prototype(prototype)
@@ -136 +136 @@
     , m_attributesInPrevious(0)
     , m_specificFunctionThrashCount(0)
+    , m_anonymousSlotCount(anonymousSlotCount)
 {
     ASSERT(m_prototype);
@@ -272 +273 @@
             rehashPropertyMapHashTable(sizeForKeyCount(m_offset + 1)); // This could be made more efficient by combining with the copy above. 
     }
-
+    
+    m_propertyTable->anonymousSlotCount = m_anonymousSlotCount;
     for (ptrdiff_t i = structures.size() - 2; i >= 0; --i) {
         structure = structures[i];
@@ -367 +369 @@
     }
 
-    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
+    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo(), structure->anonymousSlotCount());
 
     transition->m_cachedPrototypeChain = structure->m_cachedPrototypeChain;
@@ -380 +382 @@
 
     if (structure->m_propertyTable) {
+        ASSERT(structure->m_propertyTable->anonymousSlotCount == structure->m_anonymousSlotCount);
         if (structure->m_isPinnedPropertyTable)
             transition->m_propertyTable = structure->copyPropertyTable();
@@ -398 +401 @@
 
     transition->m_offset = offset;
-
+    ASSERT(structure->anonymousSlotCount() == transition->anonymousSlotCount());
     structure->table.add(make_pair(propertyName.ustring().rep(), attributes), transition.get(), specificValue);
     return transition.release();
@@ -416 +419 @@
 PassRefPtr<Structure> Structure::changePrototypeTransition(Structure* structure, JSValue prototype)
 {
-    RefPtr<Structure> transition = create(prototype, structure->typeInfo());
+    RefPtr<Structure> transition = create(prototype, structure->typeInfo(), structure->anonymousSlotCount());
 
     transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
@@ -428 +431 @@
     transition->m_propertyTable = structure->copyPropertyTable();
     transition->m_isPinnedPropertyTable = true;
-
+    
+    ASSERT(structure->anonymousSlotCount() == transition->anonymousSlotCount());
     return transition.release();
 }
@@ -435 +439 @@
 {
     ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount);
-    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
+    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo(), structure->anonymousSlotCount());
 
     transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
@@ -454 +458 @@
         ASSERT_UNUSED(removed, removed);
     }
-
+    
+    ASSERT(structure->anonymousSlotCount() == transition->anonymousSlotCount());
     return transition.release();
 }
@@ -460 +465 @@
 PassRefPtr<Structure> Structure::getterSetterTransition(Structure* structure)
 {
-    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
+    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo(), structure->anonymousSlotCount());
     transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
     transition->m_hasGetterSetterProperties = transition->m_hasGetterSetterProperties;
@@ -471 +476 @@
     transition->m_propertyTable = structure->copyPropertyTable();
     transition->m_isPinnedPropertyTable = true;
-
+    
+    ASSERT(structure->anonymousSlotCount() == transition->anonymousSlotCount());
     return transition.release();
 }
@@ -479 +485 @@
     ASSERT(!structure->isUncacheableDictionary());
     
-    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
+    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo(), structure->anonymousSlotCount());
     transition->m_dictionaryKind = kind;
     transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
@@ -490 +496 @@
     transition->m_isPinnedPropertyTable = true;
     
+    ASSERT(structure->anonymousSlotCount() == transition->anonymousSlotCount());
     return transition.release();
 }
@@ -523 +530 @@
         // reorder the storage, so we have to copy the current values out
         Vector<JSValue> values(propertyCount);
+        ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
         unsigned anonymousSlotCount = m_propertyTable->anonymousSlotCount;
         for (unsigned i = 0; i < propertyCount; i++) {
@@ -613 +621 @@
     if (!m_propertyTable)
         return 0;
-
+    
+    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
     size_t tableSize = PropertyMapHashTable::allocationSize(m_propertyTable->size);
     PropertyMapHashTable* newTable = static_cast<PropertyMapHashTable*>(fastMalloc(tableSize));
@@ -755 +764 @@
     if (!m_propertyTable)
         createPropertyMapHashTable();
+    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
 
     // FIXME: Consider a fast case for tables with no deleted sentinels.
@@ -849 +859 @@
     if (!m_propertyTable)
         return notFound;
-
+    
+    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
 #if DUMP_PROPERTYMAP_STATS
     ++numProbes;
@@ -913 +924 @@
 {
     ASSERT(m_propertyTable);
-
+    
+    ASSERT(m_propertyTable->anonymousSlotCount == m_anonymousSlotCount);
     unsigned i = entry.key->existingHash();
     unsigned k = 0;
@@ -963 +975 @@
     m_propertyTable->size = newTableSize;
     m_propertyTable->sizeMask = newTableSize - 1;
+    m_propertyTable->anonymousSlotCount = m_anonymousSlotCount;
 
     checkConsistency();