Changeset 54265 in webkit for trunk/JavaScriptCore/runtime/PropertyMapHashTable.h

Timestamp:

Feb 2, 2010, 5:13:47 PM (15 years ago)

Author:

[email protected]

Message:

2010-02-02 Oliver Hunt <​[email protected]>

Reviewed by Geoffrey Garen.

Crash in CollectorBitmap::get at nbcolympics.com
​https://bugs.webkit.org/show_bug.cgi?id=34504

This was caused by the use of m_offset to determine the offset of
a new property into the property storage. This patch corrects
the effected cases by incorporating the anonymous slot count. It
also removes the duplicate copy of anonymous slot count from the
property table as keeping this up to date merely increased the
chance of a mismatch. Finally I've added a large number of
assertions in an attempt to prevent such a bug from happening
again.

With the new assertions in place the existing anonymous slot tests
all fail without the m_offset fixes.

• runtime/PropertyMapHashTable.h:
• runtime/Structure.cpp: (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::copyPropertyTable): (JSC::Structure::get): (JSC::Structure::put): (JSC::Structure::remove): (JSC::Structure::insertIntoPropertyMapHashTable): (JSC::Structure::createPropertyMapHashTable): (JSC::Structure::rehashPropertyMapHashTable): (JSC::Structure::checkConsistency):

File:

• trunk/JavaScriptCore/runtime/PropertyMapHashTable.h (modified) (1 diff)

trunk/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -62 +62 @@
         unsigned keyCount;
         unsigned deletedSentinelCount;
-        unsigned anonymousSlotCount;
         unsigned lastIndexUsed;
         Vector<unsigned>* deletedOffsets;