Commit 01347913 authored by fpizlo@apple.com

Structure transitions involving many (> 64) properties sometimes cause structure corruption

https://bugs.webkit.org/show_bug.cgi?id=69102

Reviewed by Darin Adler.
        
Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
don't lead to the dictionary kind being forgotten.
        
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/Structure.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96354 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 40df7f21
2011-09-29 Filip Pizlo <fpizlo@apple.com>
Structure transitions involving many (> 64) properties sometimes cause structure corruption
https://bugs.webkit.org/show_bug.cgi?id=69102
Reviewed by Darin Adler.
Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
don't lead to the dictionary kind being forgotten.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/Structure.h:
2011-09-29 Yuqiang Xian <yuqiang.xian@intel.com>
DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
......@@ -202,7 +202,7 @@ Structure::Structure(JSGlobalData& globalData, const Structure* previous)
, m_classInfo(previous->m_classInfo)
, m_propertyStorageCapacity(previous->m_propertyStorageCapacity)
, m_offset(noOffset)
, m_dictionaryKind(NoneDictionaryKind)
, m_dictionaryKind(previous->m_dictionaryKind)
, m_isPinnedPropertyTable(false)
, m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
, m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
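Review bot: The new initializer m_dictionaryKind(previous->m_dictionaryKind) inherits the dictionary kind, while the very next initializer still resets m_isPinnedPropertyTable(false), and nothing in this constructor says why one is carried over from previous and the other is not. A one-line comment stating the invariant would keep a later cleanup from reverting this. The ChangeLog entry lists only runtime/Structure.cpp and runtime/Structure.h, so please also add a regression test that pushes an object past 64 properties.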
......
......@@ -237,9 +237,9 @@ namespace JSC {
bool isValid(ExecState*, StructureChain* cachedPrototypeChain) const;
static const signed char s_maxTransitionLength = 64;
static const int s_maxTransitionLength = 64;
static const signed char noOffset = -1;
static const int noOffset = -1;
static const unsigned maxSpecificFunctionThrashCount = 3;
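Review bot: The ChangeLog text mentions only m_offset, but s_maxTransitionLength and noOffset change type here as well; please note that in the entry. Both values (64 and -1) already fit in a signed char, so the widening is for type consistency with m_offset rather than a range fix, and saying so avoids the impression that the limit of 64 itself was the problem.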
......@@ -264,7 +264,7 @@ namespace JSC {
uint32_t m_propertyStorageCapacity;
// m_offset does not account for anonymous slots
signed char m_offset;
int m_offset;
unsigned m_dictionaryKind : 2;
bool m_isPinnedPropertyTable : 1;
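Review bot: On the m_offset declaration, the existing comment ("does not account for anonymous slots") should also state the range the field is expected to hold, since the old signed char type topped out at 127 and that limit was implicit. Widening to int in front of the bitfields may also grow the object, which is worth a sentence in the ChangeLog. Code that copies m_offset into a narrower type is not visible in this hunk and should be checked separately.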
......