Commit 652ada99 authored by ggaren@apple.com's avatar ggaren@apple.com

Fixed a crash seen on the GTK 64bit buildbot.

Reviewed by Oliver Hunt.

When JSArray is allocated for the vptr stealing hack, it's not allocated
in the heap, so the JSArray constructor can't safely call Heap::heap().
Since this was subtle enough to confuse smart people, I've changed JSArray
to have an explicit vptr stealing constructor.

* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSArray.cpp:
(JSC::JSArray::JSArray):
* runtime/JSArray.h:
(JSC::JSArray::):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::storeVPtrs):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64602 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent eb9b418d
2010-08-03 Geoffrey Garen <ggaren@apple.com>
Reviewed by Oliver Hunt.
Fixed a crash seen on the GTK 64bit buildbot.
When JSArray is allocated for the vptr stealing hack, it's not allocated
in the heap, so the JSArray constructor can't safely call Heap::heap().
Since this was subtle enough to confuse smart people, I've changed JSArray
to have an explicit vptr stealing constructor.
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSArray.cpp:
(JSC::JSArray::JSArray):
* runtime/JSArray.h:
(JSC::JSArray::):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::storeVPtrs):
2010-08-03 Alex Milowski <alex@milowski.com>
Reviewed by Beth Dakin.
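Review bot: the ChangeLog entry for runtime/JSArray.h reads "(JSC::JSArray::):", the empty placeholder the ChangeLog script emits when it cannot name the changed member; fill it in with what was actually added there, for example "(JSC::JSArray::VPtrStealingHackType):" plus a short phrase about the new tag enum and constructor declaration, so the entry is useful to anyone reading the log later.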
......
......@@ -2293,7 +2293,6 @@
isa = PBXProject;
buildConfigurationList = 149C277108902AFE008A9EFC /* Build configuration list for PBXProject "JavaScriptCore" */;
compatibilityVersion = "Xcode 2.4";
developmentRegion = English;
hasScannedForEncodings = 1;
knownRegions = (
English,
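Review bot: the project.pbxproj hunk (-2293,7 +2293,6) drops one line from the PBXProject section, which has nothing to do with the JSArray crash this commit describes, and the ChangeLog lists the file without saying what changed; describe the project-file edit in the ChangeLog or land it as a separate commit so the crash fix stays easy to bisect.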
......
......@@ -126,6 +126,24 @@ inline void JSArray::checkConsistency(ConsistencyCheckType)
#endif
JSArray::JSArray(VPtrStealingHackType)
: JSObject(createStructure(jsNull()))
{
unsigned initialCapacity = 0;
ArrayStorage* storage = static_cast<ArrayStorage*>(fastZeroedMalloc(storageSize(initialCapacity)));
storage->m_allocBase = storage;
m_indexBias = 0;
setArrayStorage(storage);
m_vectorLength = initialCapacity;
checkConsistency();
// It's not safe to call Heap::heap(this) in order to report extra memory
// cost here, because the VPtrStealingHackType JSArray is not allocated on
// the heap. For the same reason, it's OK not to report extra cost.
}
JSArray::JSArray(NonNullPassRefPtr<Structure> structure)
: JSObject(structure)
{
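Review bot: the new VPtrStealingHackType constructor hand-rolls the array-storage setup (fastZeroedMalloc, m_allocBase, m_indexBias, setArrayStorage, m_vectorLength, checkConsistency) rather than sharing it with the constructor that follows; a private initializer used by both would keep the hack constructor from drifting out of step with the real ones. The comment should also state that the fastZeroedMalloc block is released only when the JSArray destructor runs, so whoever constructs a VPtrStealingHackType JSArray must destroy it explicitly (as storeVPtrs does with `jsArray->~JSCell()`), otherwise the storage leaks.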
......
......@@ -62,6 +62,9 @@ namespace JSC {
friend class Walker;
public:
enum VPtrStealingHackType { VPtrStealingHack };
JSArray(VPtrStealingHackType);
explicit JSArray(NonNullPassRefPtr<Structure>);
JSArray(NonNullPassRefPtr<Structure>, unsigned initialLength, ArrayCreationMode);
JSArray(NonNullPassRefPtr<Structure>, const ArgList& initialValues);
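Review bot: the declaration `JSArray(VPtrStealingHackType);` lacks the `explicit` that the neighbouring `explicit JSArray(NonNullPassRefPtr<Structure>);` carries; since the tag enum exists only to select this constructor, mark it explicit as well so a VPtrStealingHackType value can never implicitly convert into a JSArray that is not a real heap cell. A one-line comment on the enum saying the constructor is intended only for JSGlobalData::storeVPtrs would also help the next reader.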
......
......@@ -85,7 +85,7 @@ void JSGlobalData::storeVPtrs()
void* storage = &cell;
COMPILE_ASSERT(sizeof(JSArray) <= sizeof(CollectorCell), sizeof_JSArray_must_be_less_than_CollectorCell);
JSCell* jsArray = new (storage) JSArray(JSArray::createStructure(jsNull()));
JSCell* jsArray = new (storage) JSArray(JSArray::VPtrStealingHack);
JSGlobalData::jsArrayVPtr = jsArray->vptr();
jsArray->~JSCell();
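Review bot: the COMPILE_ASSERT name sizeof_JSArray_must_be_less_than_CollectorCell says "less than" while the condition tested is `sizeof(JSArray) <= sizeof(CollectorCell)`; rename it to something like sizeof_JSArray_must_not_exceed_CollectorCell so the message matches the check. Switching the placement-new to `JSArray(JSArray::VPtrStealingHack)` is the right fix; a short comment at `void* storage = &cell;` noting that the object is constructed into `cell` and never registered with the Heap would explain both why the plain constructor crashed here and why the explicit `jsArray->~JSCell()` is required.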
......