diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6a1d945b42f8d5a28051f35ea49c6785ffd0dc68..98cdf806732f2bf84c942e484a565f9a487dc35b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2013-08-21 Mark Hahnenberg
+
+ Remove incorrect ASSERT from CopyVisitor::visitItem
+
+ Rubber stamped by Filip Pizlo.
+
+ Added a new test that triggered the old ASSERT. It's a useful test to have because we create
+ TypedArrays with custom properties.
+
+ * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt: Added.
+ * fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html: Added.
+ * fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js: Added.
+
 2013-08-21 Tim Horton REGRESSION(r154399): broke Mac ML debug WK1 tests > 50 crashes (Requested by thorton on #webkit).
diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt b/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt
new file mode 100644
index 0000000000000000000000000000000000000000..872091e541282c895606565180f447b45eacce98
--- /dev/null
+++ b/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented-expected.txt
@@ -0,0 +1,10 @@
+JSRegress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html b/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html
new file mode 100644
index 0000000000000000000000000000000000000000..477483fa8cf69b38d0a5c309b8487eca869c7092
--- /dev/null
+++ b/LayoutTests/fast/js/regress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js
new file mode 100644
index 0000000000000000000000000000000000000000..dd1ca9c7ee0842c63c2efb2d42b7e89d65186732
--- /dev/null
+++ b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js
@@ -0,0 +1,19 @@
+var array = new Array(10000);
+
+var fragmentedArray = [];
+
+for (var i = 0; i < 100000; ++i) {
+ var newArray = new Int8Array(new ArrayBuffer(1000));
+ if (i % 10 === 0)
+ newArray.customProperty = "foo";
+ for (var j = 0; j < 10; j++)
+ fragmentedArray = new Array(10);
+ array[i % array.length] = newArray;
+}
+
+for (var i = 0; i < array.length; ++i) {
+ if (array[i].length != 1000)
+ throw "Error: bad length: " + array[i].length;
+ if (array[i].buffer.byteLength != 1000)
+ throw "Error: bad buffer.byteLength: " + array[i].buffer.byteLength;
+}
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 860a1ea94520a28daaf04594f66fd9f92bbf6bbf..cb04d8a556465312f791236d0bbafeb39e187a22 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,12 @@
+2013-08-21 Mark Hahnenberg
+
+ Remove incorrect ASSERT from CopyVisitor::visitItem
+
+ Rubber stamped by Filip Pizlo.
+
+ * heap/CopyVisitorInlines.h:
+ (JSC::CopyVisitor::visitItem):
+
 2013-08-21 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=120127
diff --git a/Source/JavaScriptCore/heap/CopyVisitorInlines.h b/Source/JavaScriptCore/heap/CopyVisitorInlines.h
index c2a741af76e0bbd218dc23a51d6213093753d3f0..78a7565e2fee0de5f9f70be917ea5bd27f9a7641 100644
--- a/Source/JavaScriptCore/heap/CopyVisitorInlines.h
+++ b/Source/JavaScriptCore/heap/CopyVisitorInlines.h
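Review bot: The verification loop at the end of script-tests/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.js checks only `length` and `buffer.byteLength`, so it never reads back `customProperty`, which is the state the ChangeLog says this test was added to exercise. As written, the test can only fail through a debug-build assertion or a crash; if the collector mis-copied the property storage while leaving the typed-array data intact, a release build would presumably still print PASS. Because `array.length` (10000) is a multiple of 10, every surviving element at an index divisible by 10 should still carry the property, so the second loop can add `if (i % 10 === 0 && array[i].customProperty !== "foo") throw "Error: bad customProperty at index " + i;`.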
@@ -37,7 +37,6 @@ namespace JSC {
 inline void CopyVisitor::visitItem(CopyWorklistItem item)
 {
 if (item.token() == ButterflyCopyToken) {
- ASSERT(item.cell()->structure()->classInfo()->methodTable.copyBackingStore == JSObject::copyBackingStore);
 JSObject::copyBackingStore(item.cell(), *this, ButterflyCopyToken);
 return;
 }