diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 98cdf806732f2bf84c942e484a565f9a487dc35b..2bb17bd34d96d56bf46bd5506b781c3ebce03d11 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,21 @@ +2013-08-21 Filip Pizlo + + Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView + https://bugs.webkit.org/show_bug.cgi?id=120099 + + Reviewed by Mark Hahnenberg. + + * fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived-expected.txt: Added. + * fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived.html: Added. + * fast/js/regress/ArrayBuffer-DataView-alloc-long-lived-expected.txt: Added. + * fast/js/regress/ArrayBuffer-DataView-alloc-long-lived.html: Added. + * fast/js/regress/DataView-custom-properties-expected.txt: Added. + * fast/js/regress/DataView-custom-properties.html: Added. + * fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-large-long-lived.js: Added. + * fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-long-lived.js: Added. + * fast/js/regress/script-tests/DataView-custom-properties.js: Added. + * platform/mac/TestExpectations: + 2013-08-21 Mark Hahnenberg Remove incorrect ASSERT from CopyVisitor::visitItem diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived-expected.txt b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived-expected.txt new file mode 100644 index 0000000000000000000000000000000000000000..f16458d964fd824cd78b0060d60e3c79738cbe7b --- /dev/null +++ b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived-expected.txt @@ -0,0 +1,10 @@ +JSRegress/ArrayBuffer-DataView-alloc-large-long-lived + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS no exception thrown +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived.html b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived.html new file mode 100644 index 0000000000000000000000000000000000000000..fd3262d928306ea1bfd5396afbf091414cdc1aca --- /dev/null +++ b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived.html @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-long-lived-expected.txt b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-long-lived-expected.txt new file mode 100644 index 0000000000000000000000000000000000000000..c968926681e43bf64cf199bf848e232754628e8b --- /dev/null +++ b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-long-lived-expected.txt @@ -0,0 +1,10 @@ +JSRegress/ArrayBuffer-DataView-alloc-long-lived + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS no exception thrown +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-long-lived.html b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-long-lived.html new file mode 100644 index 0000000000000000000000000000000000000000..e0cf339a648f7fad6e45d35cb5dd3f720d49a5df --- /dev/null +++ b/LayoutTests/fast/js/regress/ArrayBuffer-DataView-alloc-long-lived.html @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/LayoutTests/fast/js/regress/DataView-custom-properties-expected.txt b/LayoutTests/fast/js/regress/DataView-custom-properties-expected.txt new file mode 100644 index 0000000000000000000000000000000000000000..9d2205e4ac32792a1efbc4cf3e0555b6632b2fcf --- /dev/null +++ b/LayoutTests/fast/js/regress/DataView-custom-properties-expected.txt @@ -0,0 +1,10 @@ +JSRegress/DataView-custom-properties + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS no exception thrown +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/fast/js/regress/DataView-custom-properties.html b/LayoutTests/fast/js/regress/DataView-custom-properties.html new file mode 100644 index 0000000000000000000000000000000000000000..fcd334ef45ea8c53a0c2d979e44df3b919d51cc0 --- /dev/null +++ b/LayoutTests/fast/js/regress/DataView-custom-properties.html @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-large-long-lived.js b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-large-long-lived.js new file mode 100644 index 0000000000000000000000000000000000000000..c18cde0198ba1b068afe5c1ec9a7b1a42816271a --- /dev/null +++ b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-large-long-lived.js @@ -0,0 +1,11 @@ +var array = new Array(10000); + +for (var i = 0; i < 100000; ++i) + array[i % array.length] = new DataView(new ArrayBuffer(1000)); + +for (var i = 0; i < array.length; ++i) { + if (array[i].byteLength != 1000) + throw "Error: bad length: " + array[i].byteLength; + if (array[i].buffer.byteLength != 1000) + throw "Error: bad buffer.byteLength: " + array[i].buffer.byteLength; +} diff --git a/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-long-lived.js b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-long-lived.js new file mode 100644 index 0000000000000000000000000000000000000000..3548312f70e3c61a37522f12ad709d985566b3d3 --- /dev/null +++ b/LayoutTests/fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-long-lived.js @@ -0,0 +1,11 @@ +var array = new Array(10000); + +for (var i = 0; i < 70000; ++i) + array[i % array.length] = new DataView(new ArrayBuffer(10)); + +for (var i = 0; i < array.length; ++i) { + if (array[i].byteLength != 10) + throw "Error: bad length: " + array[i].byteLength; + if (array[i].buffer.byteLength != 10) + throw "Error: bad buffer.byteLength: " + array[i].buffer.byteLength; +} diff --git a/LayoutTests/fast/js/regress/script-tests/DataView-custom-properties.js b/LayoutTests/fast/js/regress/script-tests/DataView-custom-properties.js new file mode 100644 index 0000000000000000000000000000000000000000..3ff88dff3248cf12c631e1e7eda2bc5f651ead2c --- /dev/null +++ b/LayoutTests/fast/js/regress/script-tests/DataView-custom-properties.js @@ -0,0 +1,35 @@ +var array = new Array(10000); + +for (var i = 0; i < 100000; ++i) { + var thingy = new DataView(new ArrayBuffer(1000)); + switch (i % 3) { + case 0: + break; + case 1: + thingy.f = 42; + break; + case 2: + thingy[0] = 42; + break; + } + array[i % array.length] = thingy; +} + +for (var i = 0; i < array.length; ++i) { + if (array[i].byteLength != 1000) + throw "Error: bad length: " + array[i].byteLength; + if (array[i].buffer.byteLength != 1000) + throw "Error: bad buffer.byteLength: " + array[i].buffer.byteLength; + switch (i % 3) { + case 0: + break; + case 1: + if (array[i].f != 42) + throw "Error: bad field 'f': " + array[i].f; + break; + case 2: + if (array[i][0] != 42) + throw "Error: bad element 0: " + array[i][0]; + break; + } +} diff --git a/LayoutTests/platform/mac/TestExpectations b/LayoutTests/platform/mac/TestExpectations index 3968955f31c4e6a6fbc196f278a9e9fc8293b357..9758008c3ce3f0e9d37a7137b1ff0e245dff5b04 100644 --- a/LayoutTests/platform/mac/TestExpectations +++ b/LayoutTests/platform/mac/TestExpectations @@ -1312,4 +1312,3 @@ webkit.org/b/120085 [ Lion ] http/tests/inspector/resource-tree/resource-tree-do webkit.org/b/120087 [ Lion ] fast/forms/submit-to-url-fragment.html [ Pass Crash ] -webkit.org/b/120099 [ Debug ] fast/canvas/webgl/array-message-passing.html [ Crash ] diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog index cb04d8a556465312f791236d0bbafeb39e187a22..ad06096ec87c8a26e9c544e2c86dd6d481e620d8 100644 --- a/Source/JavaScriptCore/ChangeLog +++ b/Source/JavaScriptCore/ChangeLog @@ -1,3 +1,37 @@ +2013-08-21 Filip Pizlo + + Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView + https://bugs.webkit.org/show_bug.cgi?id=120099 + + Reviewed by Mark Hahnenberg. + + JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since + JSDataView may have ordinary JS indexed properties. + + * runtime/ClassInfo.h: + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + (JSC::JSArrayBufferView::finishCreation): + * runtime/JSArrayBufferView.h: + (JSC::hasArrayBuffer): + * runtime/JSArrayBufferViewInlines.h: + (JSC::JSArrayBufferView::buffer): + (JSC::JSArrayBufferView::neuter): + (JSC::JSArrayBufferView::byteOffset): + * runtime/JSCell.cpp: + (JSC::JSCell::slowDownAndWasteMemory): + * runtime/JSCell.h: + * runtime/JSDataView.cpp: + (JSC::JSDataView::JSDataView): + (JSC::JSDataView::create): + (JSC::JSDataView::slowDownAndWasteMemory): + * runtime/JSDataView.h: + (JSC::JSDataView::buffer): + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::::visitChildren): + (JSC::::slowDownAndWasteMemory): + 2013-08-21 Mark Hahnenberg Remove incorrect ASSERT from CopyVisitor::visitItem diff --git a/Source/JavaScriptCore/runtime/ClassInfo.h b/Source/JavaScriptCore/runtime/ClassInfo.h index 99ebb26c1fcbd06cc37168f71b53550a14144cb4..6cef13807db48328a684de65eb39fdb7c6153a30 100644 --- a/Source/JavaScriptCore/runtime/ClassInfo.h +++ b/Source/JavaScriptCore/runtime/ClassInfo.h @@ -95,7 +95,7 @@ struct MethodTable { typedef bool (*DefineOwnPropertyFunctionPtr)(JSObject*, ExecState*, PropertyName, PropertyDescriptor&, bool); DefineOwnPropertyFunctionPtr defineOwnProperty; - typedef void (*SlowDownAndWasteMemory)(JSArrayBufferView*); + typedef ArrayBuffer* (*SlowDownAndWasteMemory)(JSArrayBufferView*); SlowDownAndWasteMemory slowDownAndWasteMemory; typedef PassRefPtr (*GetTypedArrayImpl)(JSArrayBufferView*); diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp b/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp index 30acead4cffb48b0cada020449baec6d2ff43f07..555ebcbfc60eef7e4e27d68a4b675a16e869507c 100644 --- a/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp +++ b/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp @@ -96,6 +96,17 @@ JSArrayBufferView::ConstructionContext::ConstructionContext( m_butterfly = Butterfly::create(vm, 0, 0, 0, true, indexingHeader, 0); } +JSArrayBufferView::ConstructionContext::ConstructionContext( + Structure* structure, PassRefPtr arrayBuffer, + unsigned byteOffset, unsigned length, DataViewTag) + : m_structure(structure) + , m_vector(static_cast(arrayBuffer->data()) + byteOffset) + , m_length(length) + , m_mode(DataViewMode) + , m_butterfly(0) +{ +} + JSArrayBufferView::JSArrayBufferView(VM& vm, ConstructionContext& context) : Base(vm, context.structure(), context.butterfly()) , m_vector(context.vector()) @@ -116,6 +127,10 @@ void JSArrayBufferView::finishCreation(VM& vm) case WastefulTypedArray: vm.heap.addReference(this, butterfly()->indexingHeader()->arrayBuffer()); return; + case DataViewMode: + ASSERT(!butterfly()); + vm.heap.addReference(this, jsCast(this)->buffer()); + return; } RELEASE_ASSERT_NOT_REACHED(); } diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferView.h b/Source/JavaScriptCore/runtime/JSArrayBufferView.h index 68b6e7c27f5f7c5b40683be7abc21e318661d63b..b163e6aa57f1d8ca32a8932f79f595386e0b5850 100644 --- a/Source/JavaScriptCore/runtime/JSArrayBufferView.h +++ b/Source/JavaScriptCore/runtime/JSArrayBufferView.h @@ -70,8 +70,19 @@ enum TypedArrayMode { // vector allocated using who-knows-what, and M = WastefulTypedArray. // The view does not own the vector. WastefulTypedArray, + + // A data view. B is unused, V points to a vector allocated using who- + // knows-what, and M = DataViewMode. The view does not own the vector. + // There is an extra field (in JSDataView) that points to the + // ArrayBuffer. + DataViewMode }; +inline bool hasArrayBuffer(TypedArrayMode mode) +{ + return mode >= WastefulTypedArray; +} + // When WebCore uses a JSArrayBufferView, it expects to be able to get the native // ArrayBuffer and little else. This requires slowing down and wasting memory, // and then accessing things via the Butterfly. When JS uses a JSArrayBufferView @@ -110,6 +121,11 @@ protected: VM&, Structure*, PassRefPtr, unsigned byteOffset, unsigned length); + enum DataViewTag { DataView }; + ConstructionContext( + Structure*, PassRefPtr, + unsigned byteOffset, unsigned length, DataViewTag); + bool operator!() const { return !m_structure; } Structure* structure() const { return m_structure; } @@ -137,10 +153,6 @@ protected: static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode); public: - // Allocates the full-on native buffer. Also moves the data into the C heap - // if necessary. - void slowDownAndWasteMemoryIfNecessary(); - TypedArrayMode mode() const { return m_mode; } ArrayBuffer* buffer(); PassRefPtr impl(); diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h b/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h index 59c41ebbed94d67a896899a2af87afea2faa6929..705f2db309dd2d1cbe36b58e4782b7960d3a6a83 100644 --- a/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h +++ b/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h @@ -28,19 +28,20 @@ #include "ArrayBufferView.h" #include "JSArrayBufferView.h" +#include "JSDataView.h" namespace JSC { -inline void JSArrayBufferView::slowDownAndWasteMemoryIfNecessary() -{ - if (m_mode != WastefulTypedArray) - methodTable()->slowDownAndWasteMemory(this); -} - inline ArrayBuffer* JSArrayBufferView::buffer() { - slowDownAndWasteMemoryIfNecessary(); - return butterfly()->indexingHeader()->arrayBuffer(); + switch (m_mode) { + case WastefulTypedArray: + return butterfly()->indexingHeader()->arrayBuffer(); + case DataViewMode: + return jsCast(this)->buffer(); + default: + return methodTable()->slowDownAndWasteMemory(this); + } } inline PassRefPtr JSArrayBufferView::impl() @@ -50,17 +51,15 @@ inline PassRefPtr JSArrayBufferView::impl() inline void JSArrayBufferView::neuter() { - ASSERT(m_mode == WastefulTypedArray); + ASSERT(hasArrayBuffer(m_mode)); m_length = 0; m_vector = 0; } inline unsigned JSArrayBufferView::byteOffset() { - if (m_mode != WastefulTypedArray) { - ASSERT(m_mode == FastTypedArray || m_mode == OversizeTypedArray); + if (!hasArrayBuffer(m_mode)) return 0; - } ptrdiff_t delta = static_cast(m_vector) - static_cast(buffer()->data()); diff --git a/Source/JavaScriptCore/runtime/JSCell.cpp b/Source/JavaScriptCore/runtime/JSCell.cpp index b8677c2c698a7448630260b1388f69058a7a0800..8bf754f9fa8b4c8bf74802a3a3eabaecfcbffb94 100644 --- a/Source/JavaScriptCore/runtime/JSCell.cpp +++ b/Source/JavaScriptCore/runtime/JSCell.cpp @@ -218,9 +218,10 @@ bool JSCell::defineOwnProperty(JSObject*, ExecState*, PropertyName, PropertyDesc return false; } -void JSCell::slowDownAndWasteMemory(JSArrayBufferView*) +ArrayBuffer* JSCell::slowDownAndWasteMemory(JSArrayBufferView*) { RELEASE_ASSERT_NOT_REACHED(); + return 0; } PassRefPtr JSCell::getTypedArrayImpl(JSArrayBufferView*) diff --git a/Source/JavaScriptCore/runtime/JSCell.h b/Source/JavaScriptCore/runtime/JSCell.h index d2dbd41bda1ed9c3c44bf792d248f90c63962a5d..303017ab0ac5c728b5c7963e234b89358f40dddf 100644 --- a/Source/JavaScriptCore/runtime/JSCell.h +++ b/Source/JavaScriptCore/runtime/JSCell.h @@ -167,7 +167,7 @@ protected: static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, PropertyDescriptor&, bool shouldThrow); static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&); static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&); - JS_EXPORT_PRIVATE static NO_RETURN_DUE_TO_CRASH void slowDownAndWasteMemory(JSArrayBufferView*); + JS_EXPORT_PRIVATE static ArrayBuffer* slowDownAndWasteMemory(JSArrayBufferView*); JS_EXPORT_PRIVATE static PassRefPtr getTypedArrayImpl(JSArrayBufferView*); private: diff --git a/Source/JavaScriptCore/runtime/JSDataView.cpp b/Source/JavaScriptCore/runtime/JSDataView.cpp index 58efe4d006031f1edcb53f174ad6b7062285822e..77640cdaf931e00d2ab826905c215c0c89cbb2ff 100644 --- a/Source/JavaScriptCore/runtime/JSDataView.cpp +++ b/Source/JavaScriptCore/runtime/JSDataView.cpp @@ -36,8 +36,9 @@ namespace JSC { const ClassInfo JSDataView::s_info = { "DataView", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSDataView)}; -JSDataView::JSDataView(VM& vm, ConstructionContext& context) +JSDataView::JSDataView(VM& vm, ConstructionContext& context, ArrayBuffer* buffer) : Base(vm, context) + , m_buffer(buffer) { } @@ -52,10 +53,11 @@ JSDataView* JSDataView::create( return 0; } VM& vm = exec->vm(); - ConstructionContext context(vm, structure, buffer, byteOffset, byteLength); + ConstructionContext context( + structure, buffer, byteOffset, byteLength, ConstructionContext::DataView); ASSERT(context); JSDataView* result = - new (NotNull, allocateCell(vm.heap)) JSDataView(vm, context); + new (NotNull, allocateCell(vm.heap)) JSDataView(vm, context, buffer.get()); result->finishCreation(vm); return result; } @@ -95,9 +97,10 @@ bool JSDataView::getOwnPropertySlot( return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot); } -void JSDataView::slowDownAndWasteMemory(JSArrayBufferView*) +ArrayBuffer* JSDataView::slowDownAndWasteMemory(JSArrayBufferView*) { UNREACHABLE_FOR_PLATFORM(); + return 0; } PassRefPtr JSDataView::getTypedArrayImpl(JSArrayBufferView* object) diff --git a/Source/JavaScriptCore/runtime/JSDataView.h b/Source/JavaScriptCore/runtime/JSDataView.h index c141500af61fee5fe834a574f10d20c707d7fff0..950d1d678d4bc1e1e42c4b745a187fb81ac8a807 100644 --- a/Source/JavaScriptCore/runtime/JSDataView.h +++ b/Source/JavaScriptCore/runtime/JSDataView.h @@ -37,7 +37,7 @@ public: static const unsigned elementSize = 1; protected: - JSDataView(VM&, ConstructionContext&); + JSDataView(VM&, ConstructionContext&, ArrayBuffer*); public: static JSDataView* create( @@ -50,6 +50,8 @@ public: static JSDataView* create(ExecState*, Structure*, unsigned length); bool set(ExecState*, JSObject*, unsigned offset, unsigned length); + ArrayBuffer* buffer() const { return m_buffer; } + PassRefPtr typedImpl(); static const TypedArrayType TypedArrayStorageType = TypeDataView; @@ -57,13 +59,16 @@ public: protected: static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&); - static void slowDownAndWasteMemory(JSArrayBufferView*); + static ArrayBuffer* slowDownAndWasteMemory(JSArrayBufferView*); static PassRefPtr getTypedArrayImpl(JSArrayBufferView*); public: static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype); DECLARE_EXPORT_INFO; + +private: + ArrayBuffer* m_buffer; }; } // namespace JSC diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h index d02fc6ac6ec3681b2384e92c4c4b4a4ab83fcd5d..c2984a8aefb0f419c7ea341be55f462ba8ac77b8 100644 --- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h +++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h @@ -244,7 +244,7 @@ protected: // Allocates the full-on native buffer and moves data into the C heap if // necessary. Note that this never allocates in the GC heap. - static void slowDownAndWasteMemory(JSArrayBufferView*); + static ArrayBuffer* slowDownAndWasteMemory(JSArrayBufferView*); static PassRefPtr getTypedArrayImpl(JSArrayBufferView*); }; diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h index 7cc5f099cdb6dec80a55b8fc9a9c02df6f7186a2..7528df5c01e7cff697480a3132e00a478cea3189 100644 --- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h +++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h @@ -379,6 +379,10 @@ void JSGenericTypedArrayView::visitChildren(JSCell* cell, SlotVisitor& case WastefulTypedArray: break; + + case DataViewMode: + RELEASE_ASSERT_NOT_REACHED(); + break; } Base::visitChildren(thisObject, visitor); @@ -403,7 +407,7 @@ void JSGenericTypedArrayView::copyBackingStore( } template -void JSGenericTypedArrayView::slowDownAndWasteMemory(JSArrayBufferView* object) +ArrayBuffer* JSGenericTypedArrayView::slowDownAndWasteMemory(JSArrayBufferView* object) { JSGenericTypedArrayView* thisObject = jsCast(object); @@ -451,7 +455,7 @@ void JSGenericTypedArrayView::slowDownAndWasteMemory(JSArrayBufferView* buffer = ArrayBuffer::createAdopted(thisObject->m_vector, thisObject->byteLength()); break; - case WastefulTypedArray: + default: RELEASE_ASSERT_NOT_REACHED(); break; } @@ -460,6 +464,8 @@ void JSGenericTypedArrayView::slowDownAndWasteMemory(JSArrayBufferView* thisObject->m_vector = buffer->data(); thisObject->m_mode = WastefulTypedArray; heap->addReference(thisObject, buffer.get()); + + return buffer.get(); } template