Assertion failure at JSC::Structure::checkOffsetConsistency() const +…

… 234. <https://webkit.org/b/133356> Reviewed by Mark Hahnenberg. Source/JavaScriptCore: The root cause of this issue is that a nonPropertyTransition can transition a pinned dictionary structure to an unpinned dictionary structure. The new structure will get a copy of the property table from the original structure. However, when a GC occurs, the property table in the new structure will be cleared because it is unpinned. This leads to complications in subsequent derivative structures when flattening occurs, which eventually leads to the assertion failure in this bug. The fix is to ensure that the new dictionary structure generated by the nonPropertyTransition will have a copy of its predecessor's property table and is pinned. * runtime/Structure.cpp: (JSC::Structure::nonPropertyTransition): LayoutTests: * TestExpectations: - Undoing expectation for js/primitive-property-access-edge-cases.html now that the bug is fixed. Canonical link: https://commits.webkit.org/151668@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@169758 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 10, 2014 · 17d9a4c · 17d9a4c
1 parent 33b06a0
commit 17d9a4c
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 4 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2014-06-10  Mark Lam  <mark.lam@apple.com>
+
+        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
+        <https://webkit.org/b/133356>
+
+        Reviewed by Mark Hahnenberg.
+
+        * TestExpectations:
+        - Undoing expectation for js/primitive-property-access-edge-cases.html now
+          that the bug is fixed.
+
 2014-06-10  Alexey Proskuryakov  <ap@apple.com>
 
         platform/mac-wk2/plugins/destroy-during-async-npp-new.html is flaky

diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations
@@ -127,6 +127,4 @@ webkit.org/b/132791 svg/as-object/sizing/svg-in-object-placeholder-height-fixed.
 webkit.org/b/132791 svg/as-object/sizing/svg-in-object-placeholder-height-percentage.html [ Skip ]
 webkit.org/b/132791 svg/as-object/sizing/svg-in-object-placeholder-height-auto.html [ Skip ]
 
-webkit.org/b/133356 js/primitive-property-access-edge-cases.html [ Pass Crash ]
-
 webkit.org/b/133057 fast/table/border-collapsing/collapsed-borders-adjoining-sections.html [ ImageOnlyFailure ]
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,25 @@
+2014-06-10  Mark Lam  <mark.lam@apple.com>
+
+        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
+        <https://webkit.org/b/133356>
+
+        Reviewed by Mark Hahnenberg.
+
+        The root cause of this issue is that a nonPropertyTransition can transition
+        a pinned dictionary structure to an unpinned dictionary structure.  The new
+        structure will get a copy of the property table from the original structure.
+        However, when a GC occurs, the property table in the new structure will be
+        cleared because it is unpinned.  This leads to complications in subsequent
+        derivative structures when flattening occurs, which eventually leads to the
+        assertion failure in this bug.
+
+        The fix is to ensure that the new dictionary structure generated by the
+        nonPropertyTransition will have a copy of its predecessor's property table
+        and is pinned.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::nonPropertyTransition):
+
 2014-06-10  Michael Saboff  <msaboff@apple.com>
 
         In a certain app state, Array.prototype.filter() returns incorrect results

diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -654,7 +654,8 @@ Structure* Structure::nonPropertyTransition(VM& vm, Structure* structure, NonPro
         }
     }
 
-    if (Structure* existingTransition = structure->m_transitionTable.get(0, attributes)) {
+    Structure* existingTransition;
+    if (!structure->isDictionary() && (existingTransition = structure->m_transitionTable.get(0, attributes))) {
         ASSERT(existingTransition->m_attributesInPrevious == attributes);
         ASSERT(existingTransition->indexingTypeIncludingHistory() == indexingType);
         return existingTransition;
@@ -667,7 +668,9 @@ Structure* Structure::nonPropertyTransition(VM& vm, Structure* structure, NonPro
     transition->m_offset = structure->m_offset;
     checkOffset(transition->m_offset, transition->inlineCapacity());
 
-    {
+    if (structure->isDictionary())
+        transition->pin();
+    else {
         ConcurrentJITLocker locker(structure->m_lock);
         structure->m_transitionTable.add(vm, transition);
     }