Merge r243069 - Structure::flattenDictionary() should clear unused pr…

…operty slots. https://bugs.webkit.org/show_bug.cgi?id=195871 <rdar://problem/48959497> Reviewed by Michael Saboff. JSTests: * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added. Source/JavaScriptCore: It currently attempts to do this but fails because it's actually clearing up the preCapacity region instead. The fix is simply to account for the preCapacity when computing the start address of the property slots. * runtime/Structure.cpp: (JSC::Structure::flattenDictionaryStructure):
WebKit · Apr 8, 2019 · 3eba690 · 3eba690
1 parent 7f1db1b
commit 3eba690
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 5 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
+
 2019-03-12  Mark Lam  <mark.lam@apple.com>
 
         The HasIndexedProperty node does GC.

diff --git a/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js b/JSTests/stress/structure-flattenDictionary-should-clear-unused-property-slots.js
@@ -0,0 +1,11 @@
+// This test should not crash.
+
+var arr = [];
+arr.x = 0;
+arr.y = 0;
+delete arr["x"];
+
+for (var i = 0; i < 2; ++i)
+    arr.unshift(i);
+
+arr.z = 42;
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2019-03-18  Mark Lam  <mark.lam@apple.com>
+
+        Structure::flattenDictionary() should clear unused property slots.
+        https://bugs.webkit.org/show_bug.cgi?id=195871
+        <rdar://problem/48959497>
+
+        Reviewed by Michael Saboff.
+
+        It currently attempts to do this but fails because it's actually clearing up the
+        preCapacity region instead.  The fix is simply to account for the preCapacity
+        when computing the start address of the property slots.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
 2019-04-08  Xan Lopez  <xan@igalia.com>
 
         [CMake] Detect SSE2 at compile time

diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -778,10 +778,10 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
             (inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
 
         Butterfly* butterfly = object->butterfly();
-        memset(
-            butterfly->base(butterfly->indexingHeader()->preCapacity(this), beforeOutOfLineCapacity),
-            0,
-            (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+        size_t preCapacity = butterfly->indexingHeader()->preCapacity(this);
+        void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
+        void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
+        memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
     }