Title: [139482] trunk/Source/JavaScriptCore
- Revision: 139482
- Author: [email protected]
- Date: 2013-01-11 12:20:25 -0800 (Fri, 11 Jan 2013)
Log Message
Fixed some bogus PropertyOffset ASSERTs
https://bugs.webkit.org/show_bug.cgi?id=106686
Reviewed by Gavin Barraclough.
The ASSERTs were passing a JSType instead of an inlineCapacity, due to
an incomplete refactoring.
The compiler didn't catch this because both types are int underneath.
* runtime/JSObject.h:
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectLocation):
(JSC::JSObject::offsetForLocation):
* runtime/Structure.cpp:
(JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
our inline capacity, as we intended.
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (139481 => 139482)
--- trunk/Source/_javascript_Core/ChangeLog 2013-01-11 20:13:21 UTC (rev 139481)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-01-11 20:20:25 UTC (rev 139482)
@@ -1,5 +1,25 @@
2013-01-11 Geoffrey Garen <[email protected]>
+ Fixed some bogus PropertyOffset ASSERTs
+ https://bugs.webkit.org/show_bug.cgi?id=106686
+
+ Reviewed by Gavin Barraclough.
+
+ The ASSERTs were passing a JSType instead of an inlineCapacity, due to
+ an incomplete refactoring.
+
+ The compiler didn't catch this because both types are int underneath.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::getDirect):
+ (JSC::JSObject::getDirectLocation):
+ (JSC::JSObject::offsetForLocation):
+ * runtime/Structure.cpp:
+ (JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
+ our inline capacity, as we intended.
+
+2013-01-11 Geoffrey Garen <[email protected]>
+
Rename propertyOffsetFor => offsetForPropertyNumber
https://bugs.webkit.org/show_bug.cgi?id=106685
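Review bot: The runtime/JSObject.h entry lists getDirect, getDirectLocation and offsetForLocation with no per-function note, while only the Structure.cpp function carries one ("Validate against our inline capacity, as we intended"). The same description belongs on the JSObject.h functions. The entry also names the root cause (both types are int underneath) without recording any follow-up that would let the compiler catch it; a linked bug for that would be worth adding.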
Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (139481 => 139482)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2013-01-11 20:13:21 UTC (rev 139481)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2013-01-11 20:20:25 UTC (rev 139482)
@@ -504,14 +504,14 @@
JSValue getDirect(JSGlobalData& globalData, PropertyName propertyName) const
{
PropertyOffset offset = structure()->get(globalData, propertyName);
- checkOffset(offset, structure()->typeInfo().type());
+ checkOffset(offset, structure()->inlineCapacity());
return offset != invalidOffset ? getDirectOffset(offset) : JSValue();
}
WriteBarrierBase<Unknown>* getDirectLocation(JSGlobalData& globalData, PropertyName propertyName)
{
PropertyOffset offset = structure()->get(globalData, propertyName);
- checkOffset(offset, structure()->typeInfo().type());
+ checkOffset(offset, structure()->inlineCapacity());
return isValidOffset(offset) ? locationForOffset(offset) : 0;
}
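Review bot: In getDirect and getDirectLocation, checkOffset(offset, structure()->inlineCapacity()) runs before the lookup result is tested for validity, so it is called with invalidOffset whenever the property is missing. Confirm that checkOffset accepts invalidOffset, or move the call into the valid branch. The two functions also test validity differently (offset != invalidOffset in getDirect, isValidOffset(offset) in getDirectLocation); using isValidOffset in both would keep the assert and the return path in agreement.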
@@ -570,7 +570,7 @@
result = offsetInInlineStorage;
else
result = outOfLineStorage() - location + (firstOutOfLineOffset - 1);
- validateOffset(result, structure()->typeInfo().type());
+ validateOffset(result, structure()->inlineCapacity());
return result;
}
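Review bot: validateOffset(result, structure()->inlineCapacity()) still takes its second argument as a plain integer, which per the log message is what let a JSType through unnoticed. Consider giving validateOffset and checkOffset a parameter the compiler can tell apart from JSType, for example the Structure itself or a distinct inline-capacity type, so this mix-up fails to compile instead of relying on review. That matters here because result comes from pointer arithmetic on outOfLineStorage(), and an assert comparing it against the wrong bound weakens the debug-time check on that offset.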
Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (139481 => 139482)
--- trunk/Source/_javascript_Core/runtime/Structure.cpp 2013-01-11 20:13:21 UTC (rev 139481)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp 2013-01-11 20:20:25 UTC (rev 139482)
@@ -304,7 +304,7 @@
JSCell* specificValueInPrevious = existingTransition->m_specificValueInPrevious.get();
if (specificValueInPrevious && specificValueInPrevious != specificValue)
return 0;
- validateOffset(existingTransition->m_offset, structure->m_typeInfo.type());
+ validateOffset(existingTransition->m_offset, existingTransition->inlineCapacity());
offset = existingTransition->m_offset;
return existingTransition;
}
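Review bot: The replaced validateOffset call changes two things at once: the kind of argument (type() to inlineCapacity()) and the object it is read from (structure to existingTransition), and the ChangeLog only describes the first. Validating existingTransition->m_offset against existingTransition's own inline capacity is consistent, since the offset is then assigned from the same object on the next line. A one-line comment saying that the offset belongs to the transition target, and whether structure and existingTransition may differ in inline capacity, would make the intent clear.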