• 2010-01-31 Oliver Hunt <oliver@apple.com> · 67192765
    oliver@apple.com authored
            Reviewed by Maciej Stachowiak.
    
            JSC is failing to propagate anonymous slot count on some transitions
            https://bugs.webkit.org/show_bug.cgi?id=34321
    
            Remove secondary Structure constructor, and make Structure store a copy
            of the number of anonymous slots directly so saving an immediate allocation
            of a property map for all structures with anonymous storage, which also
            avoids the leaked property map on new property transition in the original
            version of this patch.
    
            We need to propagate the anonymous slot count otherwise we can end up
            with a structure recording incorrect information about the available and
            needed space for property storage, or alternatively incorrectly reusing
            some slots.
    
            * JavaScriptCore.exp:
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::changePrototypeTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::getterSetterTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::copyPropertyTable):
            (JSC::Structure::put):
            (JSC::Structure::remove):
            (JSC::Structure::insertIntoPropertyMapHashTable):
            (JSC::Structure::createPropertyMapHashTable):
            * runtime/Structure.h:
            (JSC::Structure::create):
            (JSC::Structure::hasAnonymousSlots):
            (JSC::Structure::anonymousSlotCount):
    2010-02-01  Oliver Hunt  <oliver@apple.com>
    
            Reviewed by Maciej Stachowiak.
    
            JSC is failing to propagate anonymous slot count on some transitions
            https://bugs.webkit.org/show_bug.cgi?id=34321
    
            Add test case for modifying DOM objects with anonymous storage.
    
            * fast/dom/Window/anonymous-slot-with-changes-expected.txt: Added.
            * fast/dom/Window/anonymous-slot-with-changes.html: Added.
    
    git-svn-id: svn://svn.chromium.org/blink/trunk@54129 bbb929c8-8fbe-4397-9dbb-9b2b20218538
anonymous-slot-with-changes.html 4.05 KB