    2010-02-02 Oliver Hunt <oliver@apple.com> · 6ff61de8
            Reviewed by Geoffrey Garen.
    
            Crash in CollectorBitmap::get at nbcolympics.com
            https://bugs.webkit.org/show_bug.cgi?id=34504
    
            This was caused by the use of m_offset to determine the offset of
            a new property into the property storage.  This patch corrects
            the affected cases by incorporating the anonymous slot count. It
            also removes the duplicate copy of anonymous slot count from the
            property table as keeping this up to date merely increased the
            chance of a mismatch.  Finally I've added a large number of
            assertions in an attempt to prevent such a bug from happening
            again.
    
            With the new assertions in place the existing anonymous slot tests
            all fail without the m_offset fixes.
    
            * runtime/PropertyMapHashTable.h:
            * runtime/Structure.cpp:
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransitionToExistingStructure):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::removePropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            (JSC::Structure::copyPropertyTable):
            (JSC::Structure::get):
            (JSC::Structure::put):
            (JSC::Structure::remove):
            (JSC::Structure::insertIntoPropertyMapHashTable):
            (JSC::Structure::createPropertyMapHashTable):
            (JSC::Structure::rehashPropertyMapHashTable):
            (JSC::Structure::checkConsistency):
    
    git-svn-id: svn://svn.chromium.org/blink/trunk@54265 bbb929c8-8fbe-4397-9dbb-9b2b20218538