2010-02-02 Oliver Hunt <oliver@apple.com>

Reviewed by Geoffrey Garen. Crash in CollectorBitmap::get at nbcolympics.com https://bugs.webkit.org/show_bug.cgi?id=34504 This was caused by the use of m_offset to determine the offset of a new property into the property storage. This patch corrects the effected cases by incorporating the anonymous slot count. It also removes the duplicate copy of anonymous slot count from the property table as keeping this up to date merely increased the chance of a mismatch. Finally I've added a large number of assertions in an attempt to prevent such a bug from happening again. With the new assertions in place the existing anonymous slot tests all fail without the m_offset fixes. * runtime/PropertyMapHashTable.h: * runtime/Structure.cpp: (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::copyPropertyTable): (JSC::Structure::get): (JSC::Structure::put): (JSC::Structure::remove): (JSC::Structure::insertIntoPropertyMapHashTable): (JSC::Structure::createPropertyMapHashTable): (JSC::Structure::rehashPropertyMapHashTable): (JSC::Structure::checkConsistency): git-svn-id: svn://svn.chromium.org/blink/trunk@54265 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2010-02-02 Oliver Hunt <oliver@apple.com>
Reviewed by Geoffrey Garen. Crash in CollectorBitmap::get at nbcolympics.com https://bugs.webkit.org/show_bug.cgi?id=34504 This was caused by the use of m_offset to determine the offset of a new property into the property storage. This patch corrects the effected cases by incorporating the anonymous slot count. It also removes the duplicate copy of anonymous slot count from the property table as keeping this up to date merely increased the chance of a mismatch. Finally I've added a large number of assertions in an attempt to prevent such a bug from happening again. With the new assertions in place the existing anonymous slot tests all fail without the m_offset fixes. * runtime/PropertyMapHashTable.h: * runtime/Structure.cpp: (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::copyPropertyTable): (JSC::Structure::get): (JSC::Structure::put): (JSC::Structure::remove): (JSC::Structure::insertIntoPropertyMapHashTable): (JSC::Structure::createPropertyMapHashTable): (JSC::Structure::rehashPropertyMapHashTable): (JSC::Structure::checkConsistency): git-svn-id: svn://svn.chromium.org/blink/trunk@54265 bbb929c8-8fbe-4397-9dbb-9b2b20218538
6ff61de8 · oliver@apple.com · 04fdf4f1 · 6ff61de8 · 6ff61de8 · 6ff61de8
Commit 6ff61de8 authored Feb 03, 2010 by oliver@apple.com
4 changed files
--- a/third_party/WebKit/JavaScriptCore/ChangeLog
+++ b/third_party/WebKit/JavaScriptCore/ChangeLog
+2010-02-02  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Crash in CollectorBitmap::get at nbcolympics.com
+        https://bugs.webkit.org/show_bug.cgi?id=34504
+
+        This was caused by the use of m_offset to determine the offset of
+        a new property into the property storage.  This patch corrects
+        the effected cases by incorporating the anonymous slot count. It
+        also removes the duplicate copy of anonymous slot count from the
+        property table as keeping this up to date merely increased the
+        chance of a mismatch.  Finally I've added a large number of
+        assertions in an attempt to prevent such a bug from happening
+        again.
+
+        With the new assertions in place the existing anonymous slot tests
+        all fail without the m_offset fixes.
+
+        * runtime/PropertyMapHashTable.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::materializePropertyMap):
+        (JSC::Structure::addPropertyTransitionToExistingStructure):
+        (JSC::Structure::addPropertyTransition):
+        (JSC::Structure::removePropertyTransition):
+        (JSC::Structure::flattenDictionaryStructure):
+        (JSC::Structure::addPropertyWithoutTransition):
+        (JSC::Structure::removePropertyWithoutTransition):
+        (JSC::Structure::copyPropertyTable):
+        (JSC::Structure::get):
+        (JSC::Structure::put):
+        (JSC::Structure::remove):
+        (JSC::Structure::insertIntoPropertyMapHashTable):
+        (JSC::Structure::createPropertyMapHashTable):
+        (JSC::Structure::rehashPropertyMapHashTable):
+        (JSC::Structure::checkConsistency):
+
 2010-02-02  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Darin Adler.

--- a/third_party/WebKit/JavaScriptCore/runtime/PropertyMapHashTable.h
+++ b/third_party/WebKit/JavaScriptCore/runtime/PropertyMapHashTable.h
@@ -61,7 +61,6 @@ namespace JSC {
        unsigned size;
        unsigned keyCount;
        unsigned deletedSentinelCount;
-        unsigned anonymousSlotCount;
        unsigned lastIndexUsed;
        Vector<unsigned>* deletedOffsets;
        unsigned entryIndices[1];

--- a/third_party/WebKit/JavaScriptCore/runtime/Structure.cpp
+++ b/third_party/WebKit/JavaScriptCore/runtime/Structure.cpp
--- a/third_party/WebKit/JavaScriptCore/runtime/Structure.h
+++ b/third_party/WebKit/JavaScriptCore/runtime/Structure.h
@@ -204,6 +204,8 @@ namespace JSC {
        PropertyMapHashTable* m_propertyTable;

        uint32_t m_propertyStorageCapacity;
+
+        // m_offset does not account for anonymous slots
        signed char m_offset;

        unsigned m_dictionaryKind : 2;