<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[169758] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/169758">169758</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2014-06-10 13:29:29 -0700 (Tue, 10 Jun 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
&lt;https://webkit.org/b/133356&gt;

Reviewed by Mark Hahnenberg.


Source/JavaScriptCore: 
The root cause of this issue is that a nonPropertyTransition can transition
a pinned dictionary structure to an unpinned dictionary structure.  The new
structure will get a copy of the property table from the original structure.
However, when a GC occurs, the property table in the new structure will be
cleared because it is unpinned.  This leads to complications in subsequent
derivative structures when flattening occurs, which eventually leads to the
assertion failure in this bug.

The fix is to ensure that the new dictionary structure generated by the
nonPropertyTransition will have a copy of its predecessor's property table
and is pinned.

* runtime/Structure.cpp:
(JSC::Structure::nonPropertyTransition):

LayoutTests: 
* TestExpectations:
- Undoing expectation for js/primitive-property-access-edge-cases.html now
  that the bug is fixed.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructurecpp">trunk/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (169757 => 169758)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2014-06-10 20:00:14 UTC (rev 169757)
+++ trunk/LayoutTests/ChangeLog        2014-06-10 20:29:29 UTC (rev 169758)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2014-06-10  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
+        &lt;https://webkit.org/b/133356&gt;
+
+        Reviewed by Mark Hahnenberg.
+
+        * TestExpectations:
+        - Undoing expectation for js/primitive-property-access-edge-cases.html now
+          that the bug is fixed.
+
</ins><span class="cx"> 2014-06-10  Alexey Proskuryakov  &lt;ap@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         platform/mac-wk2/plugins/destroy-during-async-npp-new.html is flaky
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (169757 => 169758)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2014-06-10 20:00:14 UTC (rev 169757)
+++ trunk/LayoutTests/TestExpectations        2014-06-10 20:29:29 UTC (rev 169758)
</span><span class="lines">@@ -127,6 +127,4 @@
</span><span class="cx"> webkit.org/b/132791 svg/as-object/sizing/svg-in-object-placeholder-height-percentage.html [ Skip ]
</span><span class="cx"> webkit.org/b/132791 svg/as-object/sizing/svg-in-object-placeholder-height-auto.html [ Skip ]
</span><span class="cx"> 
</span><del>-webkit.org/b/133356 js/primitive-property-access-edge-cases.html [ Pass Crash ]
-
</del><span class="cx"> webkit.org/b/133057 fast/table/border-collapsing/collapsed-borders-adjoining-sections.html [ ImageOnlyFailure ]
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (169757 => 169758)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-06-10 20:00:14 UTC (rev 169757)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-06-10 20:29:29 UTC (rev 169758)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2014-06-10  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
+        &lt;https://webkit.org/b/133356&gt;
+
+        Reviewed by Mark Hahnenberg.
+
+        The root cause of this issue is that a nonPropertyTransition can transition
+        a pinned dictionary structure to an unpinned dictionary structure.  The new
+        structure will get a copy of the property table from the original structure.
+        However, when a GC occurs, the property table in the new structure will be
+        cleared because it is unpinned.  This leads to complications in subsequent
+        derivative structures when flattening occurs, which eventually leads to the
+        assertion failure in this bug.
+
+        The fix is to ensure that the new dictionary structure generated by the
+        nonPropertyTransition will have a copy of its predecessor's property table
+        and is pinned.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::nonPropertyTransition):
+
</ins><span class="cx"> 2014-06-10  Michael Saboff  &lt;msaboff@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         In a certain app state, Array.prototype.filter() returns incorrect results
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructurecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (169757 => 169758)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.cpp        2014-06-10 20:00:14 UTC (rev 169757)
+++ trunk/Source/JavaScriptCore/runtime/Structure.cpp        2014-06-10 20:29:29 UTC (rev 169758)
</span><span class="lines">@@ -654,7 +654,8 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    if (Structure* existingTransition = structure-&gt;m_transitionTable.get(0, attributes)) {
</del><ins>+    Structure* existingTransition;
+    if (!structure-&gt;isDictionary() &amp;&amp; (existingTransition = structure-&gt;m_transitionTable.get(0, attributes))) {
</ins><span class="cx">         ASSERT(existingTransition-&gt;m_attributesInPrevious == attributes);
</span><span class="cx">         ASSERT(existingTransition-&gt;indexingTypeIncludingHistory() == indexingType);
</span><span class="cx">         return existingTransition;
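Review bot: `existingTransition` is now declared uninitialized and assigned only on the right-hand side of the `&amp;&amp;`, so it is indeterminate whenever `structure-&gt;isDictionary()` is true; that is safe as long as nothing after the `if` reads it, but nesting the original declaration-in-condition form inside `if (!structure-&gt;isDictionary())` would keep the variable scoped to the block and make the intent explicit. A short comment would also help here: dictionary structures skip the transition-table lookup because each non-property transition from a dictionary must produce its own pinned structure with its own copy of the property table (per the log message), rather than reuse a cached transition whose unpinned table could be cleared by GC.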
</span><span class="lines">@@ -667,7 +668,9 @@
</span><span class="cx">     transition-&gt;m_offset = structure-&gt;m_offset;
</span><span class="cx">     checkOffset(transition-&gt;m_offset, transition-&gt;inlineCapacity());
</span><span class="cx">     
</span><del>-    {
</del><ins>+    if (structure-&gt;isDictionary())
+        transition-&gt;pin();
+    else {
</ins><span class="cx">         ConcurrentJITLocker locker(structure-&gt;m_lock);
</span><span class="cx">         structure-&gt;m_transitionTable.add(vm, transition);
</span><span class="cx">     }
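Review bot: pinning the transition instead of registering it in `m_transitionTable` is what keeps the copied property table alive across GC for the dictionary case, and it is consistent with the first hunk, which no longer consults the table when the source structure is a dictionary. Two things to confirm that this hunk does not show: that the copy of the predecessor's property table happens before `transition-&gt;pin()` in this function, since pinning a structure whose table has not been materialized would not give the behaviour the log message describes; and that the transition inherits the dictionary kind from `structure`, so the new structure is itself handled as a dictionary by later flattening. Style-wise the `if (...) stmt; else { ... }` form is fine, but a one-line comment above `transition-&gt;pin()` saying why dictionary transitions are pinned rather than cached would save the next reader a trip to webkit.org/b/133356.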
</span></span></pre>
</div>
</div>

</body>
</html>