<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184452] releases/WebKitGTK/webkit-2.4</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184452">184452</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-05-18 03:14:40 -0700 (Mon, 18 May 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/175243">r175243</a> - Crash when attempting to perform array iteration on a non-array with numeric keys not initialized.
&lt;https://webkit.org/b/137814&gt;

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

The arrayIteratorNextThunkGenerator() thunk was not checking for the case where
the butterfly may be NULL.  This was the source of the crash, and is now fixed.

In addition, it is also not checking for the case where a property named &quot;length&quot;
may have been set on the iterated object.  The thunk only checks the butterfly's
publicLength for its iteration operation.  Array objects will work fine with this
because it always updates its butterfly's publicLength when its length changes.
In the case of iterable non-Array objects, the &quot;length&quot; property will require a
look up outside of the scope of this thunk.  The fix is simply to limit the fast
case checks in this thunk to Array objects.

* jit/ThunkGenerators.cpp:
(JSC::arrayIteratorNextThunkGenerator):

LayoutTests:

* js/array-length-shortening-expected.txt: Added.
* js/array-length-shortening.html: Added.
* js/for-of-crash-expected.txt: Added.
* js/for-of-crash.html: Added.
* js/script-tests/array-length-shortening.js: Added.
(testLengthShortening):
(denseInt32Elements):
(denseDoubleElements):
(denseObjectElements):
(holeyInt32Elements):
(holeyDoubleElements):
(holeyObjectElements):
(arrayStorageInt32Elements):
(arrayStorageDoubleElements):
(arrayStorageObjectElements):
(sparseInt32Elements):
(sparseDoubleElements):
(sparseObjectElements):
* js/script-tests/for-of-crash.js: Added.
(foo):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit24SourceJavaScriptCorejitThunkGeneratorscpp">releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/jit/ThunkGenerators.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsjsarraylengthshorteningexpectedtxt">releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsjsarraylengthshorteninghtml">releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening.html</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsjsforofcrashexpectedtxt">releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsjsforofcrashhtml">releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash.html</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsjsscripttestsarraylengthshorteningjs">releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/array-length-shortening.js</a></li>
<li><a href="#releasesWebKitGTKwebkit24LayoutTestsjsscripttestsforofcrashjs">releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/for-of-crash.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit24LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (184451 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog        2015-05-18 10:04:34 UTC (rev 184451)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -1,3 +1,31 @@
</span><ins>+2014-10-27  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        Crash when attempting to perform array iteration on a non-array with numeric keys not initialized.
+        &lt;https://webkit.org/b/137814&gt;
+
+        Reviewed by Geoffrey Garen.
+
+        * js/array-length-shortening-expected.txt: Added.
+        * js/array-length-shortening.html: Added.
+        * js/for-of-crash-expected.txt: Added.
+        * js/for-of-crash.html: Added.
+        * js/script-tests/array-length-shortening.js: Added.
+        (testLengthShortening):
+        (denseInt32Elements):
+        (denseDoubleElements):
+        (denseObjectElements):
+        (holeyInt32Elements):
+        (holeyDoubleElements):
+        (holeyObjectElements):
+        (arrayStorageInt32Elements):
+        (arrayStorageDoubleElements):
+        (arrayStorageObjectElements):
+        (sparseInt32Elements):
+        (sparseDoubleElements):
+        (sparseObjectElements):
+        * js/script-tests/for-of-crash.js: Added.
+        (foo):
+
</ins><span class="cx"> 2014-10-22  Byungseon Shin  &lt;sun.shin@lge.com&gt;
</span><span class="cx"> 
</span><span class="cx">         String(new Date(Mar 30 2014 01:00:00)) is wrong in CET
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsjsarraylengthshorteningexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening-expected.txt (0 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening-expected.txt        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -0,0 +1,33 @@
</span><ins>+Tests array length shortening.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS count is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsjsarraylengthshorteninghtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening.html (0 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/js/array-length-shortening.html        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;script-tests/array-length-shortening.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsjsforofcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash-expected.txt (0 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash-expected.txt        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+Tests that for-of iteration does not crashes.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsjsforofcrashhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash.html (0 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/js/for-of-crash.html        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML//EN&quot;&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;script-tests/for-of-crash.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsjsscripttestsarraylengthshorteningjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/array-length-shortening.js (0 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/array-length-shortening.js                                (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/array-length-shortening.js        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -0,0 +1,126 @@
</span><ins>+description(
+&quot;Tests array length shortening.&quot;
+);
+
+var count;
+
+function testLengthShortening(array) {
+    array.length = 1;
+    count = 0;
+    for (var x of array) {
+        count++;
+    }
+
+    shouldBe(&quot;count&quot;, &quot;1&quot;);
+}
+
+var arr;
+
+// Test Objects with densely packed indexed properties:
+function denseInt32Elements(arr) {
+    arr[0] = 1;
+    arr[1] = 2;
+    return arr;
+}
+testLengthShortening(denseInt32Elements(Object.create(Array.prototype)));
+testLengthShortening(denseInt32Elements([]));
+
+function denseDoubleElements(arr) {
+    arr[0] = 1.5;
+    arr[1] = 2.5;
+    return arr;
+}
+testLengthShortening(denseDoubleElements(Object.create(Array.prototype)));
+testLengthShortening(denseDoubleElements([]));
+
+function denseObjectElements(arr) {
+    arr[0] = {};
+    arr[1] = {};
+    return arr;
+}
+testLengthShortening(denseObjectElements(Object.create(Array.prototype)));
+testLengthShortening(denseObjectElements([]));
+
+// Test Objects with hole-y indexed properties:
+function holeyInt32Elements(arr) {
+    arr[0] = 1;
+    arr[1] = 2;
+    arr[4] = 4;
+    return arr;
+}
+testLengthShortening(holeyInt32Elements(Object.create(Array.prototype)));
+testLengthShortening(holeyInt32Elements([]));
+
+function holeyDoubleElements(arr) {
+    arr[0] = 1.5;
+    arr[1] = 2.5;
+    arr[4] = 4.5;
+    return arr;
+}
+testLengthShortening(holeyDoubleElements(Object.create(Array.prototype)));
+testLengthShortening(holeyDoubleElements([]));
+
+function holeyObjectElements(arr) {
+    arr[0] = {};
+    arr[1] = {};
+    arr[4] = {};
+    return arr;
+}
+testLengthShortening(holeyObjectElements(Object.create(Array.prototype)));
+testLengthShortening(holeyObjectElements([]));
+
+// Test Objects with ArrayStorage indexed properties:
+function arrayStorageInt32Elements(arr) {
+    arr[0] = 1;
+    arr[1] = 2;
+    arr.unshift(100); // Force conversion to using ArrayStorage.
+    return arr;
+}
+testLengthShortening(arrayStorageInt32Elements(Object.create(Array.prototype)));
+testLengthShortening(arrayStorageInt32Elements([]));
+
+function arrayStorageDoubleElements(arr) {
+    arr[0] = 1.5;
+    arr[1] = 2.5;
+    arr.unshift(100.5); // Force conversion to using ArrayStorage.
+    return arr;
+}
+testLengthShortening(arrayStorageDoubleElements(Object.create(Array.prototype)));
+testLengthShortening(arrayStorageDoubleElements([]));
+
+function arrayStorageObjectElements(arr) {
+    arr[0] = {};
+    arr[1] = {};
+    arr.unshift({}); // Force conversion to using ArrayStorage.
+    return arr;
+}
+testLengthShortening(arrayStorageObjectElements(Object.create(Array.prototype)));
+testLengthShortening(arrayStorageObjectElements([]));
+
+// Test Objects with sparse indexed properties:
+function sparseInt32Elements(arr) {
+    arr[0] = 1;
+    arr[1] = 2;
+    arr[100000] = 100;
+    return arr;
+}
+testLengthShortening(sparseInt32Elements(Object.create(Array.prototype)));
+testLengthShortening(sparseInt32Elements([]));
+
+function sparseDoubleElements(arr) {
+    arr[0] = 1.5;
+    arr[1] = 2.5;
+    arr[100000] = 100.5;
+    return arr;
+}
+testLengthShortening(sparseDoubleElements(Object.create(Array.prototype)));
+testLengthShortening(sparseDoubleElements([]));
+
+function sparseObjectElements(arr) {
+    arr[0] = {};
+    arr[1] = {};
+    arr[100000] = {};
+    return arr;
+}
+testLengthShortening(sparseObjectElements(Object.create(Array.prototype)));
+testLengthShortening(sparseObjectElements([]));
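Review bot: the `var arr;` declaration near the top of the script is never used; every helper takes `arr` as a parameter that shadows it, so the declaration should be dropped. A comment on testLengthShortening() would also help: for the `Object.create(Array.prototype)` cases, `array.length = 1` does not truncate the indexed storage but creates an own "length" property, so the expected count of 1 only holds if iteration honours that property rather than the butterfly's publicLength, which is the second defect the ChangeLog describes; for the `[]` cases the assignment really shortens the array. Stating this in the file makes clear why each helper is run once with a non-Array and once with a real Array.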
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24LayoutTestsjsscripttestsforofcrashjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/for-of-crash.js (0 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/for-of-crash.js                                (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/js/script-tests/for-of-crash.js        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+description(
+&quot;Tests that for-of iteration does not crashes.&quot;
+);
+
+function foo() {
+    var o = Object.create(Array.prototype);
+    for (var x of o) {
+    }
+}
+foo();
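Review bot: the description string on the second line of this file, "Tests that for-of iteration does not crashes.", should read "does not crash"; the same string is the first line of js/for-of-crash-expected.txt, so both files must be changed together or the test will fail on output mismatch. A one-line comment in foo() noting that `Object.create(Array.prototype)` with no indexed properties is the iterated object without a butterfly that the ChangeLog describes would keep the test's purpose visible to later editors.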
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/ChangeLog (184451 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/ChangeLog        2015-05-18 10:04:34 UTC (rev 184451)
+++ releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/ChangeLog        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2014-10-27  Mark Lam  &lt;mark.lam@apple.com&gt;
+
+        Crash when attempting to perform array iteration on a non-array with numeric keys not initialized.
+        &lt;https://webkit.org/b/137814&gt;
+
+        Reviewed by Geoffrey Garen.
+
+        The arrayIteratorNextThunkGenerator() thunk was not checking for the case where
+        the butterfly may be NULL.  This was the source of the crash, and is now fixed.
+
+        In addition, it is also not checking for the case where a property named &quot;length&quot;
+        may have been set on the iterated object.  The thunk only checks the butterfly's
+        publicLength for its iteration operation.  Array objects will work fine with this
+        because it always updates its butterfly's publicLength when its length changes.
+        In the case of iterable non-Array objects, the &quot;length&quot; property will require a
+        look up outside of the scope of this thunk.  The fix is simply to limit the fast
+        case checks in this thunk to Array objects.
+
+        * jit/ThunkGenerators.cpp:
+        (JSC::arrayIteratorNextThunkGenerator):
+
</ins><span class="cx"> 2014-10-22  Byungseon Shin  &lt;sun.shin@lge.com&gt;
</span><span class="cx"> 
</span><span class="cx">         String(new Date(Mar 30 2014 01:00:00)) is wrong in CET
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit24SourceJavaScriptCorejitThunkGeneratorscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/jit/ThunkGenerators.cpp (184451 => 184452)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2015-05-18 10:04:34 UTC (rev 184451)
+++ releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2015-05-18 10:14:40 UTC (rev 184452)
</span><span class="lines">@@ -972,10 +972,12 @@
</span><span class="cx">     
</span><span class="cx">     jit.load8(Address(SpecializedThunkJIT::regT2, Structure::indexingTypeOffset()), SpecializedThunkJIT::regT3);
</span><span class="cx">     jit.loadPtr(Address(SpecializedThunkJIT::regT0, JSObject::butterflyOffset()), SpecializedThunkJIT::regT2);
</span><ins>+    Jump nullButterfly = jit.branchTestPtr(SpecializedThunkJIT::Zero, SpecializedThunkJIT::regT2);
</ins><span class="cx">     
</span><del>-    jit.and32(TrustedImm32(IndexingShapeMask), SpecializedThunkJIT::regT3);
</del><ins>+    Jump notDone = jit.branch32(SpecializedThunkJIT::Below, SpecializedThunkJIT::regT1, Address(SpecializedThunkJIT::regT2, Butterfly::offsetOfPublicLength()));
</ins><span class="cx"> 
</span><del>-    Jump notDone = jit.branch32(SpecializedThunkJIT::Below, SpecializedThunkJIT::regT1, Address(SpecializedThunkJIT::regT2, Butterfly::offsetOfPublicLength()));
</del><ins>+    nullButterfly.link(&amp;jit);
+
</ins><span class="cx">     // Return the termination signal to indicate that we've finished
</span><span class="cx">     jit.move(TrustedImmPtr(vm-&gt;iterationTerminator.get()), SpecializedThunkJIT::regT0);
</span><span class="cx">     jit.returnJSCell(SpecializedThunkJIT::regT0);
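Review bot: the new nullButterfly jump and the existing notDone comparison both decide termination from the butterfly (its presence and its publicLength) before anything checks that the iterated object is an Array; the Array-only restriction the ChangeLog describes appears only in the later hunks' ArrayWithUndecided/ArrayWithContiguous/ArrayWithInt32/ArrayWithDouble comparisons on the value-load path. Consider whether a non-Array object with an own "length" larger than its publicLength, or with no butterfly at all, should reach the slow path instead of returning the terminator here. Separately, removing `jit.and32(TrustedImm32(IndexingShapeMask), SpecializedThunkJIT::regT3);` is what keeps the IsArray bit in regT3 for those later comparisons; a one-line comment at that point would save the next reader from reintroducing the mask.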
</span><span class="lines">@@ -994,8 +996,8 @@
</span><span class="cx">     jit.appendFailure(jit.branch32(SpecializedThunkJIT::AboveOrEqual, SpecializedThunkJIT::regT1, Address(SpecializedThunkJIT::regT2, Butterfly::offsetOfVectorLength())));
</span><span class="cx">     
</span><span class="cx">     // So now we perform inline loads for int32, value/undecided, and double storage
</span><del>-    Jump undecidedStorage = jit.branch32(SpecializedThunkJIT::Equal, SpecializedThunkJIT::regT3, TrustedImm32(UndecidedShape));
-    Jump notContiguousStorage = jit.branch32(SpecializedThunkJIT::NotEqual, SpecializedThunkJIT::regT3, TrustedImm32(ContiguousShape));
</del><ins>+    Jump undecidedStorage = jit.branch32(SpecializedThunkJIT::Equal, SpecializedThunkJIT::regT3, TrustedImm32(ArrayWithUndecided));
+    Jump notContiguousStorage = jit.branch32(SpecializedThunkJIT::NotEqual, SpecializedThunkJIT::regT3, TrustedImm32(ArrayWithContiguous));
</ins><span class="cx">     
</span><span class="cx">     undecidedStorage.link(&amp;jit);
</span><span class="cx">     
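Review bot: the comment "So now we perform inline loads for int32, value/undecided, and double storage" above these lines is now incomplete: with the comparisons against ArrayWithUndecided and ArrayWithContiguous, the inline loads apply only to objects whose indexing type carries the IsArray bit, and a non-Array object with the same storage shape falls through notContiguousStorage and notInt32Storage to the final appendFailure. Update the comment to say the fast path is Array-only.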
</span><span class="lines">@@ -1023,14 +1025,14 @@
</span><span class="cx"> #endif
</span><span class="cx">     notContiguousStorage.link(&amp;jit);
</span><span class="cx">     
</span><del>-    Jump notInt32Storage = jit.branch32(SpecializedThunkJIT::NotEqual, SpecializedThunkJIT::regT3, TrustedImm32(Int32Shape));
</del><ins>+    Jump notInt32Storage = jit.branch32(SpecializedThunkJIT::NotEqual, SpecializedThunkJIT::regT3, TrustedImm32(ArrayWithInt32));
</ins><span class="cx">     jit.loadPtr(Address(SpecializedThunkJIT::regT0, JSObject::butterflyOffset()), SpecializedThunkJIT::regT2);
</span><span class="cx">     jit.load32(BaseIndex(SpecializedThunkJIT::regT2, SpecializedThunkJIT::regT1, SpecializedThunkJIT::TimesEight, JSValue::offsetOfPayload()), SpecializedThunkJIT::regT0);
</span><span class="cx">     jit.add32(TrustedImm32(1), Address(SpecializedThunkJIT::regT4, JSArrayIterator::offsetOfNextIndex()));
</span><span class="cx">     jit.returnInt32(SpecializedThunkJIT::regT0);
</span><span class="cx">     notInt32Storage.link(&amp;jit);
</span><span class="cx">     
</span><del>-    jit.appendFailure(jit.branch32(SpecializedThunkJIT::NotEqual, SpecializedThunkJIT::regT3, TrustedImm32(DoubleShape)));
</del><ins>+    jit.appendFailure(jit.branch32(SpecializedThunkJIT::NotEqual, SpecializedThunkJIT::regT3, TrustedImm32(ArrayWithDouble)));
</ins><span class="cx">     jit.loadPtr(Address(SpecializedThunkJIT::regT0, JSObject::butterflyOffset()), SpecializedThunkJIT::regT2);
</span><span class="cx">     jit.loadDouble(BaseIndex(SpecializedThunkJIT::regT2, SpecializedThunkJIT::regT1, SpecializedThunkJIT::TimesEight), SpecializedThunkJIT::fpRegT0);
</span><span class="cx">     jit.add32(TrustedImm32(1), Address(SpecializedThunkJIT::regT4, JSArrayIterator::offsetOfNextIndex()));
</span></span></pre>
</div>
</div>

</body>
</html>