[webkit-reviews] review granted: [Bug 131551] Deleting properties poisons objects : [Attachment 229144] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 11 11:50:07 PDT 2014


Geoffrey Garen <ggaren at apple.com> has granted Mark Hahnenberg
<mhahnenberg at apple.com>'s request for review:
Bug 131551: Deleting properties poisons objects
https://bugs.webkit.org/show_bug.cgi?id=131551

Attachment 229144: Patch
https://bugs.webkit.org/attachment.cgi?id=229144&action=review

------- Additional Comments from Geoffrey Garen <ggaren at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=229144&action=review


r=me

> Source/JavaScriptCore/runtime/Structure.cpp:472
> +    if (structure->m_forgivenDeletes < s_maxForgivenDeletes) {
> +	   Structure* transition = create(vm, structure);
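Review bot: at the `m_forgivenDeletes < s_maxForgivenDeletes` check, the quoted lines do not show the counter being updated on the structure returned by `create(vm, structure)`. Please confirm the new transition ends up with an `m_forgivenDeletes` one higher than its source, otherwise the cap never takes effect. A short comment next to `s_maxForgivenDeletes` explaining why the limit exists and how its value was chosen would also help.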

Another interesting way to forgive a delete would be to notice that you were
deleting the last property added, and transition backward. I believe we already
have all the information needed to do that, since each Structure points to its
previous, and holds the string that it added to the set of strings in the
property table (m_nameInPrevious). You would also need to verify that going
backward did not violate other invariants. For example, if going forward grew
your backing store, it might not be valid to go backward anymore.
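
The backward-transition idea from the comment above, as an added sketch that is neither WebKit code nor part of the original message. It is a toy model: `previous` and `nameInPrevious` mirror the fields the comment mentions, while `storageCapacity`, `addProperty` and `structureAfterDelete` are hypothetical names, and storage growth stands in for the "other invariants" that would have to be checked.

```cpp
#include <cstddef>
#include <string>

// Toy model (assumption, not JavaScriptCore's Structure): each structure
// records where it came from and the single property name it added.
struct Structure {
    const Structure* previous;    // structure this one transitioned from
    std::string nameInPrevious;   // property added relative to `previous`
    std::size_t storageCapacity;  // hypothetical: backing-store slots in use
};

// Adding a property always moves forward to a new structure.
Structure addProperty(const Structure& from, const std::string& name,
                      std::size_t capacity) {
    return Structure{&from, name, capacity};
}

// Returns the structure to use after deleting `name`, or nullptr when going
// backward is not safe and the caller must fall back to its existing
// delete path.
const Structure* structureAfterDelete(const Structure& current,
                                      const std::string& name) {
    if (!current.previous)
        return nullptr;  // root structure: nothing to go back to
    if (current.nameInPrevious != name)
        return nullptr;  // not the most recently added property
    if (current.previous->storageCapacity != current.storageCapacity)
        return nullptr;  // forward step grew the backing store
    return current.previous;
}

int main() {
    Structure root{nullptr, "", 4};
    Structure x = addProperty(root, "x", 4);
    Structure y = addProperty(x, "y", 4);
    // Deleting "y" from {x, y} lands back on the structure for {x}.
    return structureAfterDelete(y, "y") == &x ? 0 : 1;
}
```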

