[webkit-reviews] review granted: [Bug 131551] Deleting properties poisons objects : [Attachment 229144] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Apr 11 11:50:07 PDT 2014
Geoffrey Garen <ggaren at apple.com> has granted Mark Hahnenberg
<mhahnenberg at apple.com>'s request for review:
Bug 131551: Deleting properties poisons objects
https://bugs.webkit.org/show_bug.cgi?id=131551
Attachment 229144: Patch
https://bugs.webkit.org/attachment.cgi?id=229144&action=review
------- Additional Comments from Geoffrey Garen <ggaren at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=229144&action=review
r=me
> Source/JavaScriptCore/runtime/Structure.cpp:472
> + if (structure->m_forgivenDeletes < s_maxForgivenDeletes) {
> + Structure* transition = create(vm, structure);
Another interesting way to forgive a delete would be to notice that you were
deleting the last property added, and tradition backward. I believe we already
have all the information needed to do that, since each Structure points to its
previous, and holds the string that it added to the set of strings in the
property table (m_nameInPrevious). You would also need to verify that going
backward did not violate other invariants. For example, if going forward grew
your backing store, it might not be valid to go backward anymore.
More information about the webkit-reviews
mailing list