[Webkit-unassigned] [Bug 188151] New: We should only assert a slot for putting a new property is empty if it is from a newly allocated butterfly.
bugzilla-daemon at webkit.org
Sun Jul 29 15:45:44 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=188151
Bug ID: 188151
Summary: We should only assert a slot for putting a new property is empty if it is from a newly allocated butterfly.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
When putting a new property, JSObject::prepareToPutDirectWithoutTransition() and JSObject::putDirectInternal() currently always assert that the target slot contains an effectively empty value (and is safe for GC scanning). This assertion may be false if the slot is from the existing butterfly rather than a newly allocated one. For example, an array splice operation may shift entries in the existing butterfly and therefore leave unused property slots containing valid values. As a result, the slot for the new property may already contain a non-empty value (before the put) that is safe for GC. But because it is non-empty, it will fail the assertion.
We should fix the assertion to only do this empty check if the butterfly is actually newly allocated.
<rdar://problem/42020385>
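The scenario above, reduced to a small stand-alone model (an added example, not JavaScriptCore code): a vector stands in for the butterfly, `spliceRemove` mimics a splice that shifts entries down without clearing the vacated tail, and the two predicates compare the unconditional emptiness check with one gated on the butterfly being freshly allocated. The names `Butterfly`, `allocateButterfly`, `spliceRemove`, `oldAssertionHolds`, `fixedAssertionHolds` and `reproduce` are hypothetical.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// 0 plays the role of the "effectively empty" JSValue encoding; anything else is a live value.
using Value = uint64_t;
constexpr Value EmptyValue = 0;

struct Butterfly {
    std::vector<Value> slots;
    bool newlyAllocated;   // true only until the storage is first mutated
};

// Fresh storage: every slot empty, which is the invariant the assertion is entitled to rely on.
Butterfly allocateButterfly(size_t capacity) {
    return Butterfly{std::vector<Value>(capacity, EmptyValue), true};
}

// Model of Array.prototype.splice removing `count` entries at `index`: the tail shifts down and
// `length` shrinks, but the vacated slots keep their old (non-empty, still GC-safe) contents.
void spliceRemove(Butterfly& b, size_t& length, size_t index, size_t count) {
    for (size_t i = index; i + count < length; ++i)
        b.slots[i] = b.slots[i + count];
    length -= count;
    b.newlyAllocated = false;
}

// Current behaviour described in the report: the target slot must always be empty.
bool oldAssertionHolds(const Butterfly& b, size_t slot) {
    return b.slots[slot] == EmptyValue;
}

// Proposed behaviour: only demand emptiness when the butterfly was just allocated.
bool fixedAssertionHolds(const Butterfly& b, size_t slot) {
    return !b.newlyAllocated || b.slots[slot] == EmptyValue;
}

// Fill four slots, splice two out, then target the next free slot for a new property.
// Returns {old check passes, fixed check passes} for that slot.
std::pair<bool, bool> reproduce() {
    Butterfly b = allocateButterfly(4);
    size_t length = 4;
    for (size_t i = 0; i < length; ++i)
        b.slots[i] = 100 + i;            // constructed live values 100..103
    spliceRemove(b, length, 1, 2);       // length is now 2; slots[2] still holds 102
    size_t target = length;              // where the new property would be put
    return {oldAssertionHolds(b, target), fixedAssertionHolds(b, target)};
}
```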