--- ./JavaScriptCore/interpreter/Interpreter.cpp.orig 2009-09-21 13:39:42.000000000 +0200
+++ ./JavaScriptCore/interpreter/Interpreter.cpp 2009-09-22 13:04:01.000000000 +0200
@@ -988,6 +988,10 @@ NEVER_INLINE void Interpreter::tryCacheP
// Structure transition, cache transition info
if (slot.type() == PutPropertySlot::NewProperty) {
+ if (structure->isDictionary()) {
+ vPC[0] = getOpcode(op_put_by_id_generic);
+ return;
+ }
vPC[0] = getOpcode(op_put_by_id_transition);
vPC[4] = structure->previousID();
vPC[5] = structure;
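Review bot: The new `if (structure->isDictionary())` bail-out has no comment saying why a dictionary structure must not get a cached transition, and the reader needs one because `vPC[4] = structure->previousID();` two lines later looks equally valid for any structure. Suggest `// A dictionary structure is not a stable shape, so a cached previousID->structure transition would not be reusable; fall back to the generic put.` — confirm the wording against Structure::isDictionary before committing it. The JITStubs.cpp hunk below rejects the same case together with `!prototypeChain->isCacheable()`; if the interpreter's tryCachePutByID checks the prototype chain elsewhere this is consistent, otherwise the two caches disagree on when a transition is safe to cache, which is worth a second look since the test file describes this as a crash fix. tryCachePutByID starts and ends outside the hunk.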
--- ./JavaScriptCore/jit/JITStubs.cpp.orig 2009-09-21 13:39:42.000000000 +0200
+++ ./JavaScriptCore/jit/JITStubs.cpp 2009-09-22 13:04:02.000000000 +0200
@@ -695,7 +695,7 @@ NEVER_INLINE void JITThunks::tryCachePut
// Structure transition, cache transition info
if (slot.type() == PutPropertySlot::NewProperty) {
StructureChain* prototypeChain = structure->prototypeChain(callFrame);
- if (!prototypeChain->isCacheable()) {
+ if (!prototypeChain->isCacheable() || structure->isDictionary()) {
ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
return;
}
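Review bot: The dictionary test on the changed line runs only after `structure->prototypeChain(callFrame)` has already been computed, so the new early-out for a dictionary still pays for building the chain it will never use; if prototypeChain is only needed on the caching path, checking `structure->isDictionary()` before fetching the chain avoids that. The same why-comment proposed for Interpreter.cpp belongs on this branch too, since the generic-put patch otherwise reads as a pure cacheability fallback. tryCachePutByID continues outside the hunk, so whether prototypeChain is referenced later in the function is not visible here.
```cpp
if (slot.type() == PutPropertySlot::NewProperty) {
    // A dictionary structure cannot be cached as a transition; patch to the generic put before
    // building a prototype chain we would not use.
    if (structure->isDictionary()) {
        ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
        return;
    }
    StructureChain* prototypeChain = structure->prototypeChain(callFrame);
    if (!prototypeChain->isCacheable()) {
        ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
        return;
    }
    // … unchanged: transition caching …
```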
--- ./LayoutTests/fast/js/resources/transition-cache-dictionary-crash.js.orig 2009-09-22 13:04:06.000000000 +0200
+++ ./LayoutTests/fast/js/resources/transition-cache-dictionary-crash.js 2009-09-22 13:04:06.000000000 +0200
@@ -0,0 +1,19 @@
+description("Test to ensure we don't attempt to cache new property transitions on dictionary. Passes if you don't crash.");
+
+var cacheableDictionary = {};
+for (var i = 0; i < 500; i++)
+ cacheableDictionary["a" + i] = i;
+
+function f(o) {
+ o.crash = "doom!";
+}
+f({});
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+successfullyParsed = true;
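Review bot: The loop bound `500` is what makes this test meaningful, pushing the object past the property count at which its structure becomes a dictionary, but nothing in the file says so, and a later change to that threshold would silently turn this into a test of an ordinary object. Add a comment above the loop such as `// Add enough properties that the object's structure becomes a dictionary; the exact threshold is an engine detail, so keep this well above it.` The test also passes purely by not crashing; a `shouldBe("cacheableDictionary.crash", "'doom!'")` after the repeated calls would additionally confirm the generic put path stored the value.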
--- ./LayoutTests/fast/js/transition-cache-dictionary-crash-expected.txt.orig 2009-09-22 13:04:06.000000000 +0200
+++ ./LayoutTests/fast/js/transition-cache-dictionary-crash-expected.txt 2009-09-22 13:04:06.000000000 +0200
@@ -0,0 +1,9 @@
+Test to ensure we don't attempt to cache new property transitions on dictionary. Passes if you don't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- ./LayoutTests/fast/js/transition-cache-dictionary-crash.html.orig 2009-09-22 13:04:06.000000000 +0200
+++ ./LayoutTests/fast/js/transition-cache-dictionary-crash.html 2009-09-22 13:04:06.000000000 +0200
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/transition-cache-dictionary-crash.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
\ No newline at end of file