Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
https://bugs.webkit.org/show_bug.cgi?id=120099
Source/JavaScriptCore:
Reviewed by Mark Hahnenberg.
JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
JSDataView may have ordinary JS indexed properties.
* runtime/ClassInfo.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::finishCreation):
* runtime/JSArrayBufferView.h:
(JSC::hasArrayBuffer):
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::buffer):
(JSC::JSArrayBufferView::neuter):
(JSC::JSArrayBufferView::byteOffset):
* runtime/JSCell.cpp:
(JSC::JSCell::slowDownAndWasteMemory):
* runtime/JSCell.h:
* runtime/JSDataView.cpp:
(JSC::JSDataView::JSDataView):
(JSC::JSDataView::create):
(JSC::JSDataView::slowDownAndWasteMemory):
* runtime/JSDataView.h:
(JSC::JSDataView::buffer):
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::::visitChildren):
(JSC::::slowDownAndWasteMemory):
LayoutTests:
Reviewed by Mark Hahnenberg.
* fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived-expected.txt: Added.
* fast/js/regress/ArrayBuffer-DataView-alloc-large-long-lived.html: Added.
* fast/js/regress/ArrayBuffer-DataView-alloc-long-lived-expected.txt: Added.
* fast/js/regress/ArrayBuffer-DataView-alloc-long-lived.html: Added.
* fast/js/regress/DataView-custom-properties-expected.txt: Added.
* fast/js/regress/DataView-custom-properties.html: Added.
* fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-large-long-lived.js: Added.
* fast/js/regress/script-tests/ArrayBuffer-DataView-alloc-long-lived.js: Added.
* fast/js/regress/script-tests/DataView-custom-properties.js: Added.
* platform/mac/TestExpectations:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154408 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/runtime/JSCell.cpp b/Source/JavaScriptCore/runtime/JSCell.cpp
index b8677c2..8bf754f 100644
--- a/Source/JavaScriptCore/runtime/JSCell.cpp
+++ b/Source/JavaScriptCore/runtime/JSCell.cpp
@@ -218,9 +218,10 @@
return false;
}
-void JSCell::slowDownAndWasteMemory(JSArrayBufferView*)
+ArrayBuffer* JSCell::slowDownAndWasteMemory(JSArrayBufferView*)
{
RELEASE_ASSERT_NOT_REACHED();
+ return 0;
}
PassRefPtr<ArrayBufferView> JSCell::getTypedArrayImpl(JSArrayBufferView*)
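Review bot: The new return type on `JSCell::slowDownAndWasteMemory` is a raw `ArrayBuffer*`, while the `getTypedArrayImpl` declaration just below it returns a `PassRefPtr`, and nothing in this hunk says who keeps the returned buffer alive. Please add a short comment here or at the declaration in JSCell.h stating that the caller does not own the pointer and which object holds the reference, so that callers of the overriding implementations do not hold it past the view's lifetime. The `return 0;` after `RELEASE_ASSERT_NOT_REACHED();` is unreachable and appears to be there only to satisfy compilers that require a return value in a non-void function; a one-line comment saying so would keep it from being read as a legitimate null result that callers need to check for.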