Butterfly::growArrayRight shouldn't be called on null Butterfly objects

https://bugs.webkit.org/show_bug.cgi?id=105221

Reviewed by Filip Pizlo.

Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
objects purely by coincidence. We should add a new static function that null checks the old
Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
use in the couple of places in JSObject that expect such behavior to work.

* runtime/Butterfly.h:
(Butterfly):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowArrayRight):
(JSC):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137961 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: I643bc988f3e25b6f05be4e99f19fd2dc609152e4
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

4 files changed, 33 insertions, 3 deletions

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 411570a9f..350874b43 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,24 @@
+2012-12-17  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Butterfly::growArrayRight shouldn't be called on null Butterfly objects
+        https://bugs.webkit.org/show_bug.cgi?id=105221
+
+        Reviewed by Filip Pizlo.
+
+        Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly 
+        objects purely by coincidence. We should add a new static function that null checks the old 
+        Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for 
+        use in the couple of places in JSObject that expect such behavior to work.
+
+        * runtime/Butterfly.h:
+        (Butterfly):
+        * runtime/ButterflyInlines.h:
+        (JSC::Butterfly::createOrGrowArrayRight):
+        (JSC):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::createInitialIndexedStorage):
+        (JSC::JSObject::createArrayStorage):
+
 2013-01-02  Simon Hausmann  <simon.hausmann@digia.com>
 
         [MinGW-w64] Centralize workaround for pow() implementation
diff --git a/Source/JavaScriptCore/runtime/Butterfly.h b/Source/JavaScriptCore/runtime/Butterfly.h
index 4b8d53f7e..bbbda9461 100644
--- a/Source/JavaScriptCore/runtime/Butterfly.h
+++ b/Source/JavaScriptCore/runtime/Butterfly.h
@@ -110,7 +110,9 @@ public:
 
     void* base(size_t preCapacity, size_t propertyCapacity) { return propertyStorage() - propertyCapacity - preCapacity; }
     void* base(Structure*);
-    
+
+    static Butterfly* createOrGrowArrayRight(Butterfly*, JSGlobalData&, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes); 
+
     // The butterfly reallocation methods perform the reallocation itself but do not change any
     // of the meta-data to reflect that the reallocation occurred. Note that this set of
     // methods is not exhaustive and is not intended to encapsulate all possible allocation
diff --git a/Source/JavaScriptCore/runtime/ButterflyInlines.h b/Source/JavaScriptCore/runtime/ButterflyInlines.h
index 9167497a4..f01458950 100644
--- a/Source/JavaScriptCore/runtime/ButterflyInlines.h
+++ b/Source/JavaScriptCore/runtime/ButterflyInlines.h
@@ -99,6 +99,13 @@ inline Butterfly* Butterfly::growPropertyStorage(JSGlobalData& globalData, Struc
         globalData, oldStructure, oldStructure->outOfLineCapacity(), newPropertyCapacity);
 }
 
+inline Butterfly* Butterfly::createOrGrowArrayRight(Butterfly* oldButterfly, JSGlobalData& globalData, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes)
+{
+    if (!oldButterfly)
+        return create(globalData, 0, propertyCapacity, true, IndexingHeader(), newIndexingPayloadSizeInBytes);
+    return oldButterfly->growArrayRight(globalData, oldStructure, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes, newIndexingPayloadSizeInBytes);
+}
+
 inline Butterfly* Butterfly::growArrayRight(JSGlobalData& globalData, Structure* oldStructure, size_t propertyCapacity, bool hadIndexingHeader, size_t oldIndexingPayloadSizeInBytes, size_t newIndexingPayloadSizeInBytes)
 {
     ASSERT_UNUSED(oldStructure, !indexingHeader()->preCapacity(oldStructure));
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index dc73e04b0..1b3d71cfd 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -610,7 +610,7 @@ Butterfly* JSObject::createInitialIndexedStorage(JSGlobalData& globalData, unsig
     ASSERT(!structure()->needsSlowPutIndexing());
     ASSERT(!indexingShouldBeSparse());
     unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
-    Butterfly* newButterfly = m_butterfly->growArrayRight(
+    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(m_butterfly, 
         globalData, structure(), structure()->outOfLineCapacity(), false, 0,
         elementSize * vectorLength);
     newButterfly->setPublicLength(length);
@@ -656,7 +656,7 @@ ArrayStorage* JSObject::createArrayStorage(JSGlobalData& globalData, unsigned le
 {
     IndexingType oldType = structure()->indexingType();
     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
-    Butterfly* newButterfly = m_butterfly->growArrayRight(
+    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(m_butterfly, 
         globalData, structure(), structure()->outOfLineCapacity(), false, 0,
         ArrayStorage::sizeFor(vectorLength));
     if (!newButterfly)