Changeset 128667 in webkit for trunk/Source/JavaScriptCore


Timestamp:
Sep 14, 2012, 4:13:07 PM (13 years ago)
Author:
[email protected]
Message:

bbc homepage crashes immediately
https://bugs.webkit.org/show_bug.cgi?id=96812
<rdar://problem/12081386>

Reviewed by Oliver Hunt.

If you use the old storage pointer to write to space you thought was newly allocated,
you're going to have a bad time.

  • runtime/JSArray.cpp:
    (JSC::JSArray::unshiftCount):
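The stale-pointer pattern the message describes, as an added example that is not part of the WebKit change or of JavaScriptCore's code: a toy array whose slow path reallocates its element block, with the local `storage` pointer either re-read after the slow case (what r128667 does) or left pointing at the old block. `ToyStorage`, `ToyArray`, `Outcome` and `unshiftAndCheck` are names invented for this example; the retired block is deliberately kept alive so the stale write shows up as a bounds-check failure or wrong contents instead of a use-after-free.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

// Toy model of an array whose elements live in a separately allocated block,
// in the spirit of JSC's ArrayStorage. All names are assumptions for this
// example, not JavaScriptCore's real types.
struct ToyStorage {
    size_t indexBias = 0;    // spare slots in front of element 0
    size_t vectorLength = 0; // number of live elements
    std::vector<int> vector; // indexBias + vectorLength slots
};

class ToyArray {
public:
    static constexpr int kHole = -1; // marker written into freshly opened slots

    ToyArray(const std::vector<int>& values, size_t frontSlack)
        : m_storage(std::make_unique<ToyStorage>())
    {
        m_storage->indexBias = frontSlack;
        m_storage->vectorLength = values.size();
        m_storage->vector.assign(frontSlack, 0);
        m_storage->vector.insert(m_storage->vector.end(), values.begin(), values.end());
    }

    ToyStorage* arrayStorage() { return m_storage.get(); }
    size_t length() const { return m_storage->vectorLength; }
    int at(size_t i) const { return m_storage->vector.at(m_storage->indexBias + i); }

    // Slow path: allocate a bigger block and move the elements so that `count`
    // slots are free at the front. Any pointer to the previous block is stale
    // once this returns true. The old block is parked in m_retired rather than
    // freed so a stale write misbehaves deterministically (bounds-checked throw
    // or lost update) instead of being undefined behaviour in this demo.
    bool unshiftCountSlowCase(size_t count)
    {
        if (count > kMaxGrowth)
            return false; // simulated allocation failure
        auto fresh = std::make_unique<ToyStorage>();
        fresh->vectorLength = m_storage->vectorLength + count;
        fresh->vector.assign(fresh->vectorLength, 0);
        for (size_t i = 0; i < m_storage->vectorLength; ++i)
            fresh->vector[count + i] = m_storage->vector[m_storage->indexBias + i];
        m_retired = std::move(m_storage);
        m_storage = std::move(fresh);
        return true;
    }

    // Same shape as JSArray::unshiftCount: fast path when there is slack in
    // front, slow path otherwise, then initialise the new front slots through
    // the local `storage` pointer. refetchAfterSlowCase toggles the r128667 fix.
    bool unshiftCount(size_t count, bool refetchAfterSlowCase)
    {
        ToyStorage* storage = arrayStorage();
        if (storage->indexBias >= count) {
            storage->indexBias -= count;
            storage->vectorLength += count;
        } else if (unshiftCountSlowCase(count)) {
            if (refetchAfterSlowCase)
                storage = arrayStorage(); // re-read: the block has moved
        } else {
            return false; // out of memory
        }
        // Without the re-read these writes land in the retired block.
        for (size_t i = 0; i < count; ++i)
            storage->vector.at(storage->indexBias + i) = kHole;
        return true;
    }

private:
    static constexpr size_t kMaxGrowth = 1024;
    std::unique_ptr<ToyStorage> m_storage;
    std::unique_ptr<ToyStorage> m_retired;
};

enum class Outcome { Ok, OutOfMemory, WrongContents, StaleWriteFault };

// Runs one unshift and reports what a caller would observe afterwards.
Outcome unshiftAndCheck(const std::vector<int>& values, size_t frontSlack, size_t count, bool refetch)
{
    ToyArray array(values, frontSlack);
    try {
        if (!array.unshiftCount(count, refetch))
            return Outcome::OutOfMemory;
    } catch (const std::out_of_range&) {
        return Outcome::StaleWriteFault; // stand-in for the crash in the bug report
    }
    for (size_t i = 0; i < count; ++i)
        if (array.at(i) != ToyArray::kHole)
            return Outcome::WrongContents; // front slots never initialised
    for (size_t i = 0; i < values.size(); ++i)
        if (array.at(count + i) != values[i])
            return Outcome::WrongContents;
    return Outcome::Ok;
}

int main()
{
    std::cout << "with re-read ok: " << (unshiftAndCheck({1, 2, 3}, 0, 4, true) == Outcome::Ok) << "\n";
    std::cout << "stale pointer faults: " << (unshiftAndCheck({1, 2, 3}, 0, 4, false) == Outcome::StaleWriteFault) << "\n";
    return 0;
}
```

The fast path never reallocates, so the stale pointer is harmless there; only the slow path moves the block, which is why the fix touches just the success branch of `unshiftCountSlowCase`.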

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r128658 r128667  
     12012-09-14  Filip Pizlo  <[email protected]>
     2
     3        bbc homepage crashes immediately
     4        https://bugs.webkit.org/show_bug.cgi?id=96812
     5        <rdar://problem/12081386>
     6
     7        Reviewed by Oliver Hunt.
     8
     9        If you use the old storage pointer to write to space you thought was newly allocated,
     10        you're going to have a bad time.
     11
     12        * runtime/JSArray.cpp:
     13        (JSC::JSArray::unshiftCount):
     14
    1152012-09-14  Adam Barth  <[email protected]>
    216
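Review bot: The ChangeLog entry names the symptom and the general principle but not the concrete mechanism: `unshiftCountSlowCase` can reallocate the array storage, and `unshiftCount` kept using the `storage` pointer captured before the call. Stating that, and that the fix re-reads `arrayStorage()` once the slow case succeeds, would make this entry far easier to find from the history than "you're going to have a bad time".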
  • trunk/Source/JavaScriptCore/runtime/JSArray.cpp

    r128428 r128667  
    550550        storage->m_indexBias -= count;
    551551        storage->setVectorLength(storage->vectorLength() + count);
    552     } else if (!unshiftCountSlowCase(exec->globalData(), count)) {
     552    } else if (unshiftCountSlowCase(exec->globalData(), count))
     553        storage = arrayStorage();
     554    else {
    553555        throwOutOfMemoryError(exec);
    554556        return true;
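Review bot: The re-read `storage = arrayStorage();` on the success branch of `unshiftCountSlowCase` is the whole fix and deserves a one-line comment saying the slow case reallocates the storage, so the pointer captured at the top of the function is stale from here on; without that comment the next refactor can easily fold the branches back into `if (!unshiftCountSlowCase(...))` and reintroduce the write through freed memory. It is also worth confirming that no other local derived from the old `storage` (a cached vector pointer or length) is held across this call, since the same staleness applies to it.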