Timestamp:
Sep 14, 2012, 4:13:07 PM (13 years ago)
Author:
[email protected]
Message:

bbc homepage crashes immediately
https://bugs.webkit.org/show_bug.cgi?id=96812
<rdar://problem/12081386>

Reviewed by Oliver Hunt.

If you use the old storage pointer to write to space you thought was newly allocated,
you're going to have a bad time.

  • runtime/JSArray.cpp:

(JSC::JSArray::unshiftCount):
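The hazard the commit message names, as an added C++ example that is not JavaScriptCore's code: a hypothetical dense array whose element buffer is reallocated on growth, with the stale-pointer ordering shown beside the corrected one. Every identifier here (DenseArray, ensureCapacity, unshiftCountStale, unshiftCount, demoUnshift, growthMovesStorage) is an assumption for illustration; the stale variant is included only for contrast and is never called, because executing it writes to freed memory.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical minimal dense array: a heap buffer reallocated when it must
// grow. It stands in for an engine's array storage; it is not JSC's code.
struct DenseArray {
    int64_t* storage = nullptr;  // element buffer; its address changes on growth
    size_t length = 0;           // live elements
    size_t capacity = 0;         // allocated slots
};

// Grow the buffer if needed. Returns true when it reallocated, in which case
// every pointer taken into the old buffer is stale: that buffer is freed.
bool ensureCapacity(DenseArray& a, size_t needed) {
    if (needed <= a.capacity) return false;
    size_t newCapacity = needed > a.capacity * 2 ? needed : a.capacity * 2;
    int64_t* fresh = new int64_t[newCapacity]();
    if (a.length) std::memcpy(fresh, a.storage, a.length * sizeof(int64_t));
    delete[] a.storage;
    a.storage = fresh;
    a.capacity = newCapacity;
    return true;
}

// The bug class from the commit message: the storage pointer is cached before
// growth and used afterwards. When ensureCapacity reallocates, the shift and
// the fill below both land in freed memory. Shown for contrast; never called.
void unshiftCountStale(DenseArray& a, size_t count, int64_t fill) {
    int64_t* storage = a.storage;                 // cached too early
    ensureCapacity(a, a.length + count);          // may free 'storage'
    std::memmove(storage + count, storage, a.length * sizeof(int64_t));  // use-after-free
    for (size_t i = 0; i < count; ++i) storage[i] = fill;                 // use-after-free
    a.length += count;
}

// Corrected ordering: grow first, then take the pointer from the array, so
// the shift and the fill always target the buffer that is actually live.
void unshiftCount(DenseArray& a, size_t count, int64_t fill) {
    ensureCapacity(a, a.length + count);
    int64_t* storage = a.storage;                 // read after growth
    std::memmove(storage + count, storage, a.length * sizeof(int64_t));
    for (size_t i = 0; i < count; ++i) storage[i] = fill;
    a.length += count;
}

// Builds [10, 20] with no slack capacity, prepends three 7s (which forces a
// reallocation) and returns the resulting contents: [7, 7, 7, 10, 20].
std::vector<int64_t> demoUnshift() {
    DenseArray a;
    ensureCapacity(a, 2);
    a.storage[0] = 10;
    a.storage[1] = 20;
    a.length = 2;
    unshiftCount(a, 3, 7);
    std::vector<int64_t> out(a.storage, a.storage + a.length);
    delete[] a.storage;
    return out;
}

// Confirms the condition the fix guards against: growth moves the buffer, so
// the address recorded before ensureCapacity differs from the live one.
bool growthMovesStorage() {
    DenseArray a;
    ensureCapacity(a, 2);
    uintptr_t before = reinterpret_cast<uintptr_t>(a.storage);
    bool grew = ensureCapacity(a, 5);
    bool moved = before != reinterpret_cast<uintptr_t>(a.storage);
    delete[] a.storage;
    return grew && moved;
}

int main() {
    assert(demoUnshift() == std::vector<int64_t>({7, 7, 7, 10, 20}));
    assert(growthMovesStorage());
    return 0;
}
```

The rule the corrected function follows is the general one: any pointer derived from a buffer that a call may reallocate (or that a moving collector may relocate) must be re-read from its owner after that call, not carried across it. In a real build, AddressSanitizer flags the stale variant's first write as a heap-use-after-free, which is the cheapest way to catch this class of bug before it reaches a live page.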

File:
1 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r128658 r128667  
     12012-09-14  Filip Pizlo  <[email protected]>
     2
     3        bbc homepage crashes immediately
     4        https://bugs.webkit.org/show_bug.cgi?id=96812
     5        <rdar://problem/12081386>
     6
     7        Reviewed by Oliver Hunt.
     8
     9        If you use the old storage pointer to write to space you thought was newly allocated,
     10        you're going to have a bad time.
     11
     12        * runtime/JSArray.cpp:
     13        (JSC::JSArray::unshiftCount):
     14
    1152012-09-14  Adam Barth  <[email protected]>
    216
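Review bot: The ChangeLog entry describes the hazard ("If you use the old storage pointer to write to space you thought was newly allocated") but not what changed in JSC::JSArray::unshiftCount; one sentence stating the actual fix (for instance, that the storage pointer is now re-read after the reallocation rather than before it) would let the entry stand on its own for anyone reading history without the diff. The entry also lists no regression test for a crash reproduced on a live site; either add the test to the entry or note why none is practical.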