Changeset 166217 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.cpp

Timestamp:

Mar 24, 2014, 8:27:46 PM (11 years ago)

Author:

[email protected]

Message:

Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
when WebKit is compiled with fcatch-undefined-behavior
​https://bugs.webkit.org/show_bug.cgi?id=130652

Reviewed by Mark Hahnenberg.

Use a static member function because the butterfly we pass in might be
NULL, and passing NULL to a member function is undefined behavior.

Stylistically, I think this new way reads a little more clearly, since it
matches createOrGrowArrayRight, and it helps to convey that m_butterfly
might not exist yet.

• runtime/Butterfly.h:
• runtime/ButterflyInlines.h:

(JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
because we might create. Split out the create path to avoid using NULL
in a member function expression.

Removed some unused versions of this function.

• runtime/JSObject.cpp:

(JSC::JSObject::growOutOfLineStorage): Updated for interface change.

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2439 +2439 @@
     // capacity, since we might have already mutated the structure in-place.
     
-    return m_butterfly->growPropertyStorage(vm, this, structure(vm), oldSize, newSize);
+    return Butterfly::createOrGrowPropertyStorage(m_butterfly.get(), vm, this, structure(vm), oldSize, newSize);
 }