Changeset 26862 in webkit for trunk/JavaScriptCore

Timestamp:

Oct 21, 2007, 10:44:14 PM (18 years ago)

Author:

bdash

Message:

2007-10-21 Mark Rowe <​[email protected]>

Reviewed by Mitz.

Fix ​http://bugs.webkit.org/show_bug.cgi?id=15603
Bug 15603: Regression(r26847): Crash when sorting an empty array from JavaScript

• kjs/array_object.cpp: (KJS::freeStorage): Reinstate null-check that was removed in r26847.

2007-10-21 Mark Rowe <​[email protected]>

Reviewed by Mitz.

Test for ​http://bugs.webkit.org/show_bug.cgi?id=15603
Bug 15603: Regression(r26847): Crash when sorting an empty array from JavaScript

• fast/js/kde/Array-expected.txt:
• fast/js/kde/resources/Array.js: Update to cover sorting an empty array.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• kjs/array_object.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-10-21  Mark Rowe  <[email protected]>
+
+        Reviewed by Mitz.
+
+        Fix http://bugs.webkit.org/show_bug.cgi?id=15603
+        Bug 15603: Regression(r26847): Crash when sorting an empty array from JavaScript
+
+        * kjs/array_object.cpp:
+        (KJS::freeStorage): Reinstate null-check that was removed in r26847.
+
 2007-10-21  Darin Adler  <[email protected]>
 

trunk/JavaScriptCore/kjs/array_object.cpp

@@ -76 +76 @@
 static inline void freeStorage(JSValue** storage)
 {
-  fastFree(storage - 2);
+    if (storage)
+        fastFree(storage - 2);
 }