Changeset 36106 in webkit for trunk/JavaScriptCore


Ignore:
Timestamp:
Sep 4, 2008, 8:11:54 PM (17 years ago)
Author:
[email protected]
Message:

2008-09-04 Gavin Barraclough <[email protected]>

Reviewed by Geoffrey Garen.


Fixed an off-by-one error that would cause the StructureIDChain to
be one object too short.


Can't construct a test case because other factors make this not crash
(yet!).

  • kjs/StructureID.cpp: (KJS::StructureIDChain::StructureIDChain):
Location:
trunk/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/ChangeLog

    r36104 r36106  
     12008-09-04  Gavin Barraclough  <[email protected]>
     2
     3        Reviewed by Geoffrey Garen.
     4       
     5        Fixed an off-by-one error that would cause the StructureIDChain to
     6        be one object too short.
     7       
     8        Can't construct a test case because other factors make this not crash
     9        (yet!).
     10
     11        * kjs/StructureID.cpp:
     12        (KJS::StructureIDChain::StructureIDChain):
     13
    1142008-09-04  Kevin Ollivier  <[email protected]>
    215

  • trunk/JavaScriptCore/kjs/StructureID.cpp

    r36032 r36106  
    110110StructureIDChain::StructureIDChain(StructureID* structureID)
    111111{
    112     size_t size = 0;
     112    size_t size = 1;
    113113
    114114    StructureID* tmp = structureID;
     
    117117        tmp = static_cast<JSCell*>(tmp->prototype())->structureID();
    118118    }
    119 
     119   
    120120    m_vector.set(new RefPtr<StructureID>[size]);
    121121
    122     for (size_t i = 0; i < size; ++i) {
     122    size_t i;
     123    for (i = 0; i < size - 1; ++i) {
    123124        m_vector[i] = structureID;
    124125        structureID = static_cast<JSObject*>(structureID->prototype())->structureID();
    125126    }
     127    m_vector[i] = structureID;
    126128}
    127129
Note: See TracChangeset for help on using the changeset viewer.