Changeset 36753 in webkit for trunk/JavaScriptCore/kjs/Arguments.cpp

Timestamp:

Sep 21, 2008, 5:42:11 PM (17 years ago)

Author:

Darin Adler

Message:

2008-09-21 Darin Adler <Darin Adler>

Reviewed by Cameron Zwarich.

• fix crash logging into Gmail due to recent Arguments change

• kjs/Arguments.cpp: (JSC::Arguments::Arguments): Fix window where mark() function could see d->extraArguments with uninitialized contents. (JSC::Arguments::mark): Check d->extraArguments for 0 to handle two cases: 1) Inside the constructor before it's initialized. 2) numArguments <= numParameters.

File:

• trunk/JavaScriptCore/kjs/Arguments.cpp (modified) (2 diffs)

trunk/JavaScriptCore/kjs/Arguments.cpp

@@ -65 +65 @@
     if (d->numArguments > d->numParameters) {
         unsigned numExtraArguments = d->numArguments - d->numParameters;
-        d->extraArguments.set(new JSValue*[numExtraArguments]);
+        JSValue** extraArguments = new JSValue*[numExtraArguments];
         for (unsigned i = 0; i < numExtraArguments; ++i)
-            d->extraArguments[i] = argv[d->numParameters + i].getJSValue();
+            extraArguments[i] = argv[d->numParameters + i].getJSValue();
+        d->extraArguments.set(extraArguments);
     }
 }
@@ -79 +80 @@
     JSObject::mark();
 
-    unsigned numExtraArguments = d->numArguments - d->numParameters;
-    for (unsigned i = 0; i < numExtraArguments; ++i) {
-        if (!d->extraArguments[i]->marked())
-            d->extraArguments[i]->mark();
+    if (d->extraArguments) {
+        unsigned numExtraArguments = d->numArguments - d->numParameters;
+        for (unsigned i = 0; i < numExtraArguments; ++i) {
+            if (!d->extraArguments[i]->marked())
+                d->extraArguments[i]->mark();
+        }
     }