Timestamp:
Mar 1, 2011, 9:41:12 AM
Author:
[email protected]
Message:

2011-02-28 Geoffrey Garen <[email protected]>

Reviewed by Gavin Barraclough.

Past-the-end writes in VM exceptions (caused crashes in r79627)
https://bugs.webkit.org/show_bug.cgi?id=55448

Some exceptions had the wrong structures, so they misoverestimated their
inline storage sizes.

  • runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): Use the right structure.
  • runtime/JSObject.h: (JSC::JSNonFinalObject::JSNonFinalObject): (JSC::JSFinalObject::JSFinalObject): ASSERT that our structure capacity is correct to verify this doesn't happen again.
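The defect the message describes is an object whose structure reports more inline property slots than the object's inline storage array actually has, so a property write that trusts the structure lands past the end of the array. The following toy model is an added example, not WebKit code: `Structure`, `ToyObject`, `kInlineStorageCapacity` and the canary are all constructed here to show, in defined behaviour, why the write escapes the array and how a capacity check at construction (the role of the ASSERTs in this changeset) refuses the mismatched structure before any write can happen.

```cpp
#include <cstddef>
#include <stdexcept>

// Hypothetical stand-in for JSC's Structure: it records how many property slots an
// object created from it is believed to have inline. Constructed for this example.
struct Structure {
    size_t propertyStorageCapacity;
};

// Constructed capacity; plays the role of JSFinalObject_inlineStorageCapacity here.
constexpr size_t kInlineStorageCapacity = 6;
constexpr long kCanary = 0x5A5A5A5AL;

// Toy object: inline property slots followed by one canary slot that stands in for
// whatever memory really follows m_inlineStorage in the heap cell.
class ToyObject {
public:
    ToyObject(const Structure* structure, bool checkCapacity)
        : m_structure(structure)
    {
        for (size_t i = 0; i < kInlineStorageCapacity; ++i)
            m_slots[i] = 0;
        m_slots[kInlineStorageCapacity] = kCanary;
        // The guard this changeset adds, in toy form: refuse an object whose structure
        // claims a different number of inline slots than the array actually has.
        if (checkCapacity && m_structure->propertyStorageCapacity != kInlineStorageCapacity)
            throw std::invalid_argument("structure capacity does not match inline storage");
    }

    // Writes the way the buggy path did: bounds come from the structure, not the array.
    // Indexing is kept inside m_slots (the canary slot) so the demonstration stays well-defined.
    void putTrustingStructure(size_t index, long value) {
        if (index >= m_structure->propertyStorageCapacity)
            throw std::out_of_range("beyond the capacity the structure reports");
        if (index > kInlineStorageCapacity)
            throw std::out_of_range("toy model reserves only one slot past the end");
        m_slots[index] = value;
    }

    bool canaryIntact() const { return m_slots[kInlineStorageCapacity] == kCanary; }

private:
    const Structure* m_structure;
    long m_slots[kInlineStorageCapacity + 1];
};

// Scenario 1: wrong structure and no construction-time check. The write to slot 6
// is "in bounds" according to the structure but lands past the inline array.
bool uncheckedWriteCorruptsNeighbour() {
    Structure wrong{kInlineStorageCapacity + 1};   // overestimates inline storage by one slot
    ToyObject obj(&wrong, /*checkCapacity=*/false);
    obj.putTrustingStructure(kInlineStorageCapacity, 42);
    return !obj.canaryIntact();
}

// Scenario 2: same wrong structure, but the capacity check is on. Construction is refused,
// so no write can ever trust the bad capacity.
bool checkedConstructionRejectsWrongStructure() {
    Structure wrong{kInlineStorageCapacity + 1};
    try {
        ToyObject obj(&wrong, /*checkCapacity=*/true);
        (void)obj;
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}

// Scenario 3: a structure with the right capacity passes the check and writes stay inside.
bool correctStructureWritesSafely() {
    Structure right{kInlineStorageCapacity};
    ToyObject obj(&right, /*checkCapacity=*/true);
    obj.putTrustingStructure(kInlineStorageCapacity - 1, 7);
    return obj.canaryIntact();
}
```

The model deliberately throws instead of asserting so that all three scenarios can run in one process; in JavaScriptCore the equivalent guard is an ASSERT, which is active only in debug builds, so the structure fix in JSGlobalData.cpp is what protects release builds and the ASSERT is what keeps the mismatch from silently returning.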
File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/JSObject.h

    r79355 r80006  
    324324        {
    325325            ASSERT(!(OBJECT_OFFSETOF(JSNonFinalObject, m_inlineStorage) % sizeof(double)));
     326            ASSERT(this->structure()->propertyStorageCapacity() == JSNonFinalObject_inlineStorageCapacity);
    326327        }
    327328
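Review bot: the new ASSERT on added line 326 is compiled out in release builds, so it documents and tests the invariant at construction time rather than stopping a past-the-end write in shipping code; the actual correction is the structure change in JSGlobalData.cpp named in the message, and this line is the regression guard for it. A short comment above the ASSERT stating why the capacity must match (m_inlineStorage is sized for JSNonFinalObject_inlineStorageCapacity, so a structure that reports more slots leads to writes beyond it) would save the next reader a trip to the bug report. Note also that the check covers only the structure passed to the constructor; a later change of structure with a different propertyStorageCapacity would not be caught here.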
     
    351352        {
    352353            ASSERT(OBJECT_OFFSETOF(JSFinalObject, m_inlineStorage) % sizeof(double) == 0);
     354            ASSERT(this->structure()->propertyStorageCapacity() == JSFinalObject_inlineStorageCapacity);
    353355        }
    354356
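Review bot: added line 354 duplicates the JSNonFinalObject check with only the capacity constant changed; a shared helper or macro (a hypothetical ASSERT_INLINE_CAPACITY_MATCHES(JSFinalObject), for instance) would keep the two from drifting apart the next time the inline-storage layout changes. Minor style point in the context: the alignment check here is written `OBJECT_OFFSETOF(JSFinalObject, m_inlineStorage) % sizeof(double) == 0` while the JSNonFinalObject version uses `!(... % sizeof(double))`; since this hunk already touches the neighbouring line, making the two consistent would be cheap.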