Title: [88911] trunk/Source/_javascript_Core
- Revision: 88911
- Author: [email protected]
- Date: 2011-06-15 00:08:41 -0700 (Wed, 15 Jun 2011)
Log Message
2011-06-14 Geoffrey Garen <[email protected]>
Reviewed by Dan Bernstein.
Fixed an invalid ASSERT I found while investigating
<rdar://problem/9580254> Crash in JSC::HandleHeap::finalizeWeakHandles + 92
https://bugs.webkit.org/show_bug.cgi?id=62699
No test since we don't know of a way to get WebCore to deallocate the
next-to-finalize handle, which is also the last handle in the list,
while finalizing the second-to-last handle in the list.
* heap/HandleHeap.h:
(JSC::HandleHeap::deallocate): Don't ASSERT that m_nextToFinalize has a
non-0 next() after updating it, since it is valid to update m_nextToFinalize
to point to the tail sentinel.
Do ASSERT that m_nextToFinalize has a non-0 next() before updating it,
since it is not valid to update m_nextToFinalize to point past the tail
sentinel.
Also, use m_nextToFinalize consistently for clarity.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (88910 => 88911)
--- trunk/Source/_javascript_Core/ChangeLog 2011-06-15 07:02:58 UTC (rev 88910)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-06-15 07:08:41 UTC (rev 88911)
@@ -1,3 +1,26 @@
+2011-06-14 Geoffrey Garen <[email protected]>
+
+ Reviewed by Dan Bernstein.
+
+ Fixed an inavlid ASSERT I found while investigating
+ <rdar://problem/9580254> Crash in JSC::HandleHeap::finalizeWeakHandles + 92
+ https://bugs.webkit.org/show_bug.cgi?id=62699
+
+ No test since we don't know of a way to get WebCore to deallocate the
+ next-to-finalize handle, which is also the last handle in the list,
+ while finalizing the second-to-last handle in the list.
+
+ * heap/HandleHeap.h:
+ (JSC::HandleHeap::deallocate): Don't ASSERT that m_nextToFinalize has a
+ non-0 next() after updating it, since it is valid to update m_nextToFinalize
+ to point to the tail sentinel.
+
+ Do ASSERT that m_nextToFinalize has a non-0 next() before updating it,
+ since it is not valid to update m_nextToFinalize to point past the tail
+ sentinel.
+
+ Also, use m_nextToFinalize consistently for clarity.
+
2011-06-14 Gavin Barraclough <[email protected]>
Reviewed by Sam Weinig.
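Review bot: The first line of the new ChangeLog entry has a typo, "inavlid" should read "invalid". Separately, the "No test" paragraph explains why no regression test was added, but the entry does not say whether the reordered ASSERT has anything to do with the crash in finalizeWeakHandles that prompted the investigation. One sentence stating that this change only corrects the assertion, or that it also addresses the crash, would save the next reader from guessing.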
Modified: trunk/Source/_javascript_Core/heap/HandleHeap.h (88910 => 88911)
--- trunk/Source/_javascript_Core/heap/HandleHeap.h 2011-06-15 07:02:58 UTC (rev 88910)
+++ trunk/Source/_javascript_Core/heap/HandleHeap.h 2011-06-15 07:08:41 UTC (rev 88911)
@@ -163,8 +163,8 @@
{
Node* node = toNode(handle);
if (node == m_nextToFinalize) {
- m_nextToFinalize = node->next();
ASSERT(m_nextToFinalize->next());
+ m_nextToFinalize = m_nextToFinalize->next();
}
SentinelLinkedList<Node>::remove(node);
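Review bot: The reordered ASSERT(m_nextToFinalize->next()) in the if-block is now the only guard against advancing m_nextToFinalize past the tail sentinel, and nothing at the site says so. Since node == m_nextToFinalize inside this branch, the check amounts to "the handle being deallocated is not the tail sentinel", and the assignment that follows may legitimately leave m_nextToFinalize pointing at the tail sentinel. A short comment above the ASSERT stating both facts would keep someone from restoring the old post-update check. If ASSERT is compiled out in release builds, a violation of this precondition would leave m_nextToFinalize null there with no diagnostic, so it is worth confirming that every caller of deallocate can only pass a real handle node. The ChangeLog notes there is no test, so that comment is the only record of the invariant in the code.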