[webkit-changes] [135756] trunk/Source/JavaScriptCore

[mhahnenberg]

Title: [135756] trunk/Source/_javascript_Core

Revision

135756

Author

mhahnenb...@apple.com

Date

2012-11-26 13:00:07 -0800 (Mon, 26 Nov 2012)

Log Message

JSObject::copyButterfly doesn't handle undecided indexing types correctly
https://bugs.webkit.org/show_bug.cgi?id=102573

Reviewed by Filip Pizlo.

We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks
during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing
types. We should just do the actual memcpy from the old block to the new one.

* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSObject.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (135755 => 135756)

--- trunk/Source/_javascript_Core/ChangeLog	2012-11-26 20:49:06 UTC (rev 135755)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-11-26 21:00:07 UTC (rev 135756)
@@ -1,3 +1,17 @@
+2012-11-26  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        JSObject::copyButterfly doesn't handle undecided indexing types correctly
+        https://bugs.webkit.org/show_bug.cgi?id=102573
+
+        Reviewed by Filip Pizlo.
+
+        We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks 
+        during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing 
+        types. We should just do the actual memcpy from the old block to the new one. 
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.
+
 2012-11-26  Julien BRIANCEAU   <jbrianc...@nds.com>
 
         [sh4] _javascript_Core JIT build is broken since r135330

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (135755 => 135756)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-11-26 20:49:06 UTC (rev 135755)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-11-26 21:00:07 UTC (rev 135756)
@@ -129,13 +129,7 @@
             size_t count;
             
             switch (structure->indexingType()) {
-            case ALL_UNDECIDED_INDEXING_TYPES: {
-                currentTarget = 0;
-                currentSource = 0;
-                count = 0;
-                break;
-            }
-                
+            case ALL_UNDECIDED_INDEXING_TYPES:
             case ALL_CONTIGUOUS_INDEXING_TYPES:
             case ALL_INT32_INDEXING_TYPES:
             case ALL_DOUBLE_INDEXING_TYPES: {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes