Changeset 36106

Timestamp:
09/04/08 20:11:54 (3 months ago)
Author:
ggaren@apple.com
Message:

2008-09-04 Gavin Barraclough <barraclough@apple.com>

Reviewed by Geoffrey Garen.


Fixed an off-by-one error that would cause the StructureIDChain to
be one object too short.


Can't construct a test case because other factors make this not crash
(yet!).

  • kjs/StructureID.cpp: (KJS::StructureIDChain::StructureIDChain):
Location:
trunk/JavaScriptCore
Files:
2 modified

  • trunk/JavaScriptCore/ChangeLog

    r36104 r36106  
     12008-09-04  Gavin Barraclough  <barraclough@apple.com> 
     2 
     3        Reviewed by Geoffrey Garen. 
     4         
     5        Fixed an off-by-one error that would cause the StructureIDChain to 
     6        be one object too short. 
     7         
     8        Can't construct a test case because other factors make this not crash 
     9        (yet!). 
     10 
     11        * kjs/StructureID.cpp: 
     12        (KJS::StructureIDChain::StructureIDChain): 
     13 
    1142008-09-04  Kevin Ollivier  <kevino@theolliviers.com> 
    215 
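Review bot: the entry at lines 5-6 names the function but not the defect, and because line 8 says no regression test can be constructed, this ChangeLog is the only record of what went wrong; say in the "Fixed an off-by-one" paragraph that the size count stopped one short of the terminal StructureID that the fill loop cannot step past, so a reader can match the description to the split loop and trailing `m_vector[i] = structureID;` in StructureID.cpp.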
  • trunk/JavaScriptCore/kjs/StructureID.cpp

    r36032 r36106  
    110110StructureIDChain::StructureIDChain(StructureID* structureID) 
    111111{ 
    112     size_t size = 0; 
     112    size_t size = 1; 
    113113 
    114114    StructureID* tmp = structureID; 
     
    117117        tmp = static_cast<JSCell*>(tmp->prototype())->structureID(); 
    118118    } 
    119  
     119     
    120120    m_vector.set(new RefPtr<StructureID>[size]); 
    121121 
    122     for (size_t i = 0; i < size; ++i) { 
     122    size_t i; 
     123    for (i = 0; i < size - 1; ++i) { 
    123124        m_vector[i] = structureID; 
    124125        structureID = static_cast<JSObject*>(structureID->prototype())->structureID(); 
    125126    } 
     127    m_vector[i] = structureID; 
    126128} 
    127129
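Review bot: the counting walk at line 117 reaches each structure through `static_cast<JSCell*>(tmp->prototype())->structureID()` while the fill walk at new line 125 uses `static_cast<JSObject*>(structureID->prototype())->structureID()`; the `size - 1` loop plus the final `m_vector[i] = structureID;` at new line 127 is only correct if both walks stop on the same object, so use one cast type in both places and, since the ChangeLog says no test case can exercise this, add a debug ASSERT after the fill loop that the `structureID` written last is the one the counting loop ended on, rather than leaving the agreement between the two loops unchecked. Minor: new line 119 appears to differ from the old one only in trailing whitespace.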