Changeset 229850 in webkit
- Timestamp: Mar 22, 2018 8:12:44 AM
- Location: trunk
- Files: 1 added, 3 edited
trunk/JSTests/ChangeLog
r229842 r229850 1 2018-03-22 Michael Saboff <msaboff@apple.com> 2 3 Race Condition in arrayProtoFuncReverse() causes wrong results or crash 4 https://bugs.webkit.org/show_bug.cgi?id=183901 5 6 Reviewed by Keith Miller. 7 8 New test. 9 10 * stress/array-reverse-doesnt-clobber.js: Added. 11 (testArrayReverse): 12 (createArrayOfArrays): 13 (createArrayStorage): 14 1 15 2018-03-21 Filip Pizlo <fpizlo@apple.com> 2 16 -
trunk/Source/JavaScriptCore/ChangeLog
r229842 r229850 1 2018-03-22 Michael Saboff <msaboff@apple.com> 2 3 Race Condition in arrayProtoFuncReverse() causes wrong results or crash 4 https://bugs.webkit.org/show_bug.cgi?id=183901 5 6 Reviewed by Keith Miller. 7 8 Added write barriers to ensure the reversed contents are properly marked. 9 10 * runtime/ArrayPrototype.cpp: 11 (JSC::arrayProtoFuncReverse): 12 1 13 2018-03-21 Filip Pizlo <fpizlo@apple.com> 2 14 -
trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r228576 r229850 840 840 break; 841 841 std::reverse(data, data + length); 842 if (!hasInt32(thisObject->indexingType())) 843 vm.heap.writeBarrier(thisObject); 842 844 return JSValue::encode(thisObject); 843 845 } … … 860 862 auto data = storage.vector().data(); 861 863 std::reverse(data, data + length); 864 vm.heap.writeBarrier(thisObject); 862 865 return JSValue::encode(thisObject); 863 866 }
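Review bot: In the first ArrayPrototype.cpp hunk (new lines 842-843), the guard `if (!hasInt32(thisObject->indexingType()))` carries no comment explaining why the barrier is needed after `std::reverse(data, data + length)` or why Int32 arrays are exempt. The reverse swaps elements with plain stores that bypass the usual barriered writes, which is the whole reason for the fix, so a one-line comment to that effect would keep a later cleanup from dropping the call as redundant. The test is also phrased negatively: if another indexing type that cannot hold cell pointers can reach this line it would take the barrier unnecessarily, and if only cell-holding shapes and Int32 reach it, saying so in the comment (or testing positively for the shapes that can hold cells) would make the intent checkable.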
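Review bot: In the second ArrayPrototype.cpp hunk (new line 864), `vm.heap.writeBarrier(thisObject)` is unconditional while the equivalent call at line 843 is guarded by the indexing type, and nothing in the code says why the two paths differ. A short comment noting that the `storage.vector()` path can always hold cells, so no shape check applies, would document the asymmetry. The same reverse-then-barrier pairing now appears twice in `arrayProtoFuncReverse`; consider stating the rule once near the top of the function (raw in-place mutation of the backing store must be followed by a barrier on the owner) so any further fast path added here inherits it. The JSTests ChangeLog lists `createArrayOfArrays` and `createArrayStorage`, which suggests both paths are exercised; it would help to confirm in the test that the array-storage case actually reaches this branch.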