Changeset 230264 in webkit
- Timestamp: Apr 4, 2018 10:42:11 AM (6 years ago)
- Location: trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r230226 r230264 1 2018-04-03 Filip Pizlo <fpizlo@apple.com> 2 3 JSArray::appendMemcpy seems to be missing a barrier 4 https://bugs.webkit.org/show_bug.cgi?id=184290 5 6 Reviewed by Mark Lam. 7 8 If you write to an array that may contain pointers and you didn't just allocate it, then you need to 9 barrier right after. 10 11 I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that 12 obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt. 13 14 * runtime/JSArray.cpp: 15 (JSC::JSArray::appendMemcpy): 16 1 17 2018-04-03 Filip Pizlo <fpizlo@apple.com> 2 18 -
trunk/Source/JavaScriptCore/runtime/JSArray.cpp
r230144 r230264 555 555 } else if (type == ArrayWithDouble) 556 556 memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength); 557 else 557 else { 558 558 memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength); 559 vm.heap.writeBarrier(this); 560 } 559 561 560 562 return true;
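Review bot: The ChangeLog entry lists only runtime/JSArray.cpp and states that it is not known whether any caller of appendMemcpy actually needs the barrier, so the change lands without a test and without a record of which callers were looked at. Suggest naming the callers that were checked in the entry, or tracking that audit in bug 184290, so a later reader can tell whether this fixed a reachable bug or is defensive hardening.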
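Review bot: In JSArray.cpp the added `vm.heap.writeBarrier(this);` (new line 559) has no comment saying why only the final `else` branch gets it. The ChangeLog gives the rule (a write into an array that may contain pointers and was not just allocated needs a barrier right after), so a one-line comment at the call stating that rule, and that the ArrayWithDouble branch is exempt because it copies through `contiguousDouble()`, would keep a later edit from dropping the barrier or adding a pointer-carrying branch without one. The body of the branch that closes at line 555 is not visible in this hunk, so it is worth confirming that it either stores no pointers or already has its own barrier.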