Changeset 230410 in webkit
- Timestamp: Apr 9, 2018 5:14:22 AM
- Location: releases/WebKitGTK/webkit-2.20
- Files: 1 added, 3 edited
releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog
r229271 r230410 1 2018-03-22 Michael Saboff <msaboff@apple.com> 2 3 Race Condition in arrayProtoFuncReverse() causes wrong results or crash 4 https://bugs.webkit.org/show_bug.cgi?id=183901 5 6 Reviewed by Keith Miller. 7 8 New test. 9 10 * stress/array-reverse-doesnt-clobber.js: Added. 11 (testArrayReverse): 12 (createArrayOfArrays): 13 (createArrayStorage): 14 1 15 2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com> 2 16 -
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog
r230397 r230410 1 2018-03-22 Michael Saboff <msaboff@apple.com> 2 3 Race Condition in arrayProtoFuncReverse() causes wrong results or crash 4 https://bugs.webkit.org/show_bug.cgi?id=183901 5 6 Reviewed by Keith Miller. 7 8 Added write barriers to ensure the reversed contents are properly marked. 9 10 * runtime/ArrayPrototype.cpp: 11 (JSC::arrayProtoFuncReverse): 12 1 13 2018-03-05 Mark Lam <mark.lam@apple.com> 2 14 -
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r225150 r230410 838 838 break; 839 839 std::reverse(data, data + length); 840 if (!hasInt32(thisObject->indexingType())) 841 vm.heap.writeBarrier(thisObject); 840 842 return JSValue::encode(thisObject); 841 843 } … … 858 860 auto data = storage.vector().data(); 859 861 std::reverse(data, data + length); 862 vm.heap.writeBarrier(thisObject); 860 863 return JSValue::encode(thisObject); 861 864 }
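Review bot: In the first ArrayPrototype.cpp hunk (new lines 840-841), the `hasInt32` exemption carries no comment saying why skipping the barrier is safe there. Please state the reason at the call site (Int32-shaped storage holds no cell references for the collector to re-scan), so that a later change to which indexing types reach this path does not silently inherit the skip. The ChangeLog line "Added write barriers to ensure the reversed contents are properly marked" explains the barrier but not the exception.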
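Review bot: In the second ArrayPrototype.cpp hunk (new line 862), the barrier is unconditional while the first hunk guards it with `hasInt32`; a one-line comment on why the array-storage path always needs it would make the asymmetry read as intended rather than as an oversight. Both sites now repeat `std::reverse(data, data + length);` followed by `vm.heap.writeBarrier(thisObject);`, so consider a small helper that performs the pair together, which keeps a future in-place mutation path from adding the reverse without the barrier.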