Changeset 167729 in webkit


Timestamp:
Apr 23, 2014 3:35:16 PM (10 years ago)
Author:
mhahnenberg@apple.com
Message:

Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
https://bugs.webkit.org/show_bug.cgi?id=132079

Reviewed by Michael Saboff.

Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

Also added a test that previously triggered this bug.

  • runtime/Arguments.cpp:

(JSC::Arguments::copyBackingStore): D'oh!

  • tests/stress/arguments-copy-register-array-backing-store.js: Added.

(foo):
(bar):
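
The dangling-pointer scenario the message describes, as an added example in C that is not JavaScriptCore code: an object keeps an owning pointer to a movable backing store and a second, derived pointer into it that all argument reads go through, and a copying collector relocates the store. The names (`arguments_t`, `register_array`, `registers`, `copy_backing_store`, `HEADER_SLOTS`) and the layout are assumptions standing in for m_registerArray, m_registers and Arguments::copyBackingStore; the model places the derived pointer after the array start rather than before it as the patch does, so that the pointer arithmetic stays within one allocation and is defined C. The evacuated block is kept mapped until after the stale read so the bug shows up as a wrong value rather than undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; this is not JavaScriptCore code. It models the bug this
 * changeset fixes: an object keeps an owning pointer to a movable backing
 * store (register_array, standing in for m_registerArray) and a derived
 * pointer into it (registers, standing in for m_registers) that all reads
 * go through. When a copying collector relocates the store, both pointers
 * must be rewritten or the derived one keeps pointing at the old block. */

#define HEADER_SLOTS 2   /* assumed layout: slots that precede the arguments */

typedef struct {
    int64_t *register_array;   /* owning pointer to the whole backing store */
    int64_t *registers;        /* derived pointer: register_array + HEADER_SLOTS */
    size_t   argc;
} arguments_t;

static size_t store_bytes(size_t argc) {
    return (HEADER_SLOTS + argc) * sizeof(int64_t);
}

static void arguments_init(arguments_t *a, const int64_t *values, size_t argc) {
    a->register_array = calloc(HEADER_SLOTS + argc, sizeof(int64_t));
    memcpy(a->register_array + HEADER_SLOTS, values, argc * sizeof(int64_t));
    a->registers = a->register_array + HEADER_SLOTS;
    a->argc = argc;
}

/* Argument reads use only the derived pointer, as Arguments does with m_registers. */
static int64_t arguments_get(const arguments_t *a, size_t i) {
    return a->registers[i];
}

/* Relocate the backing store the way a copying collector would and return
 * the evacuated block. update_derived == 0 reproduces the bug (only the
 * owning pointer moves); update_derived == 1 is the fix, recomputing the
 * derived pointer from the new block just as the patch recomputes
 * m_registers from newRegisterArray. */
static int64_t *copy_backing_store(arguments_t *a, int update_derived) {
    int64_t *old = a->register_array;
    int64_t *fresh = malloc(store_bytes(a->argc));
    memcpy(fresh, old, store_bytes(a->argc));
    a->register_array = fresh;
    if (update_derived)
        a->registers = fresh + HEADER_SLOTS;
    return old;
}

/* The collector hands the evacuated block to someone else, who scribbles on it. */
static void reuse_block(int64_t *block, size_t argc) {
    memset(block, 0xAB, store_bytes(argc));
}

/* Run init -> relocate -> reuse of the old block, and return what an
 * argument read sees afterwards. The old block is only freed after the
 * read, so the stale read yields a wrong value rather than a use-after-free. */
static int64_t scenario(int update_derived) {
    static const int64_t values[] = { 42, 7, 9 };  /* constructed input */
    arguments_t a;
    arguments_init(&a, values, 3);
    int64_t *old = copy_backing_store(&a, update_derived);
    reuse_block(old, a.argc);
    int64_t seen = arguments_get(&a, 0);
    free(old);
    free(a.register_array);
    return seen;
}

int main(void) {
    printf("buggy (owning pointer only): arg0 = %lld\n", (long long)scenario(0));
    printf("fixed (both pointers):       arg0 = %lld\n", (long long)scenario(1));
    return 0;
}
```

With the buggy variant the read returns whatever the collector's next tenant wrote into the old block (0xAB bytes here); with the fixed variant it still returns 42. In a real moving collector the old block is not scribbled deterministically, which is why bugs of this kind surface only under GC pressure, as with the stress test this changeset adds.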

Location:
trunk/Source/JavaScriptCore
Files:
1 added
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r167709 r167729  
     12014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>
     2
     3        Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
     4        https://bugs.webkit.org/show_bug.cgi?id=132079
     5
     6        Reviewed by Michael Saboff.
     7
     8        Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
     9
     10        Also added a test that previously triggered this bug.
     11
     12        * runtime/Arguments.cpp:
     13        (JSC::Arguments::copyBackingStore): D'oh!
     14        * tests/stress/arguments-copy-register-array-backing-store.js: Added.
     15        (foo):
     16        (bar):
     17
    1182014-04-23  Mark Rowe  <mrowe@apple.com>
    219
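Review bot: the ChangeLog entry for (JSC::Arguments::copyBackingStore) reads only "D'oh!", which says nothing about what changed; state the change itself, e.g. "Recompute m_registers from newRegisterArray after the backing store is moved", so the log is useful without opening the diff. The rest of the entry (title, bug URL, reviewer, test file) is in order.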
  • trunk/Source/JavaScriptCore/runtime/Arguments.cpp

    r167641 r167729  
    7979            memcpy(newRegisterArray, registerArray, bytes);
    8080            thisObject->m_registerArray.setWithoutWriteBarrier(newRegisterArray);
     81            thisObject->m_registers = newRegisterArray - CallFrame::offsetFor(1) - 1;
    8182            visitor.didCopy(registerArray, bytes);
    8283        }
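Review bot: line 81 rebuilds m_registers from newRegisterArray with the fixed expression `newRegisterArray - CallFrame::offsetFor(1) - 1`, which is only correct if every path that points m_registers into m_registerArray uses exactly that offset; either confirm the allocation/tear-off path uses the identical expression, or derive the new value from the old one (`thisObject->m_registers = newRegisterArray + (thisObject->m_registers - registerArray);`) so the two cannot drift apart. The visible lines also show no check that m_registers currently points into registerArray before it is reassigned; if copyBackingStore can run while m_registers still refers to the live CallFrame rather than the torn-off array, this line would wrongly redirect it into the copy, so the guard (if one exists above line 79) is worth a comment here.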