Changeset 20991 in webkit

Timestamp:

Apr 21, 2007 1:09:45 AM (17 years ago)

Author:

bdash

Message:

2007-04-21 Mitz Pettel <​mitz@webkit.org>

Reviewed by Adam.

• fix ​http://bugs.webkit.org/show_bug.cgi?id=13428 REGRESSION (r20973-r20976): Failing ecma/Array/15.4.4.5-3.js

• fix ​http://bugs.webkit.org/show_bug.cgi?id=13429 REGRESSION (r20973-r20976): Crashing in fast/dom/plugin-attributes-enumeration.html

• kjs/array_object.cpp: (ArrayInstance::sort): Free the old storage, not the new one.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• kjs/array_object.cpp (modified) (2 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-04-21  Mitz Pettel  <mitz@webkit.org>
+
+        Reviewed by Adam.
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=13428
+          REGRESSION (r20973-r20976): Failing ecma/Array/15.4.4.5-3.js
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=13429
+          REGRESSION (r20973-r20976): Crashing in fast/dom/plugin-attributes-enumeration.html
+
+        * kjs/array_object.cpp:
+        (ArrayInstance::sort): Free the old storage, not the new one.
+
 2007-04-20  Maciej Stachowiak  <mjs@apple.com>
 

trunk/JavaScriptCore/kjs/array_object.cpp

@@ -318 +318 @@
         memcpy(storageCopy, storage, capacity * sizeof(JSValue*));
         mergesort(storageCopy, lengthNotIncludingUndefined, sizeof(JSValue *), compareByStringForQSort);
+        fastFree(storage);
         storage = storageCopy;
-        fastFree(storage);
         execForCompareByStringForQSort = oldExec;
         return;
@@ -385 +385 @@
         memcpy(storageCopy, storage, capacity * sizeof(JSValue*));
         mergesort(storageCopy, lengthNotIncludingUndefined, sizeof(JSValue *), compareWithCompareFunctionForQSort);
+        fastFree(storage);
         storage = storageCopy;
         compareWithCompareFunctionArguments = oldArgs;