Changeset 80006 in webkit
Timestamp: Mar 1, 2011 9:41:12 AM
Author: ggaren@apple.com
Message:

2011-02-28 Geoffrey Garen <ggaren@apple.com>

Reviewed by Gavin Barraclough.

Past-the-end writes in VM exceptions (caused crashes in r79627)
https://bugs.webkit.org/show_bug.cgi?id=55448
Some exceptions had the wrong structures, so they misoverestimated their
inline storage sizes.

  • runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): Use the right structure.
  • runtime/JSObject.h: (JSC::JSNonFinalObject::JSNonFinalObject): (JSC::JSFinalObject::JSFinalObject): ASSERT that our structure capacity is correct to verify this doesn't happen again.
Location: trunk/Source/JavaScriptCore
Files: 3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r79999 r80006  
     12011-02-28  Geoffrey Garen  <ggaren@apple.com>
     2
     3        Reviewed by Gavin Barraclough.
     4
     5        Past-the-end writes in VM exceptions (caused crashes in r79627)
     6        https://bugs.webkit.org/show_bug.cgi?id=55448
     7       
     8        Some exceptions had the wrong structures, so they misoverestimated their
     9        inline storage sizes.
     10
     11        * runtime/JSGlobalData.cpp:
     12        (JSC::JSGlobalData::JSGlobalData): Use the right structure.
     13
     14        * runtime/JSObject.h:
     15        (JSC::JSNonFinalObject::JSNonFinalObject):
     16        (JSC::JSFinalObject::JSFinalObject): ASSERT that our structure capacity
     17        is correct to verify this doesn't happen again.
     18
    1192011-03-01  Andras Becsi  <abecsi@webkit.org>
    220
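Review bot: "misoverestimated" in line 8 of the new ChangeLog entry reads as a typo; "overestimated" says the same thing, and matches the bug title (a structure that reports more inline storage than the object actually has leads to past-the-end writes). Otherwise the entry describes exactly the two code changes below.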
  • trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

    r79904 r80006  
    124124    , stringTable(fastNew<HashTable>(JSC::stringTable))
    125125    , activationStructure(JSActivation::createStructure(jsNull()))
    126     , interruptedExecutionErrorStructure(createEmptyObjectStructure(jsNull()))
    127     , terminatedExecutionErrorStructure(createEmptyObjectStructure(jsNull()))
     126    , interruptedExecutionErrorStructure(JSNonFinalObject::createStructure(jsNull()))
     127    , terminatedExecutionErrorStructure(JSNonFinalObject::createStructure(jsNull()))
    128128    , staticScopeStructure(JSStaticScopeObject::createStructure(jsNull()))
    129129    , strictEvalActivationStructure(StrictEvalActivation::createStructure(jsNull()))
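Review bot: the fix relies on an invariant the hunk leaves implicit: a structure's propertyStorageCapacity() has to match the inline storage of the object class it is installed on, and createEmptyObjectStructure(jsNull()) evidently does not yield the JSNonFinalObject capacity, which is what produced the past-the-end writes. Only interruptedExecutionErrorStructure and terminatedExecutionErrorStructure are corrected here, so it is worth checking whether createEmptyObjectStructure() is used for any other non-final object structure in this constructor or elsewhere. The neighbouring context lines (activationStructure, staticScopeStructure, strictEvalActivationStructure) all use the owning class's own createStructure, so the change also brings these two in line with that convention.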
  • trunk/Source/JavaScriptCore/runtime/JSObject.h

    r79355 r80006  
    324324        {
    325325            ASSERT(!(OBJECT_OFFSETOF(JSNonFinalObject, m_inlineStorage) % sizeof(double)));
     326            ASSERT(this->structure()->propertyStorageCapacity() == JSNonFinalObject_inlineStorageCapacity);
    326327        }
    327328
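Review bot: the new ASSERT at line 326 is compiled out in release builds, so it detects a capacity mismatch during debug testing rather than preventing the out-of-bounds write in shipping code; that is fine as a regression guard, but the ChangeLog wording "verify this doesn't happen again" should not be read as a release-mode safeguard. Placing the check in the constructor is the right spot, since it fires on the first object created with a mismatched structure.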
     
    351352        {
    352353            ASSERT(OBJECT_OFFSETOF(JSFinalObject, m_inlineStorage) % sizeof(double) == 0);
     354            ASSERT(this->structure()->propertyStorageCapacity() == JSFinalObject_inlineStorageCapacity);
    353355        }
    354356
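Review bot: style: the pre-existing context line 353 writes the alignment check as `... % sizeof(double) == 0` while the JSNonFinalObject constructor above writes it as `!(... % sizeof(double))`; since this change touches both constructors anyway, it is a convenient moment to make the two consistent. The new ASSERT at line 354 mirrors the one added for JSNonFinalObject and, like it, is debug-only.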