Changeset 90282 in webkit


Timestamp:
Jul 1, 2011 3:02:54 PM (13 years ago)
Author:
oliver@apple.com
Message:

2011-07-01 Oliver Hunt <oliver@apple.com>

IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
https://bugs.webkit.org/show_bug.cgi?id=63732

Reviewed by Gavin Barraclough.

Initialise the memory at the head of the new storage so that
GC is safe if triggered by reportExtraMemoryCost.

  • runtime/JSArray.cpp: (JSC::JSArray::increaseVectorPrefixLength):
Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r90273 r90282  
     12011-07-01  Oliver Hunt  <oliver@apple.com>
     2
     3        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
     4        https://bugs.webkit.org/show_bug.cgi?id=63732
     5
     6        Reviewed by Gavin Barraclough.
     7
     8        Initialise the memory at the head of the new storage so that
     9        GC is safe if triggered by reportExtraMemoryCost.
     10
     11        * runtime/JSArray.cpp:
     12        (JSC::JSArray::increaseVectorPrefixLength):
     13
    1142011-07-01  Oliver Hunt  <oliver@apple.com>
    215
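Review bot: the ChangeLog entry records the fix but says nothing about how it was verified; the changeset touches only ChangeLog and runtime/JSArray.cpp, so there is no regression test for the path where a collection triggered from reportExtraMemoryCost crashed in JSC::SlotVisitor::visitChildren(). Either add a test that grows an array's vector prefix under memory pressure, or state in the entry why the crash from bug 63732 is hard to reproduce deterministically and how the fix was checked by hand.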
  • trunk/Source/JavaScriptCore/runtime/JSArray.cpp

    r88503 r90282  
    639639   
    640640    fastFree(storage->m_allocBase);
    641 
     641    ASSERT(newLength > vectorLength);
     642    unsigned delta = newLength - vectorLength;
     643    for (unsigned i = 0; i < delta; i++)
     644        m_storage->m_vector[i].clear();
    642645    Heap::heap(this)->reportExtraMemoryCost(storageSize(newVectorLength) - storageSize(vectorLength));
    643646   
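Review bot: the ASSERT(newLength > vectorLength) guarding the new loop compiles out in release builds, so if that invariant is ever violated `unsigned delta = newLength - vectorLength;` wraps around and the loop clears far past the end of the vector; a short comment stating why callers guarantee newLength > vectorLength, or a release-mode early return, would make the intent explicit. It is also worth confirming that newLength rather than newVectorLength is the right bound for the cleared range: the extra memory cost reported on the next line is computed from newVectorLength, so the slots between newLength and newVectorLength are freshly allocated too, and if the visitor can reach them they also need clearing before the cost is reported.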