delta/qt5/qtwebkit.git - code.qt.io: qt/qtwebkit.git

diff options

author	Mark Hahnenberg <mhahnenberg@apple.com>	2014-09-29 18:13:42 +0200
committer	Allan Sandfeld Jensen <allan.jensen@digia.com>	2014-09-30 17:48:46 +0200
commit	4d767a25f6169648580c4435cb5b7366e7ff5ee0 (patch)
tree	535bed3a85abefd09e76864a1254d9689d7109f6 /Source/JavaScriptCore/API/JSObjectRef.cpp
parent	3a65cdfd6a28193937b338d6cc74be20c3f8d25b (diff)
download	qtwebkit-4d767a25f6169648580c4435cb5b7366e7ff5ee0.tar.gz

(un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole

https://bugs.webkit.org/show_bug.cgi?id=121717 Reviewed by Oliver Hunt. Source/JavaScriptCore: This bug caused the array to become corrupted. We now check for holes before we start moving things, and start moving things only once we've determined that there are none. * runtime/JSArray.cpp: (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::unshiftCountWithAnyIndexingType): Change-Id: I9948bfa2c9b4a345076f7f2b4e50a566f521b6fe git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156214 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

Diffstat (limited to 'Source/JavaScriptCore/API/JSObjectRef.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: