path: root/Source/JavaScriptCore/heap/WeakSet.cpp
author: Filip Pizlo <fpizlo@apple.com> 2013-03-27 12:12:01 +0100
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-03-27 15:13:21 +0100
commit: c3d07e7d748ecc5fce9fd5938f1b943369f40ca2 (patch)
tree: 54ebbeedcdb136e2ec35301b8b2ed7bcc5d9af08 /Source/JavaScriptCore/heap/WeakSet.cpp
parent: 2a43c884303d7a002f6e164aaa5bb7b301425563 (diff)
download: qtwebkit-c3d07e7d748ecc5fce9fd5938f1b943369f40ca2.tar.gz
DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
https://bugs.webkit.org/show_bug.cgi?id=107081

Reviewed by Michael Saboff.

This bug led to the 32_64 backend emitting contiguous allocation code to allocate ArrayStorage arrays. This then led to all manner of heap corruption, since subsequent array accesses would be accessing the contiguous array "as if" it was an arraystorage array.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

Change-Id: Ide538ea42dc32f29daf7bfe4b035053f1e9471b1
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139949 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/heap/WeakSet.cpp')
0 files changed, 0 insertions, 0 deletions