fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=107081

Reviewed by Michael Saboff.

This bug led to the 32_64 backend emitting contiguous allocation code to allocate ArrayStorage arrays. This then led to all manner of heap corruption, since subsequent array accesses would be accessing the contiguous array "as if" it was an arraystorage array.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139949 268f45cc-cd09-0410-ab3c-d52691b4dbfc
50afd7cb