Commit 3343b393 authored by oliver@apple.com

2011-07-01 Oliver Hunt <oliver@apple.com>

        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
        https://bugs.webkit.org/show_bug.cgi?id=63732

        Reviewed by Gavin Barraclough.

        Initialise the memory at the head of the new storage so that
        GC is safe if triggered by reportExtraMemoryCost.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorPrefixLength):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@90282 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c30ce269
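A stand-alone model of the ordering problem the commit message describes, added here as an illustration; it is not WebKit or JavaScriptCore code, and every name in it (Heap, Array, poisoned_alloc, run_scenario, the 0x41 poison pattern) is invented for the example. New vector storage is allocated with the old elements copied behind a fresh prefix of `delta` slots, the memory cost is reported, and the report can run a collection that marks every slot up to the vector length. If the prefix still holds stale heap bytes at that point, the marker treats them as cell pointers. The toy collector counts such slots instead of dereferencing them, so the pre-fix and post-fix orderings can be compared without crashing:

```c
/* Model of the JSArray::increaseVectorPrefixLength bug fixed in this commit.
 * Toy code written for this page, not JavaScriptCore; all names are made up. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ARENA_CELLS 16
#define EMPTY_VALUE 0            /* the "cleared" encoding, like JSValue().clear() */

typedef struct Cell { int marked; int payload; } Cell;
typedef uintptr_t Value;         /* 0 = empty, otherwise the address of a Cell */

typedef struct Heap {
    Cell arena[ARENA_CELLS];     /* the only memory that may legitimately be a cell */
    size_t extra_cost;           /* bytes reported via report_extra_memory_cost */
    size_t gc_threshold;
    int bad_slots;               /* slots whose bits do not point into the arena */
} Heap;

typedef struct Array {
    Heap *heap;
    Value *vector;
    unsigned vector_length;
} Array;

/* Stale heap memory is not deterministic, so the toy allocator poisons fresh
 * storage with 0x41 bytes, the way a debug allocator would. */
static Value *poisoned_alloc(unsigned n) {
    Value *p = malloc(n * sizeof(Value));
    memset(p, 0x41, n * sizeof(Value));
    return p;
}

static int is_arena_cell(Heap *h, Value v) {
    uintptr_t lo = (uintptr_t)&h->arena[0], hi = (uintptr_t)&h->arena[ARENA_CELLS];
    return v >= lo && v < hi && (v - lo) % sizeof(Cell) == 0;
}

/* Marking phase: every slot up to vector_length is visited. A real
 * SlotVisitor would dereference the slot; here an out-of-arena value is
 * counted instead of crashing the process. */
static void collect(Heap *h, Array *a) {
    for (unsigned i = 0; i < a->vector_length; i++) {
        Value v = a->vector[i];
        if (v == EMPTY_VALUE) continue;
        if (!is_arena_cell(h, v)) { h->bad_slots++; continue; }
        ((Cell *)v)->marked = 1;
    }
}

static void report_extra_memory_cost(Heap *h, Array *a, size_t cost) {
    h->extra_cost += cost;
    if (h->extra_cost >= h->gc_threshold) { collect(h, a); h->extra_cost = 0; }
}

/* Grow the vector by adding `delta` slots at the head. With init_prefix == 0
 * the prefix still holds stale bytes when the collection runs (the pre-fix
 * order); with init_prefix != 0 it is cleared first (the fix). */
static void increase_vector_prefix_length(Array *a, unsigned new_length, int init_prefix) {
    unsigned old_length = a->vector_length;
    if (new_length <= old_length) return;     /* release-safe form of the ASSERT */
    unsigned delta = new_length - old_length;
    Value *storage = poisoned_alloc(new_length);
    memcpy(storage + delta, a->vector, old_length * sizeof(Value));
    free(a->vector);
    a->vector = storage;
    a->vector_length = new_length;
    if (init_prefix)
        for (unsigned i = 0; i < delta; i++) a->vector[i] = EMPTY_VALUE;
    report_extra_memory_cost(a->heap, a, delta * sizeof(Value));
}

/* Returns how many slots the collector found holding non-pointer bits. */
int run_scenario(int init_prefix) {
    Heap *h = calloc(1, sizeof(Heap));
    h->gc_threshold = 1;                      /* any reported cost triggers a GC */
    Array a = { h, poisoned_alloc(2), 2 };
    a.vector[0] = (Value)&h->arena[3];        /* two live cells in the array */
    a.vector[1] = (Value)&h->arena[7];
    increase_vector_prefix_length(&a, 6, init_prefix);   /* delta = 4 new slots */
    int bad = h->bad_slots;
    free(a.vector);
    free(h);
    return bad;
}

int main(void) {
    printf("uninitialised prefix: %d bad slots\n", run_scenario(0));
    printf("cleared prefix:       %d bad slots\n", run_scenario(1));
    return 0;
}
```

With the prefix left uninitialised the collector sees all four new slots as bogus cell pointers; clearing them before the cost is reported leaves the marker nothing to misread, which is the whole content of the fix. The guard on `new_length <= old_length` is the example's own addition: it stands in for the debug-only ASSERT so the unsigned subtraction cannot wrap in a release build.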
2011-07-01 Oliver Hunt <oliver@apple.com>
IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
https://bugs.webkit.org/show_bug.cgi?id=63732
Reviewed by Gavin Barraclough.
Initialise the memory at the head of the new storage so that
GC is safe if triggered by reportExtraMemoryCost.
* runtime/JSArray.cpp:
(JSC::JSArray::increaseVectorPrefixLength):
2011-07-01 Oliver Hunt <oliver@apple.com>
GC sweep can occur before an object is completely initialised
@@ -638,7 +638,10 @@ bool JSArray::increaseVectorPrefixLength(unsigned newLength)
m_vectorLength = newLength;
fastFree(storage->m_allocBase);
ASSERT(newLength > vectorLength);
unsigned delta = newLength - vectorLength;
for (unsigned i = 0; i < delta; i++)
m_storage->m_vector[i].clear();
Heap::heap(this)->reportExtraMemoryCost(storageSize(newVectorLength) - storageSize(vectorLength));
return true;
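Review bot: the new clearing loop must stay ahead of the reportExtraMemoryCost() call, because that call is what can start a collection and the marker walks every slot up to m_vectorLength, which is already set to newLength at the top of this hunk; a short comment above `for (unsigned i = 0; i < delta; i++)` stating that ordering would keep a later reorder from reintroducing the crash in SlotVisitor::visitChildren(). Separately, `ASSERT(newLength > vectorLength)` compiles out in release builds, so if that invariant ever fails `unsigned delta = newLength - vectorLength;` wraps and the loop writes far past the new vector; an explicit release-mode check that returns early when newLength <= vectorLength would make that path fail closed.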