Commit c9f16125 authored by fpizlo@apple.com

bbc homepage crashes immediately

https://bugs.webkit.org/show_bug.cgi?id=96812
<rdar://problem/12081386>

Reviewed by Oliver Hunt.

If you use the old storage pointer to write to space you thought was newly allocated,
you're going to have a bad time.

* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCount):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128667 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 65db9806
2012-09-14 Filip Pizlo <fpizlo@apple.com>
bbc homepage crashes immediately
https://bugs.webkit.org/show_bug.cgi?id=96812
<rdar://problem/12081386>
Reviewed by Oliver Hunt.
If you use the old storage pointer to write to space you thought was newly allocated,
you're going to have a bad time.
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCount):
2012-09-14 Adam Barth <abarth@webkit.org>
Remove webkitPostMessage
@@ -549,7 +549,9 @@ bool JSArray::unshiftCount(ExecState* exec, unsigned count)
storage = m_butterfly->arrayStorage();
storage->m_indexBias -= count;
storage->setVectorLength(storage->vectorLength() + count);
} else if (!unshiftCountSlowCase(exec->globalData(), count)) {
} else if (unshiftCountSlowCase(exec->globalData(), count))
storage = arrayStorage();
else {
throwOutOfMemoryError(exec);
return true;
}
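Review bot: the re-read `storage = arrayStorage();` after a successful `unshiftCountSlowCase(exec->globalData(), count)` is the actual fix for the stale-pointer write the commit message describes, but nothing in the hunk says why it is there; a one-line comment at that assignment noting that the slow case can replace the array's backing storage, so the `storage` captured before the branch must not be used afterwards, would keep a later refactor from hoisting the read back above the `if`. The change also lands with no regression test (only runtime/JSArray.cpp and the ChangeLog are touched); a test that pushes `unshiftCount` through the slow path and then reads back the shifted elements would pin the fixed behaviour.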