WebKit Bugzilla
Attachment 343005 Details for Bug 186795: JSImmutableButterfly should assert m_header is adjacent to the data
Patch: bug-186795-20180618190753.patch (text/plain), 2.08 KB, created by Keith Miller on 2018-06-18 19:07:56 PDT
>Subversion Revision: 232953 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 13a25dbabfc1f12eed06dc5adf850f088a584f4f..e96b9a8facfbb521f8c6963448dd27d8a5418af3 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,13 @@ >+2018-06-18 Keith Miller <keith_miller@apple.com> >+ >+ JSImmutableButterfly should assert m_header is adjacent to the data >+ https://bugs.webkit.org/show_bug.cgi?id=186795 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/JSImmutableButterfly.cpp: >+ * runtime/JSImmutableButterfly.h: >+ > 2018-06-18 Keith Miller <keith_miller@apple.com> > > Unreviewed, fix the build... >diff --git a/Source/JavaScriptCore/runtime/JSImmutableButterfly.cpp b/Source/JavaScriptCore/runtime/JSImmutableButterfly.cpp >index d25bfc606b9ef3d4c037f0cc8ad424abc930336f..b38098c72ceb2c68e8812dfac6bc64cd5dd2c822 100644 >--- a/Source/JavaScriptCore/runtime/JSImmutableButterfly.cpp >+++ b/Source/JavaScriptCore/runtime/JSImmutableButterfly.cpp >@@ -54,4 +54,6 @@ void JSImmutableButterfly::copyToArguments(ExecState* exec, VirtualRegister firs > } > } > >+static_assert(JSImmutableButterfly::offsetOfData() == sizeof(JSImmutableButterfly), "m_header needs to be adjacent to Data"); >+ > } // namespace JSC >diff --git a/Source/JavaScriptCore/runtime/JSImmutableButterfly.h b/Source/JavaScriptCore/runtime/JSImmutableButterfly.h >index 0a69ec7165ea8573eedb83a3cf39302c8d8792ff..3ace0ad3003983980297d7f025035acbd887ceeb 100644 >--- a/Source/JavaScriptCore/runtime/JSImmutableButterfly.h >+++ b/Source/JavaScriptCore/runtime/JSImmutableButterfly.h 
>@@ -101,12 +101,12 @@ public: > toButterfly()->contiguous().atUnsafe(index).set(vm, this, value); > } > >-private: > static constexpr size_t offsetOfData() > { > return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(JSImmutableButterfly)); > } > >+private: > static Checked<size_t, RecordOverflow> allocationSize(Checked<size_t, RecordOverflow> numItems) > { > return offsetOfData() + numItems * sizeof(WriteBarrier<Unknown>);
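Review bot: The ChangeLog entry lists runtime/JSImmutableButterfly.cpp and runtime/JSImmutableButterfly.h with nothing after the colons. Please add a line for each saying what changed (the static_assert in the .cpp, offsetOfData() moving out of the private section in the .h) and a sentence on why the layout matters, so the entry is useful without opening the bug.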
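Review bot: In JSImmutableButterfly.cpp, the static_assert message talks about m_header, but the condition checked is offsetOfData() == sizeof(JSImmutableButterfly), which, given how offsetOfData() is defined in the header, means the round-up to sizeof(WriteBarrier<Unknown>) adds no padding. A short comment above the assert naming the code that relies on the data starting exactly at sizeof(JSImmutableButterfly) would make a failure actionable for whoever next changes the class layout, and the message could state the condition directly, for example that sizeof(JSImmutableButterfly) must be a multiple of sizeof(WriteBarrier<Unknown>).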
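Review bot: offsetOfData() becomes public in JSImmutableButterfly.h, apparently only so that the namespace-scope static_assert in the .cpp can call it. If nothing else outside the class needs it, the assert could live inside a member function body (the class is complete there, so sizeof(JSImmutableButterfly) is usable), which would let the private: label stay where it was. If the accessor is meant to be public from now on, say so in the ChangeLog.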