Bug 34321

Summary: JSC is failing to propagate anonymous slot count on some transitions
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: lantzwr, vdanen
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: OS X 10.5   
Attachments:
Description Flags
Patch
none
Patch mjs: review+

Oliver Hunt
Reported 2010-01-29 02:45:24 PST
JSC is failing to propagate anonymous slot count on some transitions
Attachments
Patch (12.05 KB, patch)
2010-01-29 02:56 PST, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
Patch (19.13 KB, patch)
2010-02-01 00:13 PST, Oliver Hunt 		mjs: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2010-01-29 02:56:30 PST
Created attachment 47694 [details] Patch
Darin Adler
Comment 2 2010-01-29 09:24:45 PST
Comment on attachment 47694 [details] Patch > + push(@implContent, " ASSERT((int)(this->structure()->anonymousSlotCount()) >= (int)AnonymousSlotCount);\n"); Why are these casts needed? If they are needed, why use C-style casts instead of C++-style?
Oliver Hunt
Comment 3 2010-01-29 11:47:08 PST
Committed r54073: <http://trac.webkit.org/changeset/54073>
Mark Rowe (bdash)
Comment 4 2010-01-29 21:31:09 PST
I rolled this out in r54100 as it introduced many thousands of leaks.
Oliver Hunt
Comment 5 2010-02-01 00:13:59 PST
Created attachment 47817 [details] Patch
Maciej Stachowiak
Comment 6 2010-02-01 00:35:46 PST
Comment on attachment 47817 [details] Patch r=me
Oliver Hunt
Comment 7 2010-02-01 01:42:06 PST
*** Bug 34403 has been marked as a duplicate of this bug. ***
Oliver Hunt
Comment 8 2010-02-01 01:43:15 PST
Committed r54129
Vincent Danen
Comment 9 2010-06-28 10:34:38 PDT
This has been given the name CVE-2010-1387
Note You need to log in before you can comment on or make changes to this bug.