Bug 77273

Summary: GC invoked while doing an old JIT property storage reallocation may lead to an object that refers to a dead structure
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
the patch none

Filip Pizlo
Reported 2012-01-28 00:35:17 PST
Patch forthcoming.
Attachments
the patch (4.27 KB, patch)
2012-01-28 00:53 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2012-01-28 00:53:08 PST
Created attachment 124433 [details] the patch
WebKit Review Bot
Comment 2 2012-01-28 02:18:47 PST
Comment on attachment 124433 [details] the patch Clearing flags on attachment: 124433 Committed r106185: <http://trac.webkit.org/changeset/106185>
WebKit Review Bot
Comment 3 2012-01-28 02:18:51 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.