Bug 102573 - JSObject::copyButterfly doesn't handle undecided indexing types correctly
Summary: JSObject::copyButterfly doesn't handle undecided indexing types correctly
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Hahnenberg
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-16 17:26 PST by Mark Hahnenberg
Modified: 2012-11-26 13:00 PST (History)
1 user (show)

See Also:

Attachments
Patch (1.79 KB, patch)
2012-11-16 17:56 PST, Mark Hahnenberg 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Hahnenberg 2012-11-16 17:26:46 PST 
We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing types. We should just do the actual memcpy from the old block to the new one. We should also assert that all of the elements are empty in vectors with undecided indexing type.
Comment 1 Mark Hahnenberg 2012-11-16 17:56:48 PST 
Created attachment 174790 [details]
Patch
Comment 2 WebKit Review Bot 2012-11-26 13:00:55 PST 
Comment on attachment 174790 [details]
Patch

Clearing flags on attachment: 174790

Committed r135756: <http://trac.webkit.org/changeset/135756>
Comment 3 WebKit Review Bot 2012-11-26 13:00:59 PST 
All reviewed patches have been landed.  Closing bug.