RESOLVED FIXED 102573
JSObject::copyButterfly doesn't handle undecided indexing types correctly 
https://bugs.webkit.org/show_bug.cgi?id=102573
Summary JSObject::copyButterfly doesn't handle undecided indexing types correctly
Mark Hahnenberg
Reported 2012-11-16 17:26:46 PST
We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing types. We should just do the actual memcpy from the old block to the new one. We should also assert that all of the elements are empty in vectors with undecided indexing type.
Attachments
Patch (1.79 KB, patch)
2012-11-16 17:56 PST, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2012-11-16 17:56:48 PST
Created attachment 174790 [details] Patch
WebKit Review Bot
Comment 2 2012-11-26 13:00:55 PST
Comment on attachment 174790 [details] Patch Clearing flags on attachment: 174790 Committed r135756: <http://trac.webkit.org/changeset/135756>
WebKit Review Bot
Comment 3 2012-11-26 13:00:59 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.