The large block allocator is designed so that only one block should be in a MarkedBlock. In some cases the current code can allocate a large MarkedBlock that has 2 cells. Things fall over dead when this happens. rdar://problem/20764509
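The following is an added toy model, not JavaScriptCore's code, to illustrate the invariant the report describes and the fix the review discusses (m_endAtom for a large block set to the first cell's atom + 1). The block size, atom size, header reservation, the "before" end-atom formula and the isLarge flag are all assumptions made for the example.

```cpp
#include <cstddef>

// Toy model (assumed, not JSC's MarkedBlock): a block is sized in fixed "atoms",
// cells start on atom boundaries, and the allocation/sweep walk visits every
// atom from the first usable atom up to endAtom in steps of atomsPerCell.
namespace toy {

constexpr size_t kBlockSize     = 16 * 1024;               // assumed block size
constexpr size_t kAtomSize      = 16;                      // assumed atom size
constexpr size_t kAtomsPerBlock = kBlockSize / kAtomSize;  // 1024 atoms
constexpr size_t kFirstAtom     = 4;                       // assumed: header atoms

struct MarkedBlock {
    size_t atomsPerCell;
    size_t endAtom;   // one past the last atom at which a cell may start
};

// "Before": endAtom is derived from capacity alone. For a large cell that is
// smaller than half the usable area the walk still finds room for a second
// cell, which is the two-cells-in-one-large-block condition from the report.
inline MarkedBlock makeBlockBefore(size_t cellSize) {
    MarkedBlock b;
    b.atomsPerCell = (cellSize + kAtomSize - 1) / kAtomSize;   // round up to atoms
    b.endAtom = kAtomsPerBlock - b.atomsPerCell + 1;
    return b;
}

// "After": for a block flagged large, endAtom is the first cell's atom + 1, so
// the walk below can only ever yield one cell start regardless of cell size.
inline MarkedBlock makeBlockAfter(size_t cellSize, bool isLarge) {
    MarkedBlock b = makeBlockBefore(cellSize);
    if (isLarge)
        b.endAtom = kFirstAtom + 1;
    return b;
}

// Number of cells the walk would visit; for a large block this must be 1.
inline size_t countCells(const MarkedBlock& b) {
    size_t n = 0;
    for (size_t i = kFirstAtom; i < b.endAtom; i += b.atomsPerCell)
        ++n;
    return n;
}

} // namespace toy
```

With the assumed sizes, a 7000-byte cell occupies 438 atoms; the capacity-based endAtom (587) lets the walk start cells at atoms 4 and 442, i.e. two cells in a block meant to hold one, while the first-cell + 1 rule gives exactly one.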
Created attachment 252752: Patch
Comment on attachment 252752: Patch

r=me
Comment on attachment 252752: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=252752&action=review

> Source/JavaScriptCore/ChangeLog:9
> + m_endAtom for large blocks to use the location of the first block + 1. This

s/first block/first cell/
(In reply to comment #3)
> Comment on attachment 252752: Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=252752&action=review
>
> > Source/JavaScriptCore/ChangeLog:9
> > + m_endAtom for large blocks to use the location of the first block + 1. This
>
> s/first block/first cell/

Fixed locally.
Committed r184019: <http://trac.webkit.org/changeset/184019>