Title: [98571] branches/safari-534.52-branch/Source/JavaScriptCore
Revision: 98571
Author: lforsch...@apple.com
Date: 2011-10-27 07:51:32 -0700 (Thu, 27 Oct 2011)

Log Message

Merge fix for https://bugs.webkit.org/show_bug.cgi?id=70976

Modified Paths


Diff

Modified: branches/safari-534.52-branch/Source/JavaScriptCore/ChangeLog (98570 => 98571)


--- branches/safari-534.52-branch/Source/_javascript_Core/ChangeLog	2011-10-27 14:36:59 UTC (rev 98570)
+++ branches/safari-534.52-branch/Source/_javascript_Core/ChangeLog	2011-10-27 14:51:32 UTC (rev 98571)
@@ -1,3 +1,24 @@
+2011-10-26  Lucas Forschler  <lforsch...@apple.com>
+
+    Merge fix for 10351765.
+    
+    2011-10-26  Oliver Hunt  <oli...@apple.com>
+    
+            Restore structure-clearing behaviour of allocateCell<>
+            https://bugs.webkit.org/show_bug.cgi?id=70976
+    
+            This restores the logic that allows the markstack to filter
+            live objects that have not yet been initialised.
+    
+            * runtime/JSCell.h:
+            (JSC::JSCell::clearStructure):
+               Validation-safe method to clear a cell's structure.
+            (JSC::allocateCell):
+               Call the above method.
+            * runtime/Structure.h:
+            (JSC::MarkStack::internalAppend):
+               Don't visit cells that haven't been initialised.
+    
 2011-10-21  Lucas Forschler  <lforsch...@apple.com>
 
     Merge 94298
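Review bot: the merged ChangeLog entry lists a change to runtime/Structure.h (JSC::MarkStack::internalAppend, "Don't visit cells that haven't been initialised"), but this revision's diff touches only ChangeLog and runtime/JSCell.h. The null structure that allocateCell now leaves behind only does its job if the mark stack actually skips such cells, so either the Structure.h hunk is missing from this merge or the entry overstates what r98571 contains; please confirm Structure.h was merged in this or an adjacent revision, or trim the entry to the files actually changed.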

Modified: branches/safari-534.52-branch/Source/JavaScriptCore/runtime/JSCell.h (98570 => 98571)


--- branches/safari-534.52-branch/Source/_javascript_Core/runtime/JSCell.h	2011-10-27 14:36:59 UTC (rev 98570)
+++ branches/safari-534.52-branch/Source/_javascript_Core/runtime/JSCell.h	2011-10-27 14:51:32 UTC (rev 98571)
@@ -93,6 +93,7 @@
         virtual bool isPropertyNameIterator() const { return false; }
 
         Structure* structure() const;
+        void clearStructure() { m_structure.clear(); }
 
         // Extracting the value.
         bool getString(ExecState* exec, UString&) const;
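Review bot: clearStructure() is added as a public member right next to the structure() accessor, with no comment saying it exists only for cells that have just been allocated and not yet constructed (the ChangeLog calls it "validation-safe" for exactly that reason). Calling it on an initialised cell would make structure() return null to code that assumes a valid Structure; suggest a one-line comment such as "Only for freshly allocated cells; see allocateCell<>" or narrowing its visibility so the intent is enforced rather than implied.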
@@ -349,7 +350,9 @@
 
     template <typename T> void* allocateCell(Heap& heap)
     {
-        return heap.allocate(sizeof(T));
+        JSCell* result = static_cast<JSCell*>(heap.allocate(sizeof(T)));
+        result->clearStructure();
+        return result;
     }
         
 } // namespace JSC
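Review bot: result->clearStructure() runs on the raw storage returned by heap.allocate before any JSCell constructor has executed, so correctness depends on m_structure's clear() writing the field without reading whatever was there before; a comment stating that assumption would stop a later change to clear() (for example one that inspects the old value) from silently breaking allocation. Separately, the old code returned heap.allocate's result untouched whereas the new code dereferences it, so if heap.allocate can return null on failure the caller now gets a null dereference instead of a null return; if it never returns null, say so in the comment.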
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes