2011-07-01 Oliver Hunt <oliver@apple.com>
        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
        https://bugs.webkit.org/show_bug.cgi?id=63732

        Reviewed by Gavin Barraclough.

        Initialise the memory at the head of the new storage so that
        GC is safe if triggered by reportExtraMemoryCost.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorPrefixLength):

Canonical link: https://commits.webkit.org/79549@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@90282 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ojhunt committed Jul 1, 2011
1 parent 3c0d7f4 commit 201049a8ad9b6bf16a9e070cd9bad9372775d25b
Showing 2 changed files with 17 additions and 1 deletion.
@@ -1,3 +1,16 @@
2011-07-01 Oliver Hunt <oliver@apple.com>

IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
https://bugs.webkit.org/show_bug.cgi?id=63732

Reviewed by Gavin Barraclough.

Initialise the memory at the head of the new storage so that
GC is safe if triggered by reportExtraMemoryCost.

* runtime/JSArray.cpp:
(JSC::JSArray::increaseVectorPrefixLength):

2011-07-01 Oliver Hunt <oliver@apple.com>

GC sweep can occur before an object is completely initialised
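Review bot: the new ChangeLog entry (lines "Initialise the memory at the head of the new storage ...") states what is done but not why the head of the new storage is uninitialised, which is the fact a future reader needs to keep the ordering in increaseVectorPrefixLength intact. Consider expanding it to say that the added prefix slots at the front of m_vector are not written by the copy of the existing elements, and that reportExtraMemoryCost may trigger a collection that visits every slot up to m_vectorLength, so the clear must happen before that call.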
@@ -638,7 +638,10 @@ bool JSArray::increaseVectorPrefixLength(unsigned newLength)
m_vectorLength = newLength;

fastFree(storage->m_allocBase);

ASSERT(newLength > vectorLength);
unsigned delta = newLength - vectorLength;
for (unsigned i = 0; i < delta; i++)
m_storage->m_vector[i].clear();
Heap::heap(this)->reportExtraMemoryCost(storageSize(newVectorLength) - storageSize(vectorLength));

return true;
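Review bot: the guard for the new clearing loop is debug-only. `ASSERT(newLength > vectorLength);` compiles out in release builds, and if a caller ever passed newLength <= vectorLength the following `unsigned delta = newLength - vectorLength;` would wrap to a huge value and the loop would write `clear()` across memory far past the new vector. If the callers of increaseVectorPrefixLength already guarantee the relation, a short comment stating that invariant next to the ASSERT is enough; otherwise an early return (or clamping delta) belongs here. Two smaller points in the same hunk: the ASSERT uses `newLength` while the following `reportExtraMemoryCost(storageSize(newVectorLength) - storageSize(vectorLength))` uses `newVectorLength`, so please confirm these are the same quantity, or the cleared range will not match the slots that were actually added; and the loop deserves a one-line comment explaining that it must run after `fastFree(storage->m_allocBase);` has released the old storage but before reportExtraMemoryCost, since that call can start a GC that walks the first m_vectorLength entries of m_storage->m_vector.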
