Check that objects have inline storage before trying to copy it

https://bugs.webkit.org/show_bug.cgi?id=273590 rdar://127227132 Reviewed by Yusuke Suzuki. When copying objects via this code path, we copy over the inlineStorage unconditionally. This is fine in release mode since when the inlineStorage isn't present the backing memcpy is 0-width and therefore does not affect memory, but in debug mode we hit an assert when trying to get the value for source->inlineStorage. * Source/JavaScriptCore/runtime/ObjectConstructorInlines.h: (JSC::tryCreateObjectViaCloning): Canonical link: https://commits.webkit.org/278270@main
WebKit · May 2, 2024 · eba5b36 · eba5b36
1 parent f33389c
commit eba5b36
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h b/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h
@@ -265,7 +265,8 @@ ALWAYS_INLINE JSObject* tryCreateObjectViaCloning(VM& vm, JSGlobalObject* global
         gcSafeMemcpy(newButterfly->propertyStorage() - propertyCapacity, source->butterfly()->propertyStorage() - propertyCapacity, propertyCapacity * sizeof(EncodedJSValue));
     }
     JSFinalObject* target = JSFinalObject::createWithButterfly(vm, sourceStructure, newButterfly);
-    gcSafeMemcpy(target->inlineStorage(), source->inlineStorage(), sourceStructure->inlineCapacity() * sizeof(EncodedJSValue));
+    if (sourceStructure->inlineCapacity() > 0)
+        gcSafeMemcpy(target->inlineStorage(), source->inlineStorage(), sourceStructure->inlineCapacity() * sizeof(EncodedJSValue));
     vm.writeBarrier(target);
 
     return target;