[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

barraclough at apple.com barraclough at apple.com
Wed Dec 22 11:41:54 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 1c5ba2875becf7853c105e24e09233c465df0f9c
Author: barraclough at apple.com <barraclough at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Aug 4 03:05:59 2010 +0000

    Fix for https://bugs.webkit.org/show_bug.cgi?id=43314.  The prior code
    was using the wrong "length" value to move array contents when adding
    space to the beginning of an array for an unshift() or similar
    operation.  Instead of using m_vectorLength, the length of the
    allocated JSValue array, the code was using m_length, the declared
    length of the array.  These two values do not need to match.
    
    Patch by Michael Saboff <msaboff at apple.com> on 2010-08-03
    Reviewed by Gavin Barraclough.
    
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * runtime/JSArray.cpp:
    (JSC::JSArray::increaseVectorPrefixLength):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64620 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 9556151..cda77fa 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-08-03  Michael Saboff  <msaboff at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=43314.  The prior code
+        was using the wrong "length" value to move array contents when adding
+        space to the beginning of an array for an unshift() or similar
+        operation.  Instead of using m_vectorLength, the length of the
+        allocated JSValue array, the code was using m_length, the declared
+        length of the array.  These two values do not need to match.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::increaseVectorPrefixLength):
+
 2010-08-03  Chao-ying Fu  <fu at mips.com>
 
         Reviewed by Gavin Barraclough.
diff --git a/JavaScriptCore/runtime/JSArray.cpp b/JavaScriptCore/runtime/JSArray.cpp
index ffae5ca..acbf594 100644
--- a/JavaScriptCore/runtime/JSArray.cpp
+++ b/JavaScriptCore/runtime/JSArray.cpp
@@ -631,7 +631,7 @@ bool JSArray::increaseVectorPrefixLength(unsigned newLength)
     newStorage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(newBaseStorage) + m_indexBias * sizeof(JSValue));
 
     memcpy(newStorage, storage, storageSize(0));
-    memcpy(&newStorage->m_vector[newLength - m_vectorLength], &storage->m_vector[0], storage->m_length * sizeof(JSValue));
+    memcpy(&newStorage->m_vector[newLength - m_vectorLength], &storage->m_vector[0], vectorLength * sizeof(JSValue));
     
     newStorage->m_allocBase = newBaseStorage;
     m_vectorLength = newLength;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list