Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: eba5b36f9461c779e6e3648ba809e2c02436f492
      
https://github.com/WebKit/WebKit/commit/eba5b36f9461c779e6e3648ba809e2c02436f492
  Author: Marcus Plutowski <[email protected]>
  Date:   2024-05-02 (Thu, 02 May 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/ObjectConstructorInlines.h

  Log Message:
  -----------
  Check that objects have inline storage before trying to copy it
https://bugs.webkit.org/show_bug.cgi?id=273590
rdar://127227132

Reviewed by Yusuke Suzuki.

When copying objects via this code path, we copy over the inlineStorage
unconditionally. This is fine in release mode since when the
inlineStorage isn't present the backing memcpy is 0-width and therefore
does not affect memory, but in debug mode we hit an assert when trying
to get the value for source->inlineStorage.

* Source/JavaScriptCore/runtime/ObjectConstructorInlines.h:
(JSC::tryCreateObjectViaCloning):

Canonical link: https://commits.webkit.org/278270@main



_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
