git://git.webkit.org / WebKit-https.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 61154d4) | patch
JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Sep 2018 23:51:05 +0000 (23:51 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Sep 2018 23:51:05 +0000 (23:51 +0000)
commit48544ba528e4ad5ce15fb6ffba8072a62b8132a4
tree298727c6588566d21e21b954337297b42b047b38tree | snapshot
parent61154d42b45b1576bbf148d19b72361700a52056commit | diff
JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
https://bugs.webkit.org/show_bug.cgi?id=189124
<rdar://problem/43863605>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-189124.js: Added.

Source/JavaScriptCore:

It is assumed that the Structure for the m_cachedStructureID will remain alive
while the m_cachedStructureID is in use.  This prevents the structureID from being
re-used for a different Structure.

* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235715 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog diff | blob | history
JSTests/stress/regress-189124.js [new file with mode: 0644] blob
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp diff | blob | history
Mirror of the WebKit open source project from svn.webkit.org.