authorThiago Macieira <thiago.macieira@nokia.com>2009-01-29 15:07:27 (GMT)
committerKent Hansen <khansen@trolltech.com>2009-09-04 10:40:59 (GMT)
commit228153b29c3e235fa5d40ff09f8403fa2e8f7226 (patch)
treea6339bba847a5b420c01b7427cae85055e5bb2c9
parent3944904b361b5a585a6e07bf17528d4739caed39 (diff)
Fix oversize-buffer support for aligning.
Since Vector initialises VectorBase with the value of inlineBuffer(), it does so before the m_inlineBuffer member has had a chance to initialise. This led to dereferencing of uninitialised pointers and, as was expected, crashes.
-rw-r--r--src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h b/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h
index e3cb718..11c20a9 100644
--- a/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h
+++ b/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h
@@ -67,10 +67,11 @@ namespace WTF {
template <size_t size, size_t> struct AlignedBuffer
{
AlignedBufferChar oversizebuffer[size + 64];
- AlignedBufferChar *buffer;
- inline AlignedBuffer() : buffer(oversizebuffer)
+ AlignedBufferChar *buffer()
{
- buffer += 64 - (reinterpret_cast<size_t>(buffer) & 0x3f);
+ AlignedBufferChar *ptr = oversizebuffer;
+ ptr += 64 - (reinterpret_cast<size_t>(ptr) & 0x3f);
+ return ptr;
}
};
#endif
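Review bot: The new `buffer()` always rounds up to a 64-byte boundary (`& 0x3f`) and never consults the struct's second template parameter, so if `WTF_ALIGN_OF(T)` can exceed 64 on some target the returned pointer would be under-aligned; the hunk does not show what values that parameter takes, so either a compile-time check or a comment stating the 64-byte ceiling would make the assumption explicit. The arithmetic itself stays in bounds, since the offset is in 1..64 and `oversizebuffer` has `size + 64` elements, but that invariant, and the fact that the result is deliberately recomputed from the address of `oversizebuffer` on each call (which is what lets it be used before this member is constructed, per the commit message), deserve a comment such as `// Offset is 1..64 (an already-aligned start still advances 64), so ptr + size fits in oversizebuffer[size + 64]; computed on demand so it is usable before construction.` Prefer `reinterpret_cast<uintptr_t>(ptr)` over `size_t` for the pointer-to-integer conversion, as `size_t` is not guaranteed to hold a pointer value.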
@@ -440,7 +441,11 @@ namespace WTF {
using Base::m_capacity;
static const size_t m_inlineBufferSize = inlineCapacity * sizeof(T);
+ #ifdef WTF_ALIGNED
T* inlineBuffer() { return reinterpret_cast<T*>(m_inlineBuffer.buffer); }
+ #else
+ T* inlineBuffer() { return reinterpret_cast<T*>(m_inlineBuffer.buffer()); }
+ #endif
AlignedBuffer<m_inlineBufferSize, WTF_ALIGN_OF(T)> m_inlineBuffer;
};
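Review bot: `inlineBuffer()` now has two definitions under `#ifdef WTF_ALIGNED` that differ only in `.buffer` versus `.buffer()`; giving the `WTF_ALIGNED` variant of `AlignedBuffer` (defined outside this hunk) a `buffer()` accessor as well would collapse this to a single definition and keep the two variants interchangeable at the call site. Whichever form is kept, the `#else` branch should say why the access differs, e.g. `// oversize-buffer fallback: the aligned pointer is derived from oversizebuffer on demand, so this is safe to call before m_inlineBuffer is constructed`, since the commit message is the only place that rationale is currently recorded. The enclosing class starts outside this hunk.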