From 228153b29c3e235fa5d40ff09f8403fa2e8f7226 Mon Sep 17 00:00:00 2001
From: Thiago Macieira
Date: Thu, 29 Jan 2009 16:07:27 +0100
Subject: Fix oversize-buffer support for aligning.

Since Vector initialises VectorBase with the value of inlineBuffer(), it does so before the m_inlineBuffer member has had a chance to initialise. This lead to dereferencing of uninitialised pointers and, as was expected, crashes.
---
 src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h b/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h
index e3cb718..11c20a9 100644
--- a/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h
+++ b/src/3rdparty/webkit/JavaScriptCore/wtf/Vector.h
@@ -67,10 +67,11 @@ namespace WTF {
 template struct AlignedBuffer {
 AlignedBufferChar oversizebuffer[size + 64];
- AlignedBufferChar *buffer;
- inline AlignedBuffer() : buffer(oversizebuffer)
+ AlignedBufferChar *buffer()
 {
- buffer += 64 - (reinterpret_cast(buffer) & 0x3f);
+ AlignedBufferChar *ptr = oversizebuffer;
+ ptr += 64 - (reinterpret_cast(ptr) & 0x3f);
+ return ptr;
 }
 };
 #endif
@@ -440,7 +441,11 @@ namespace WTF {
 using Base::m_capacity;
 static const size_t m_inlineBufferSize = inlineCapacity * sizeof(T);
+ #ifdef WTF_ALIGNED
 T* inlineBuffer() { return reinterpret_cast(m_inlineBuffer.buffer); }
+ #else
+ T* inlineBuffer() { return reinterpret_cast(m_inlineBuffer.buffer()); }
+ #endif
 AlignedBuffer m_inlineBuffer;
 };
--
cgit v0.12
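Review bot: `buffer()` can be called on the not-yet-constructed `m_inlineBuffer` (the situation the commit message describes) only because `AlignedBuffer` now has no constructor and no state beyond the array, and the result is derived from the address of `oversizebuffer` alone; nothing in the code records that this is load-bearing. I'd put a comment above `AlignedBufferChar *buffer()`: `// Derived from the array's address only, no stored pointer: Vector calls this before m_inlineBuffer is constructed, so keep this struct trivial.` Separately, `64 - (addr & 0x3f)` skips a full 64 bytes when the array is already 64-byte aligned; that stays within the `size + 64` slack, but the paired magic numbers would read better as one named alignment constant. The cast's target type is not visible in this rendering (presumably an integer wide enough for a pointer, e.g. `uintptr_t`); confirm it cannot truncate on any supported target. The preprocessor block closed by the trailing `#endif` starts outside the hunk.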
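Review bot: The `#ifdef WTF_ALIGNED` / `#else` pair defines `inlineBuffer()` twice with bodies that differ only in `.buffer` versus `.buffer()`, so the preprocessor branch leaks into `Vector` even though only `AlignedBuffer` varies. Giving the `WTF_ALIGNED` variant of `AlignedBuffer` an equivalent `buffer()` accessor would let this stay a single `T* inlineBuffer() { return reinterpret_cast<T*>(m_inlineBuffer.buffer()); }` with the conditional confined to the struct definitions. Whichever shape is kept, I'd add above `inlineBuffer()`: `// VectorBase is initialised from inlineBuffer() before m_inlineBuffer is constructed; this must stay a pure address computation.` so the next edit does not reintroduce the crash this commit fixes. The enclosing class begins outside the hunk.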