author | Thiago Macieira <thiago.macieira@intel.com> | 2014-07-02 15:50:53 -0700 |
---|---|---|
committer | Thiago Macieira <thiago.macieira@intel.com> | 2014-07-03 03:56:10 +0200 |
commit | 11ca34818ad9a982f653cfd727f1b7d677efa9a9 (patch) | |
tree | f7c67454b1665f60ab59527b581c6f2528ae8f9e /src | |
parent | 71f6dee8791c95fd862ca3651d7f4b7d6b9f440e (diff) | |
download | qtscript-11ca34818ad9a982f653cfd727f1b7d677efa9a9.tar.gz |
In the first iteration of the loop, span->objects is not null, but
becomes null and therefore the entry is removed from the list. When the
list is empty, the list header (nonempty_) has next == prev == self and
objects is null. So in the second iteration, DLL_IsEmpty should return
true.

Analysis of the assembly output indicates that the function DLL_IsEmpty
(DLL = "doubly linked list") was hoisted out of the loop and its
condition was never checked again.

Affects: 14.0.3 on Linux, 15 on OS X (EDG and Clang) and Linux
Does not affect: 14.0.3 on Windows
Intel issue ID: 6000056746

Change-Id: I4439f441d5206a39391b9181baf42160d37bd2f1
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp index d95f078..14b7d76 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/FastMalloc.cpp @@ -2635,8 +2635,11 @@ void* TCMalloc_Central_FreeList::FetchFromSpansSafe() { } void* TCMalloc_Central_FreeList::FetchFromSpans() { - if (DLL_IsEmpty(&nonempty_)) return NULL; +// Intel compiler bug; issue id 6000056746 +// if (DLL_IsEmpty(&nonempty_)) return NULL; Span* span = nonempty_.next; + if (span == &nonempty_) + return NULL; ASSERT(span->objects != NULL); ASSERT_SPAN_COMMITTED(span); |
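Review bot: The workaround comment in FetchFromSpans() gives only the issue id and keeps the old call as commented-out code at column 0, so nothing in the source tells a later reader that `if (span == &nonempty_)` is a deliberate open-coded replacement for DLL_IsEmpty(&nonempty_) and must not be folded back into the helper. Replace the dead line with one or two sentences that state the equivalence (an empty list header points to itself), name the affected compiler versions from the commit message, and indent the comment with the function body. This check is also the only thing keeping the list header from reaching `ASSERT(span->objects != NULL)` and the code after it, where the commit message says its objects field is null, so the comment should say that the early return has to stay ahead of any use of span. If the intent is to restore the helper call once the compiler is fixed, a guard on the compiler version would make that removable later; as written the change applies to every compiler, which is fine only because the two checks are equivalent.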