fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
https://bugs.webkit.org/show_bug.cgi?id=118911
Reviewed by Geoffrey Garen.
We could also have a separate method like "willNotCrash(offset)", but that's not
what isValidOffset() is intended to mean.
* runtime/Structure.h:
(JSC::Structure::isValidOffset):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153285 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/runtime/Structure.h b/Source/JavaScriptCore/runtime/Structure.h
index 5a67c2a..165ca27 100644
--- a/Source/JavaScriptCore/runtime/Structure.h
+++ b/Source/JavaScriptCore/runtime/Structure.h
@@ -223,8 +223,8 @@
bool isValidOffset(PropertyOffset offset) const
{
return JSC::isValidOffset(offset)
- && (offset < m_inlineCapacity
- || (offset >= firstOutOfLineOffset && offset <= m_offset));
+ && offset <= m_offset
+ && (offset < m_inlineCapacity || offset >= firstOutOfLineOffset);
}
bool masqueradesAsUndefined(JSGlobalObject* lexicalGlobalObject);
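Review bot: the new `&& offset <= m_offset` clause in isValidOffset() narrows the result for inline offsets, and nothing in the function documents the new contract. Offsets above m_offset but below m_inlineCapacity returned true before this change and return false after it, so a caller that used the function as a bounds check on inline storage now gets a different answer. A short comment above the function stating that a true result means the slot holds a stored JSValue, not merely that the offset lies inside allocated storage, would record the distinction the commit message draws with "willNotCrash(offset)".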