Changeset 154633 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.cpp

Timestamp:

Aug 26, 2013, 1:29:06 PM (12 years ago)

Author:

[email protected]

Message:

JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
​https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

• runtime/JSObject.cpp:

(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

LayoutTests:

• fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
• fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
• fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2058 +2058 @@
                 !attributes
                 && (isDenseEnoughForVector(i, storage->m_numValuesInVector))
-                && increaseVectorLength(vm, i + 1)
-                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))) {
+                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))
+                && increaseVectorLength(vm, i + 1)) {
             // success! - reread m_storage since it has likely been reallocated, and store to the vector.
             storage = arrayStorage();