Timestamp:
Jun 6, 2017, 5:28:47 PM (8 years ago)
Author:
[email protected]
Message:

Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=173035
<rdar://problem/32554593>

Reviewed by Geoffrey Garen and Filip Pizlo.

JSTests:

  • stress/regress-173035.js: Added.

Source/JavaScriptCore:

Also added and fixed up some assertions.

  • runtime/ArrayConventions.h:
  • runtime/JSArray.cpp:
    (JSC::JSArray::setLength):
  • runtime/JSObject.cpp:
    (JSC::JSObject::createInitialIndexedStorage):
    (JSC::JSObject::ensureLengthSlow):
    (JSC::JSObject::reallocateAndShrinkButterfly):
  • runtime/JSObject.h:
    (JSC::JSObject::ensureLength):
  • runtime/RegExpObject.cpp:
    (JSC::collectMatches):
  • runtime/RegExpPrototype.cpp:
    (JSC::regExpProtoFuncSplitFast):

  • trunk/Source/JavaScriptCore/runtime/JSArray.cpp

    r217108 r217869  
    570570        if (newLength == butterfly->publicLength())
    571571            return true;
    572         if (newLength >= MAX_ARRAY_INDEX // This case ensures that we can do fast push.
     572        if (newLength > MAX_STORAGE_VECTOR_LENGTH // This check ensures that we can do fast push.
    573573            || (newLength >= MIN_SPARSE_ARRAY_INDEX
    574574                && !isDenseEnoughForVector(newLength, countElements()))) {
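Review bot: the comment kept on the rewritten condition, "This check ensures that we can do fast push.", describes the old `newLength >= MAX_ARRAY_INDEX` bound, not the new `newLength > MAX_STORAGE_VECTOR_LENGTH` one; the reason for the new bound, per the commit title, is that a contiguous butterfly can never be sized beyond MAX_STORAGE_VECTOR_LENGTH, so any larger length has to go sparse regardless of how dense it is. Suggest rewording the comment to say that, e.g. "A contiguous vector cannot exceed MAX_STORAGE_VECTOR_LENGTH, so larger lengths must use sparse storage." Also note the comparison moved from `>=` to `>`: newLength == MAX_STORAGE_VECTOR_LENGTH still takes the vector path, which matches "should not exceed", but the assertions added in JSObject::ensureLength and ensureLengthSlow (listed in the message, not shown in this hunk) need the same inclusive bound, or that boundary value will trip them.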