Changeset 222598 in webkit for trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h

Timestamp:

Sep 27, 2017, 9:19:13 PM (8 years ago)

Author:

[email protected]

Message:

JSArray::canFastCopy() should fail if the source and destination arrays are the same.
​https://bugs.webkit.org/show_bug.cgi?id=177584
<rdar://problem/34463903>

Reviewed by Saam Barati.

JSTests:

• stress/regress-177584.js: Added.

(assertEqual):
(Array.prototype.Symbol.species):

Source/JavaScriptCore:

If the source and destination arrays are the same, we may be copying overlapping
regions. Hence, we need to take the slow path.

• runtime/JSArrayInlines.h:

(JSC::JSArray::canFastCopy):

File:

• trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h

@@ -59 +59 @@
 inline bool JSArray::canFastCopy(VM& vm, JSArray* otherArray)
 {
+    if (otherArray == this)
+        return false;
     if (hasAnyArrayStorage(indexingType()) || hasAnyArrayStorage(otherArray->indexingType()))
         return false;