-
ap@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=19294 <rdar://problem/5969062> A crash when iterating over a sparse array backwards. * kjs/array_instance.cpp: Turned sparseArrayCutoff into a macro, so that using max() on it doesn't cause a PIC branch. (KJS::ArrayInstance::increaseVectorLength): Added a comment about this function not preserving class invariants. (KJS::ArrayInstance::put): Update m_storage after reallocation. Move values that fit to the vector from the map in all code paths. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34204 268f45cc-cd09-0410-ab3c-d52691b4dbfcap@webkit.org authoredhttps://bugs.webkit.org/show_bug.cgi?id=19294 <rdar://problem/5969062> A crash when iterating over a sparse array backwards. * kjs/array_instance.cpp: Turned sparseArrayCutoff into a macro, so that using max() on it doesn't cause a PIC branch. (KJS::ArrayInstance::increaseVectorLength): Added a comment about this function not preserving class invariants. (KJS::ArrayInstance::put): Update m_storage after reallocation. Move values that fit to the vector from the map in all code paths. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34204 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Loading