Commit 200865d6 authored by mhahnenberg@apple.com

JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

LayoutTests: 

* fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
* fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
* fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 2a2ee96e
2013-08-26 Mark Hahnenberg <mhahnenberg@apple.com>
JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
https://bugs.webkit.org/show_bug.cgi?id=120278
Reviewed by Geoffrey Garen.
* fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
* fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
* fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.
2013-08-24 Sam Weinig <sam@webkit.org>
Add support for Promises
Make sure we don't crash when doing a put-direct-index beyond the vector length of a normal JSObject.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS o[0] is "foo"
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE html>
<html>
<head>
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<script src="script-tests/put-direct-index-beyond-vector-length-resize.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
description(
"Make sure we don't crash when doing a put-direct-index beyond the vector length of a normal JSObject."
);
var o = {};
for (var i = 0; i < 100005; i += 3)
Object.defineProperty(o, i, {enumerable:true, writable:true, configurable:true, value:"foo"});
shouldBe("o[0]", "\"foo\"");
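Review bot: the only assertion in this test, `shouldBe("o[0]", "\"foo\"")`, checks an index written by the first loop iteration, before any vector growth has happened, so a store to the wrong slot after reallocation would still pass as long as nothing crashed. The loop's last write is to index 100002 (the largest multiple of 3 below 100005); adding `shouldBe("o[100002]", "\"foo\"")` would also confirm that the post-reallocation store landed, and the expected.txt should then gain the matching PASS line.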
2013-08-25 Mark Hahnenberg <mhahnenberg@apple.com>
JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
https://bugs.webkit.org/show_bug.cgi?id=120278
Reviewed by Geoffrey Garen.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2013-08-26 Filip Pizlo <fpizlo@apple.com>
Fix indention of Executable.h.
......@@ -2057,8 +2057,8 @@ bool JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState* exec,
if (LIKELY(
!attributes
&& (isDenseEnoughForVector(i, storage->m_numValuesInVector))
&& increaseVectorLength(vm, i + 1)
&& !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))) {
&& !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))
&& increaseVectorLength(vm, i + 1)) {
// success! - reread m_storage since it has likely been reallocated, and store to the vector.
storage = arrayStorage();
storage->m_vector[i].set(vm, this, value);
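Review bot: the reordering is the right fix, but it changes what the sparse-map check compares against and the ChangeLog entry under runtime/JSObject.cpp names only the function without saying so. In the old order `increaseVectorLength(vm, i + 1)` ran first and could reallocate the ArrayStorage, after which `storage->vectorLength()` was read through the stale `storage` pointer; the new order reads `storage->vectorLength()` while `storage` is still live and only then grows the vector, which is why the `storage = arrayStorage();` reread right after the condition is sufficient. The consequence is that `indexIsSufficientlyBeyondLengthForSparseMap` now evaluates against the pre-growth vector length rather than the grown one, so some indices may now be routed differently; one sentence in the ChangeLog stating that the check is intentionally done against the current length before growth would document the decision.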