Array.prototype.splice behaves incorrectly when the VM is "having a bad time".
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Mar 2017 04:53:37 +0000 (04:53 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 24 Mar 2017 04:53:37 +0000 (04:53 +0000)
commit5ff9c8c034b0de50c20ee3a0d8ef6bf505411fd3
treeb8e8024f403632470d56a91463c423fed2019caa
parent4ba9548ad375764f6faa01277930819092f61142
Array.prototype.splice behaves incorrectly when the VM is "having a bad time".
https://bugs.webkit.org/show_bug.cgi?id=170025
<rdar://problem/31228679>

Reviewed by Saam Barati.

* runtime/ArrayPrototype.cpp:
(JSC::copySplicedArrayElements):
(JSC::arrayProtoFuncSplice):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@214334 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp