JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length...
author mhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Aug 2013 20:29:06 +0000 (20:29 +0000)
committer mhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Aug 2013 20:29:06 +0000 (20:29 +0000)
commit 60636327327f44eaa54f5ea106ffd40b2a34326a
tree 597f21b405ebac428588072367eb1760d4c7676d
parent f72399d3ef15193a63a553c149e5df946708b47a
JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

LayoutTests:

* fast/js/put-direct-index-beyond-vector-length-resize-expected.txt: Added.
* fast/js/put-direct-index-beyond-vector-length-resize.html: Added.
* fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/put-direct-index-beyond-vector-length-resize.html [new file with mode: 0644]
LayoutTests/fast/js/script-tests/put-direct-index-beyond-vector-length-resize.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp