Array.prototype.indexOf fast path needs to ensure the length is still valid after...
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 24 Sep 2018 23:05:54 +0000 (23:05 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 24 Sep 2018 23:05:54 +0000 (23:05 +0000)
commit 6f9d919d0379d7d3655266eaafc135d75d4a6736
tree 6fb8ee434fdd56badffbef9044f7a39860523b10
parent da62128e079e55e8c2f1087399b6758d58c29678
Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
https://bugs.webkit.org/show_bug.cgi?id=189922
<rdar://problem/44651275>

Reviewed by Mark Lam.

JSTests:

* stress/array-indexof-fast-path-effects.js: Added.
* stress/array-indexof-cached-length.js: Added.

Source/JavaScriptCore:

The implementation was first getting the length to iterate up to,
then getting the starting index. However, getting the starting
index may perform effects. E.g., it could change the length of the
array. This changes it so we verify the length is still valid.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncIndexOf):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236437 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/array-indexof-cached-length.js [new file with mode: 0644]
JSTests/stress/array-indexof-fast-path-effects.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
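
The ordering problem described in the commit message, as an added JavaScript model (not JavaScriptCore code and not part of this commit). `ModelArray`, `rawRead`, `toStartIndex`, the two `indexOf*` functions and `shrinkingIndex` are hypothetical names, and clamping to the live length is one assumed way to revalidate, not necessarily what the patch does.

```javascript
// Simplified model, not JavaScriptCore code. `storage` stands in for the
// native backing store; rawRead() has no bounds check of its own, so the
// model throws where native code would read past the allocation.
class ModelArray {
  constructor(items) { this.storage = items.slice(); }
  get length() { return this.storage.length; }
  set length(n) { this.storage.length = n; }
  rawRead(i) {
    if (i >= this.storage.length) throw new RangeError(`out-of-bounds read at ${i}`);
    return this.storage[i];
  }
}

// Converting fromIndex calls valueOf(), i.e. arbitrary user code ("effects").
function toStartIndex(fromIndex, length) {
  const n = Math.trunc(Number(fromIndex)) || 0;
  return n >= 0 ? Math.min(n, length) : Math.max(length + n, 0);
}

// Before: length is read once, effects run, then the stale length bounds the loop.
function indexOfCachedLength(arr, search, fromIndex) {
  const length = arr.length;
  const start = toStartIndex(fromIndex, length);
  for (let i = start; i < length; i++)
    if (arr.rawRead(i) === search) return i;
  return -1;
}

// After: re-check the length once effects are done and clamp to the live value.
function indexOfRevalidated(arr, search, fromIndex) {
  const length = arr.length;
  const start = toStartIndex(fromIndex, length);
  const end = Math.min(length, arr.length); // assumed revalidation step
  for (let i = start; i < end; i++)
    if (arr.rawRead(i) === search) return i;
  return -1;
}

// Constructed input: a fromIndex argument that shrinks the array while being converted.
function shrinkingIndex(arr) {
  return { valueOf() { arr.length = 1; return 0; } };
}
```
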