Array Storage operations sometimes did not update the indexing mask correctly.
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Jan 2018 20:58:31 +0000 (20:58 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 4 Jan 2018 20:58:31 +0000 (20:58 +0000)
commit71c444bd446bc5e7e8fee9782dcef7b9fa07784f
treef43d0fe732b675684855ed4ae34e11d3fcd3f01f
parent8af2325d845bbb34b89e0f2579d44a1b92275579
Array Storage operations sometimes did not update the indexing mask correctly.
https://bugs.webkit.org/show_bug.cgi?id=181301

Reviewed by Mark Lam.

I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226416 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSObject.cpp