git://git.webkit.org / WebKit-https.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 979002a) | patch
JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse...
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 13 Feb 2016 00:07:04 +0000 (00:07 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 13 Feb 2016 00:07:04 +0000 (00:07 +0000)
commit7dbe59412aa20a2955cdde18ef6640d6401253fa
treebdc34111f2dfdea3a86e5d5c9e66957f09ea40cctree | snapshot
parent979002afed8a53ee69a8e92a8bbef32db9d4e668commit | diff
JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
https://bugs.webkit.org/show_bug.cgi?id=154201
rdar://problem/24291387

Reviewed by Saam Barati.

I decided against adding a test for this, because it runs for a very long time.

* runtime/JSObject.cpp:
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
    hit the above bug, then it would probably manifest as a spin or as swapping.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196524 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/runtime/JSObject.cpp diff | blob | history
Source/JavaScriptCore/runtime/StringPrototype.cpp diff | blob | history
Mirror of the WebKit open source project from svn.webkit.org.