WebKit GIT trees - WebKit-https.git/commit

Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the posibility of a descriptor that doesn't have a value
https://bugs.webkit.org/show_bug.cgi?id=154175
rdar://problem/24291497

Reviewed by Geoffrey Garen.

* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnIndexedProperty): Fix the bug.
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
(JSC::SparseArrayValueMap::putDirect):
* tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196490 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 12 Feb 2016 19:50:49 +0000 (19:50 +0000)
committer	fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 12 Feb 2016 19:50:49 +0000 (19:50 +0000)
commit	893926707890b3cbc2b6033ecbfb0e51d32b3597
tree	b4bc1d24367bc2372de1a831fa50a3dce48dc437	tree \| snapshot
parent	09be1e3a6d0b1ed61fb2171b520aa36d966c3613	commit \| diff

Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/runtime/JSObject.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp		diff \| blob \| history
Source/JavaScriptCore/tests/stress/sparse-define-empty-descriptor.js	[new file with mode: 0644]	blob