JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last...
authormhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Sep 2013 22:41:00 +0000 (22:41 +0000)
committermhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 9 Sep 2013 22:41:00 +0000 (22:41 +0000)
commit8d9ce6ba2363e148677ff923eab9fa555e1c61b2
tree2109976831b8e8941c22326451dffa2b581faf51
parent1cc4a532905829d8bbb42c2bad1c69ecce63f12b
JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector
https://bugs.webkit.org/show_bug.cgi?id=120389

Reviewed by Michael Saboff.

Went through and cleaned up shiftCountWithArrayStorage. Gave meaningful variable names
and commented the confusing parts. This led to realizing how to fix this bug, which has
been done. The issue was that we were modifying the vector length unconditionally, even
when we weren't logically changing the length of the vector. Instead, we should only modify
the vector length when we modify the index bias.

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@155395 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/Heap.cpp
Source/JavaScriptCore/runtime/JSArray.cpp