Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 7 Jun 2017 00:28:47 +0000 (00:28 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 7 Jun 2017 00:28:47 +0000 (00:28 +0000)
commit: a5e40e53225594c3f8212825e6b377fcd3517438
tree: 5a6698c440faddb7616fcbf1cec6b6a54edf4355
parent: 193e050f0e23bb8d6e77e010f9420fdd7c048cbb
Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=173035
<rdar://problem/32554593>

Reviewed by Geoffrey Garen and Filip Pizlo.

JSTests:

* stress/regress-173035.js: Added.

Source/JavaScriptCore:

Also added and fixed up some assertions.

* runtime/ArrayConventions.h:
* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
* runtime/JSObject.h:
(JSC::JSObject::ensureLength):
* runtime/RegExpObject.cpp:
(JSC::collectMatches):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncSplitFast):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@217869 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-173035.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayConventions.h
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/RegExpObject.cpp
Source/JavaScriptCore/runtime/RegExpPrototype.cpp