WebKit GIT trees - WebKit-https.git/commit

Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=173035
<rdar://problem/32554593>

Reviewed by Geoffrey Garen and Filip Pizlo.

JSTests:

* stress/regress-173035.js: Added.

Source/JavaScriptCore:

Also added and fixed up some assertions.

* runtime/ArrayConventions.h:
* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
* runtime/JSObject.h:
(JSC::JSObject::ensureLength):
* runtime/RegExpObject.cpp:
(JSC::collectMatches):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncSplitFast):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@217869 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 7 Jun 2017 00:28:47 +0000 (00:28 +0000)
committer	mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 7 Jun 2017 00:28:47 +0000 (00:28 +0000)
commit	a5e40e53225594c3f8212825e6b377fcd3517438
tree	5a6698c440faddb7616fcbf1cec6b6a54edf4355	tree \| snapshot
parent	193e050f0e23bb8d6e77e010f9420fdd7c048cbb	commit \| diff

JSTests/ChangeLog		diff \| blob \| history
JSTests/stress/regress-173035.js	[new file with mode: 0644]	blob
Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/runtime/ArrayConventions.h		diff \| blob \| history
Source/JavaScriptCore/runtime/JSArray.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/JSObject.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/JSObject.h		diff \| blob \| history
Source/JavaScriptCore/runtime/RegExpObject.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/RegExpPrototype.cpp		diff \| blob \| history