ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 26 Jun 2018 20:37:30 +0000 (20:37 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 26 Jun 2018 20:37:30 +0000 (20:37 +0000)
commit    b453a59f0cab9347a98fd58f5af1fe9ca7ac3096
tree      750ff60e049aa7626ac2a65febf25db87a2f94ce
parent    c2a1ee3d06181a9989f83e59aa9eb4a01d6254fc
ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
https://bugs.webkit.org/show_bug.cgi?id=187060
<rdar://problem/41452767>

Reviewed by Keith Miller.

JSTests:

* stress/regress-187060.js: Added.

Source/JavaScriptCore:

JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
write conversion.  Hence, we can return early after the conversion if the vector
length is already sufficient to cover the requested length.

* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233217 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-187060.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp
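The commit message describes a slow path that is reached for two different reasons (a copy-on-write conversion is needed, or the vector is genuinely too short) but asserts the precondition of only the second. The following is an added, simplified model of that defect and of the early return the commit introduces; it is not JavaScriptCore's JSObject or Butterfly code, and the type names, `copyOnWrite` flag, `convertFromCopyOnWrite()` and `runScenario()` are assumptions chosen to mirror the description above. The modelled assertion reports failure by returning false rather than aborting, so both versions can be exercised side by side.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Simplified model (added illustration, not JavaScriptCore's code) of an
// object whose element storage may be shared copy-on-write.
struct Butterfly {
    std::vector<int32_t> vector;   // element storage
    bool copyOnWrite = false;      // true while shared: must be copied before any in-place mutation
    size_t vectorLength() const { return vector.size(); }
};

struct ModelObject {
    std::shared_ptr<Butterfly> butterfly;

    // Fast path: take the slow path either because the storage is copy-on-write
    // or because the vector is too short for the requested length.
    bool ensureLength(size_t length, bool fixed) {
        if (!butterfly->copyOnWrite && length <= butterfly->vectorLength())
            return true;           // nothing to do
        return fixed ? ensureLengthSlowFixed(length) : ensureLengthSlowBuggy(length);
    }

    // Replace the shared butterfly with a private copy so it can be mutated.
    void convertFromCopyOnWrite() {
        auto priv = std::make_shared<Butterfly>(*butterfly);
        priv->copyOnWrite = false;
        butterfly = priv;
    }

    void growVector(size_t length) { butterfly->vector.resize(length, 0); }

    // Before the fix: after the copy-on-write conversion the code asserts that
    // the vector really is too short. When the slow path was entered only for
    // the conversion, and the vector already covers `length`, that assertion
    // fails. Modelled here as returning false instead of aborting.
    bool ensureLengthSlowBuggy(size_t length) {
        if (butterfly->copyOnWrite)
            convertFromCopyOnWrite();
        if (!(length > butterfly->vectorLength()))
            return false;          // ASSERTION FAILED: length > butterfly->vectorLength()
        growVector(length);
        return true;
    }

    // After the fix: do the conversion, then return early if the vector length
    // is already sufficient; only otherwise continue to grow the vector.
    bool ensureLengthSlowFixed(size_t length) {
        if (butterfly->copyOnWrite)
            convertFromCopyOnWrite();
        if (length <= butterfly->vectorLength())
            return true;           // early return added by the fix
        growVector(length);
        return true;
    }
};

// Constructed input: an object whose storage is shared copy-on-write with
// `vectorLength` slots already allocated.
ModelObject makeCopyOnWriteObject(size_t vectorLength) {
    auto shared = std::make_shared<Butterfly>();
    shared->vector.assign(vectorLength, 0);
    shared->copyOnWrite = true;
    return ModelObject{shared};
}

// The scenario from the bug report: the slow path is entered only for the
// copy-on-write conversion, with a vector that is already long enough.
// Returns whether the slow path completed without tripping the assertion.
bool runScenario(bool fixed) {
    ModelObject obj = makeCopyOnWriteObject(8);
    return obj.ensureLength(4, fixed);
}

// The ordinary growth case, which both versions handle: the vector is too
// short, so the slow path must resize it. Returns the resulting vector length.
size_t vectorLengthAfterGrow(bool fixed) {
    ModelObject obj = makeCopyOnWriteObject(2);
    obj.ensureLength(16, fixed);
    return obj.butterfly->vectorLength();
}
```

The model keeps the two entry reasons explicit so the lesson is visible: a shared slow path must establish its own preconditions after handling every reason it can be reached, rather than asserting a condition that only one caller guarantees.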