author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Tue, 3 May 2016 21:42:44 +0000 (21:42 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Tue, 3 May 2016 21:42:44 +0000 (21:42 +0000)
commit: bd824efac6aef867ab18af7ec79ccbd4b3722a27
tree: 969085c8380b36652d7b06393a1e2caa4835c89d
parent: abf66d9461f6483181295a986f469cb83e836753
Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated
https://bugs.webkit.org/show_bug.cgi?id=157322

Reviewed by Filip Pizlo.

Check to see if the source array has changed length before calling fastSlice().
If it has, take the slow path.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSplice):
* tests/stress/regress-157322.js: New test.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200387 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/tests/stress/regress-157322.js [new file with mode: 0644]
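The ordering the commit message describes (capture the length, convert the arguments, then re-check the length before committing to the fast path) is easiest to see in a small model. The block below is an added example, not code from WebKit or from this commit: it is plain JavaScript rather than JSC's C++, the functions `fastSlice`, `slowSlice`, `sliceUnchecked`, `sliceChecked` and `makeTruncatingEnd` are names assumed for the model, and the "fast path" is a loop that trusts a previously captured length instead of copying engine-internal storage. The constructed input is an `end` argument whose `valueOf` shortens the source array during argument conversion, which is the window the fix closes.

```javascript
// Added example (not WebKit code): models the time-of-check/time-of-use
// ordering fixed in this commit. Real JSC fastSlice() copies backing
// storage assuming the earlier-observed length is still valid; here the
// "fast path" is a loop that trusts a captured length, and the "slow path"
// re-reads the array through ordinary, bounds-checked property access.

// Mimics ECMAScript ToIntegerOrInfinity: converting an argument can run
// user code (valueOf / toString), and that user code may mutate the array.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  return Math.trunc(n);
}

// Resolve a relative index against a length, as Array.prototype.slice does.
function clampIndex(rel, len) {
  return rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
}

// "Fast path": trusts [from, to) computed from a length captured earlier.
// If the array shrank in between, the reads run past the current end; in
// the real engine that is an out-of-bounds read of the backing store, in
// this model it shows up as undefined holes in the result.
function fastSlice(arr, from, to) {
  const out = new Array(to - from);
  for (let i = from; i < to; i++) out[i - from] = arr[i];
  return out;
}

// Slow path: generic and bounds-checked on every element.
function slowSlice(arr, from, to) {
  const out = [];
  for (let i = from; i < to; i++) {
    if (i in arr) out.push(arr[i]);
  }
  return out;
}

// Pre-fix ordering: capture the length, convert the arguments (which can
// run user code), then take the fast path without looking at the length again.
function sliceUnchecked(arr, start, end) {
  const length = arr.length;                                   // time of check
  const from = clampIndex(toInteger(start), length);
  const to = end === undefined ? length : clampIndex(toInteger(end), length);
  return fastSlice(arr, from, to);                             // time of use
}

// Post-fix ordering: identical conversion, but the length is re-read before
// the fast path is entered; on any change the slow path is taken instead.
function sliceChecked(arr, start, end) {
  const length = arr.length;
  const from = clampIndex(toInteger(start), length);
  const to = end === undefined ? length : clampIndex(toInteger(end), length);
  if (arr.length !== length) {
    // Source array changed length during argument conversion: slow path,
    // with the bounds clamped to the array as it is now.
    return slowSlice(arr, Math.min(from, arr.length), Math.min(to, arr.length));
  }
  return fastSlice(arr, from, to);
}

// Constructed input (assumed, not from the page): an `end` argument whose
// valueOf truncates the source array while arguments are being converted.
function makeTruncatingEnd(arr, newLength, value) {
  return { valueOf() { arr.length = newLength; return value; } };
}

// Runs both orderings on the same constructed input and returns the results.
function demo() {
  const a = [1, 2, 3, 4, 5, 6];
  const unchecked = sliceUnchecked(a, 0, makeTruncatingEnd(a, 2, 6));
  const b = [1, 2, 3, 4, 5, 6];
  const checked = sliceChecked(b, 0, makeTruncatingEnd(b, 2, 6));
  return { unchecked, checked };
}
```

`demo()` returns a six-element result full of `undefined` holes for the unchecked ordering (the model's stand-in for the out-of-bounds read) and `[1, 2]` for the checked ordering, which is what the generic slice algorithm produces for an array of length 2. The same re-check applies to splice: any fast path that relies on a length observed before user-visible code ran must confirm that length has not moved before it touches storage.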