WebKit GIT trees - WebKit-https.git/commit

[JSC] Array.prototype.reverse modifies JSImmutableButterfly
https://bugs.webkit.org/show_bug.cgi?id=188794

Reviewed by Saam Barati.

JSTests:

* stress/reverse-with-immutable-butterfly.js: Added.
(shouldBe):
(reverseInt):
(reverseDouble):
(reverseContiguous):

Source/JavaScriptCore:

While Array.prototype.reverse modifies the butterfly of the given Array,
it does not account JSImmutableButterfly case. So it accidentally modifies
the content of JSImmutableButterfly.
This patch converts CoW arrays to writable arrays before reversing.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncReverse):
* runtime/JSObject.h:
(JSC::JSObject::ensureWritable):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235356 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	yusukesuzuki@slowstart.org <yusukesuzuki@slowstart.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Mon, 27 Aug 2018 08:31:43 +0000 (08:31 +0000)
committer	yusukesuzuki@slowstart.org <yusukesuzuki@slowstart.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Mon, 27 Aug 2018 08:31:43 +0000 (08:31 +0000)
commit	d208a754a7da42a0ca6c5656d4e71b66f37ecd80
tree	3cacdff8bc5c9a383bf23d4a2163a659f7b9accd	tree \| snapshot
parent	176eca6255a1199e37cc857817354f8712355042	commit \| diff

JSTests/ChangeLog		diff \| blob \| history
JSTests/stress/reverse-with-immutable-butterfly.js	[new file with mode: 0644]	blob
Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/runtime/ArrayPrototype.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/JSArray.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/JSArrayInlines.h		diff \| blob \| history
Source/JavaScriptCore/runtime/JSObject.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/JSObject.h		diff \| blob \| history