Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
author rmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 16:03:54 +0000 (16:03 +0000)
committer rmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 16:03:54 +0000 (16:03 +0000)
commit e2f82129f9dcab873044150deeebeb1d1abac96f
tree e3e4e02649ee454cd151a2013b34af2ca058e63f
parent 7e384ec2968250e6b5db20dcdc9b17752fbea79d
Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
https://bugs.webkit.org/show_bug.cgi?id=184772
<rdar://problem/39146327>

Reviewed by Filip Pizlo.

Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
This patch now makes sure that the check correctly detects if there is an integer overflow.

* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithAnyIndexingType):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231198 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
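
The class of defect the commit message describes, shown as an added example that is not WebKit's code and not taken from this commit: a limit check on a length sum computed in unsigned 32-bit arithmetic passes when the sum wraps, while a checked addition reports the overflow first. `CheckedU32`, `fitsUnchecked`, `fitsChecked` and the value of `kMaxVectorLength` are hypothetical names and values chosen for the illustration.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical limit chosen for this example; not WebKit's constant.
constexpr uint32_t kMaxVectorLength = 0x10000000u;

// Minimal stand-in for a checked-arithmetic type: it records that an
// addition wrapped instead of silently returning the wrapped value.
class CheckedU32 {
public:
    explicit CheckedU32(uint32_t v) : m_value(v) {}
    CheckedU32& operator+=(uint32_t rhs) {
        if (rhs > std::numeric_limits<uint32_t>::max() - m_value)
            m_overflowed = true;   // sticky: later steps cannot clear it
        m_value += rhs;            // unsigned addition is modulo 2^32
        return *this;
    }
    // Writes the result only when no step overflowed.
    bool safeGet(uint32_t& out) const {
        if (m_overflowed)
            return false;
        out = m_value;
        return true;
    }
private:
    uint32_t m_value;
    bool m_overflowed = false;
};

// Unchecked form: the sum wraps before it is compared with the limit,
// so a huge oldLength plus a small count looks like a tiny new length.
bool fitsUnchecked(uint32_t oldLength, uint32_t count) {
    return oldLength + count <= kMaxVectorLength;
}

// Checked form: an overflowed sum is rejected before the limit comparison,
// and newLength is only written when the sum is exact.
bool fitsChecked(uint32_t oldLength, uint32_t count, uint32_t& newLength) {
    CheckedU32 sum(oldLength);
    sum += count;
    if (!sum.safeGet(newLength))
        return false;
    return newLength <= kMaxVectorLength;
}
```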