Array.prototype.slice() should ensure that end >= begin.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 23:45:45 +0000 (23:45 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 23:45:45 +0000 (23:45 +0000)
commite8ad1628d17ca38305805ec5208792eb2715c513
tree65ced087b578257a0fdbca543f6cfd8943933765
parentad09471987bdf4700872658344c7ad6af357f446
Array.prototype.slice() should ensure that end >= begin.
https://bugs.webkit.org/show_bug.cgi?id=170989
<rdar://problem/31705652>

Reviewed by Saam Barati.

JSTests:

* stress/regress-170989.patch: Added.

Source/JavaScriptCore:

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSlice):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215768 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-170989.patch [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp