unshift should zero unused property storage
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 23 Jun 2018 05:27:44 +0000 (05:27 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 23 Jun 2018 05:27:44 +0000 (05:27 +0000)
commit ed82016b7b44274ae6db400b3ee620342488d6c0
tree ceaa299a72f7f2c908cd4f697c994bf0cabb790d
parent 5cb2ad464607851190e0b4192775ceb216b36c38
unshift should zero unused property storage
https://bugs.webkit.org/show_bug.cgi?id=186960

Reviewed by Saam Barati.

JSTests:

* stress/array-unshift-zero-property-storage.js: Added.
(run):
(test):

Source/JavaScriptCore:

Also, this patch adds the zeroed unused property storage assertion
to one more place it was missing.

* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233121 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/array-unshift-zero-property-storage.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSObjectInlines.h