+2016-02-11 Filip Pizlo <fpizlo@apple.com>
+
+ Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized()
+ https://bugs.webkit.org/show_bug.cgi?id=154126
+
+ Reviewed by Saam Barati.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSplice):
+
2016-02-11 Sukolsak Sakshuwong <sukolsak@gmail.com>
[INTL] Implement Intl.NumberFormat.prototype.resolvedOptions ()
/*
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2003, 2007, 2008, 2009, 2011, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2003, 2007-2009, 2011, 2013, 2015-2016 Apple Inc. All rights reserved.
* Copyright (C) 2003 Peter Kelly (pmk@post.com)
* Copyright (C) 2006 Alexey Proskuryakov (ap@nypop.com)
*
result = asArray(thisObj)->fastSlice(*exec, begin, deleteCount);
if (!result) {
- if (speciesResult.first == SpeciesConstructResult::CreatedObject)
+ if (speciesResult.first == SpeciesConstructResult::CreatedObject) {
result = speciesResult.second;
- else {
+
+ for (unsigned k = 0; k < deleteCount; ++k) {
+ JSValue v = getProperty(exec, thisObj, k + begin);
+ if (exec->hadException())
+ return JSValue::encode(jsUndefined());
+ result->putByIndexInline(exec, k, v, true);
+ if (exec->hadException())
+ return JSValue::encode(jsUndefined());
+ }
+ } else {
result = JSArray::tryCreateUninitialized(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), deleteCount);
if (!result)
return JSValue::encode(throwOutOfMemoryError(exec));
- }
-
- for (unsigned k = 0; k < deleteCount; ++k) {
- JSValue v = getProperty(exec, thisObj, k + begin);
- if (exec->hadException())
- return JSValue::encode(jsUndefined());
- result->initializeIndex(vm, k, v);
+
+ for (unsigned k = 0; k < deleteCount; ++k) {
+ JSValue v = getProperty(exec, thisObj, k + begin);
+ if (exec->hadException())
+ return JSValue::encode(jsUndefined());
+ result->initializeIndex(vm, k, v);
+ }
}
}
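Review bot: The fallback branch still calls `getProperty(exec, thisObj, k + begin)` between `initializeIndex` calls on the array returned by `tryCreateUninitialized`, and the `hadException()` check that follows it shows the call can run code on `thisObj` that throws (presumably getters or proxy traps). If that code can allocate or trigger a collection, the unwritten slots of `result` are still uninitialized while the object is live, and the early `return` on exception leaves it partly filled. Whether the collector tolerates that for `ArrayWithUndecided` storage is not visible in this hunk and should be confirmed. Either state the invariant above the loop, e.g. `// result is uninitialized: nothing between tryCreateUninitialized() and the last initializeIndex() may allocate or run script`, or build this array fully initialized and fill it with `putByIndexInline`, as the species branch now does. The body of `arrayProtoFuncSplice` starts and ends outside the hunk, so the computation of `begin` and `deleteCount` could not be checked.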