The new array with spread operation needs to check for length overflows.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 16 Mar 2017 21:53:33 +0000 (21:53 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 16 Mar 2017 21:53:33 +0000 (21:53 +0000)
commit beb0a95bb0a43d1067b50c654ee5c8ffd8096387
tree 1220b9de934ccc86707fa9996b723d1d36ff5f75
parent 5de48361dde81995ae8e226291ecae5e0b6b67c6
The new array with spread operation needs to check for length overflows.
https://bugs.webkit.org/show_bug.cgi?id=169780
<rdar://problem/31072182>

Reviewed by Filip Pizlo.

* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* llint/LLIntSlowPaths.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSGlobalObject.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@214071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/ftl/FTLOperations.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.cpp