JSArray::canFastCopy() should fail if the source and destination arrays are the same.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Sep 2017 04:19:13 +0000 (04:19 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Sep 2017 04:19:13 +0000 (04:19 +0000)
commit 1c751f9e93dcdfc1694f03bdb41384f5e57c1af9
tree 4c9c616ad14b9822673cd977cce12a9fc0ef4d8a
parent 80822ee496e11399f5259e8ff3586e1b407020ed
JSArray::canFastCopy() should fail if the source and destination arrays are the same.
https://bugs.webkit.org/show_bug.cgi?id=177584
<rdar://problem/34463903>

Reviewed by Saam Barati.

JSTests:

* stress/regress-177584.js: Added.
(assertEqual):
(Array.prototype.Symbol.species):

Source/JavaScriptCore:

If the source and destination arrays are the same, we may be copying overlapping
regions.  Hence, we need to take the slow path.

* runtime/JSArrayInlines.h:
(JSC::JSArray::canFastCopy):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@222598 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-177584.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArrayInlines.h
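
The reasoning in the commit message (same source and destination means possibly overlapping regions, so the fast path must be refused) can be shown in a small C model. This is an added example, not WebKit code: `toy_array`, `toy_fast_copy`, `toy_can_fast_copy` and `toy_copy` are hypothetical names, and `memmove` stands in for whatever the real slow path does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for an array and its backing store (not a WebKit type).
 * Assumption: two distinct toy_array objects never share a backing store. */
typedef struct { double *data; size_t length; } toy_array;

/* Fast path that assumes disjoint regions: a plain forward element copy.
 * On overlapping regions with dst ahead of src it re-reads slots it has
 * already overwritten. */
void toy_fast_copy(double *dst, const double *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Guard modelled on the commit's rule: the same object never qualifies. */
bool toy_can_fast_copy(const toy_array *dst, const toy_array *src)
{
    return dst != src;
}

/* Copies n elements; returns 1 if the fast path ran, 0 for the slow path,
 * -1 if either range is out of bounds. */
int toy_copy(toy_array *dst, size_t dst_off,
             const toy_array *src, size_t src_off, size_t n)
{
    if (src_off > src->length || n > src->length - src_off ||
        dst_off > dst->length || n > dst->length - dst_off)
        return -1;
    if (toy_can_fast_copy(dst, src)) {
        toy_fast_copy(dst->data + dst_off, src->data + src_off, n);
        return 1;
    }
    /* Slow path: memmove is defined for overlapping regions. */
    memmove(dst->data + dst_off, src->data + src_off, n * sizeof(double));
    return 0;
}
```

Without the guard, shifting `{1, 2, 3, 4, 5}` right by one inside the same buffer through the fast path yields `{1, 1, 1, 1, 1}`; with it, the copy takes the slow path and yields `{1, 1, 2, 3, 4}`.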