JavaScriptCore-1097.13.tar.gz

diff --git a/runtime/ArrayPrototype.cpp b/runtime/ArrayPrototype.cpp
index 62f845d34ff1fcd8ee658501cec5447070d90930..4b8561de39d92f8132d67c67c3e1cf9f8d95d78a 100644 (file)
--- a/runtime/ArrayPrototype.cpp
+++ b/runtime/ArrayPrototype.cpp
@@ -235,7 +235,7 @@ static inline void unshift(ExecState* exec, JSObject* thisObj, unsigned header,
 
     if (!header && isJSArray(thisObj)) {
         JSArray* array = asArray(thisObj);
-        if (array->length() == length && array->unshiftCount(exec, count))
+        if (array->length() == length && asArray(thisObj)->unshiftCount(exec, count))
             return;
     }
 

diff --git a/runtime/JSArray.cpp b/runtime/JSArray.cpp
index adcb8fc33c54ecf6387e211caa8186a52dc34a18..00e009e1333a27cabf5e45fcb22745343d4391aa 100644 (file)
--- a/runtime/JSArray.cpp
+++ b/runtime/JSArray.cpp
@@ -1310,6 +1310,7 @@ bool JSArray::shiftCount(ExecState*, unsigned count)
     ArrayStorage* storage = m_storage;
     
     unsigned oldLength = storage->m_length;
+    ASSERT(count <= oldLength);
     
     // If the array contains holes or is otherwise in an abnormal state,
     // use the generic algorithm in ArrayPrototype.
@@ -1349,6 +1350,8 @@ bool JSArray::unshiftCount(ExecState* exec, unsigned count)
     if (length != storage->m_numValuesInVector || inSparseMode())
         return false;
 
+    ASSERT(count <= length);
+
     if (m_indexBias >= count) {
         m_indexBias -= count;
         char* newBaseStorage = reinterpret_cast<char*>(storage) - count * sizeof(WriteBarrier<Unknown>);