From a253471d7f8e4d91bf6ebabab00155c3b387d3d0 Mon Sep 17 00:00:00 2001
From: Apple
Date: Mon, 28 Jan 2013 16:48:29 +0000
Subject: [PATCH] JavaScriptCore-1097.13.tar.gz

---
 runtime/ArrayPrototype.cpp | 2 +-
 runtime/JSArray.cpp | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/runtime/ArrayPrototype.cpp b/runtime/ArrayPrototype.cpp
index 62f845d..4b8561d 100644
--- a/runtime/ArrayPrototype.cpp
+++ b/runtime/ArrayPrototype.cpp
@@ -235,7 +235,7 @@ static inline void unshift(ExecState* exec, JSObject* thisObj, unsigned header,
     if (!header && isJSArray(thisObj)) {
         JSArray* array = asArray(thisObj);
-        if (array->length() == length && array->unshiftCount(exec, count))
+        if (array->length() == length && asArray(thisObj)->unshiftCount(exec, count))
             return;
     }
diff --git a/runtime/JSArray.cpp b/runtime/JSArray.cpp
index adcb8fc..00e009e 100644
--- a/runtime/JSArray.cpp
+++ b/runtime/JSArray.cpp
@@ -1310,6 +1310,7 @@ bool JSArray::shiftCount(ExecState*, unsigned count)
     ArrayStorage* storage = m_storage;
     unsigned oldLength = storage->m_length;
+    ASSERT(count <= oldLength);
     // If the array contains holes or is otherwise in an abnormal state,
     // use the generic algorithm in ArrayPrototype.
@@ -1349,6 +1350,8 @@ bool JSArray::unshiftCount(ExecState* exec, unsigned count)
     if (length != storage->m_numValuesInVector || inSparseMode())
         return false;
+    ASSERT(count <= length);
+
     if (m_indexBias >= count) {
         m_indexBias -= count;
         char* newBaseStorage = reinterpret_cast(storage) - count * sizeof(WriteBarrier);
-- 
2.45.2
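Review bot: The new condition re-evaluates `asArray(thisObj)` although `array` on the line above already holds exactly that value, so the edit changes nothing a reader can see and leaves the motive (a compiler workaround? a stray hunk from a larger fix?) undocumented. Either restore `array->unshiftCount(exec, count)` or put a one-line comment above the `if` stating why the cast is re-derived from `thisObj` here. Note also that this call site bounds only `array->length() == length`; `count` is not visibly checked before it reaches `unshiftCount`, which is relevant given the precondition the JSArray.cpp hunks now assert. The enclosing unshift() starts and ends outside the hunk.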
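Review bot: `ASSERT(count <= oldLength)` enforces the bound only in debug builds (WebKit's ASSERT is, to my knowledge, compiled out in release), so a release build still reaches the arithmetic that follows with an unchecked `count` if any caller violates the precondition; the same applies to `ASSERT(count <= length)` in the unshiftCount hunk below. If every caller is known to guarantee the bound, say so next to the assertion, e.g. `// Callers in ArrayPrototype guarantee count <= length; checked in debug only.`; if that is not certain, a runtime bail-out such as `if (count > oldLength) return false;` sends the case to the generic ArrayPrototype path that the comment immediately below already describes, rather than relying on a debug-only check. Both shiftCount and unshiftCount continue outside their hunks, so I cannot see whether a later check already covers this.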