Title: [214522] branches/safari-603-branch/Source/_javascript_Core
- Revision
- 214522
- Author
- jmarc...@apple.com
- Date
- 2017-03-28 20:28:28 -0700 (Tue, 28 Mar 2017)
Log Message
Merge r214374. rdar://problem/31249971
Modified Paths
Diff
Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (214521 => 214522)
--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-03-29 03:28:26 UTC (rev 214521)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-03-29 03:28:28 UTC (rev 214522)
@@ -1,5 +1,22 @@
2017-03-28 Jason Marcell <jmarc...@apple.com>
+ Merge r214374. rdar://problem/31249971
+
+ 2017-03-24 Mark Lam <mark....@apple.com>
+
+ Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
+ https://bugs.webkit.org/show_bug.cgi?id=170064
+ <rdar://problem/31246098>
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastSlice):
+
+2017-03-28 Jason Marcell <jmarc...@apple.com>
+
Merge r212310. rdar://problem/30922106
2017-02-14 Mark Lam <mark....@apple.com>
Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (214521 => 214522)
--- branches/safari-603-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2017-03-29 03:28:26 UTC (rev 214521)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2017-03-29 03:28:28 UTC (rev 214522)
@@ -1303,7 +1303,12 @@
return JSValue::encode(result);
}
- Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
+ JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
+ Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(type);
+ if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+ return JSValue::encode(jsNull());
+
+ ASSERT(!lexicalGlobalObject->isHavingABadTime());
JSArray* result = JSArray::tryCreateUninitialized(vm, resultStructure, resultSize);
if (UNLIKELY(!result)) {
throwOutOfMemoryError(exec, scope);
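Review bot: The new bail-out `if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))` has no comment explaining why an ArrayStorage result structure must leave the fast path, and the same uncommented lines are added to JSC::JSArray::fastSlice in JSArray.cpp. Going by the ChangeLog entry, the copy later in this function cannot handle the structure handed back while the global object is having a bad time, so I would put `// Having a bad time: the result structure uses ArrayStorage, which the memcpy fast path cannot fill. Decline the fast path.` above the check in both places. `ASSERT` is compiled out of release builds, so the `if` is the only guard that ships; a short remark next to the assertion would stop anyone from folding the two together or moving the check after `tryCreateUninitialized`. The enclosing function starts and ends outside this hunk, so the memcpy itself and the caller's handling of the null result are not visible here.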
Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSArray.cpp (214521 => 214522)
--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSArray.cpp 2017-03-29 03:28:26 UTC (rev 214521)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSArray.cpp 2017-03-29 03:28:28 UTC (rev 214522)
@@ -855,7 +855,12 @@
if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
return nullptr;
- Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+ JSGlobalObject* lexicalGlobalObject = exec.lexicalGlobalObject();
+ Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+ if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+ return nullptr;
+
+ ASSERT(!lexicalGlobalObject->isHavingABadTime());
JSArray* resultArray = JSArray::tryCreateUninitialized(vm, resultStructure, count);
if (!resultArray)
return nullptr;
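Review bot: `return nullptr` now has three meanings in this stretch of fastSlice (count too large or holes forwarding to the prototype, an ArrayStorage result structure, and a failed `tryCreateUninitialized`), and nothing here tells the caller which one it got. If every caller treats nullptr as "fast path declined, use the generic slice", a one-line comment at the new check such as `// nullptr means "not handled here"; the caller must fall back to the generic path.` would record that contract. The ArrayPrototype.cpp hunk in this commit, by contrast, throws an out-of-memory error on allocation failure. The function's signature and its callers are outside the hunk, so this should be confirmed against them.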