Title: [215768] trunk
Revision
215768
Author
mark....@apple.com
Date
2017-04-25 16:45:45 -0700 (Tue, 25 Apr 2017)

Log Message

Array.prototype.slice() should ensure that end >= begin.
https://bugs.webkit.org/show_bug.cgi?id=170989
<rdar://problem/31705652>

Reviewed by Saam Barati.

JSTests:

* stress/regress-170989.patch: Added.

Source/_javascript_Core:

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSlice):

Diff

Modified: trunk/JSTests/ChangeLog (215767 => 215768)


--- trunk/JSTests/ChangeLog	2017-04-25 22:23:56 UTC (rev 215767)
+++ trunk/JSTests/ChangeLog	2017-04-25 23:45:45 UTC (rev 215768)
@@ -1,5 +1,15 @@
 2017-04-25  Mark Lam  <mark....@apple.com>
 
+        Array.prototype.slice() should ensure that end >= begin.
+        https://bugs.webkit.org/show_bug.cgi?id=170989
+        <rdar://problem/31705652>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-170989.patch: Added.
+
+2017-04-25  Mark Lam  <mark....@apple.com>
+
         Local CSE wrongly CSEs array accesses with different result types.
         https://bugs.webkit.org/show_bug.cgi?id=170990
         <rdar://problem/31705945>

Added: trunk/JSTests/stress/regress-170989.patch (0 => 215768)


--- trunk/JSTests/stress/regress-170989.patch	                        (rev 0)
+++ trunk/JSTests/stress/regress-170989.patch	2017-04-25 23:45:45 UTC (rev 215768)
@@ -0,0 +1,7 @@
+class C extends Array {}
+var c = new C();
+c.push(2,4,6);
+var result = c.slice(9,2);
+if (result.length)
+    throw ("FAILED: expected 0, actual " + result.length);
+
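Review bot: the added regression test is JavaScript but is checked in with a .patch extension (trunk/JSTests/stress/regress-170989.patch); the stress tests in this directory are .js files that the runner picks up by extension, so as named this test would never execute. Rename it to regress-170989.js and update both ChangeLog entries that reference the .patch name. While touching it, consider also asserting the plain-array case (`[2, 4, 6].slice(9, 2).length === 0`) next to the `class C extends Array` case, since the fix in arrayProtoFuncSlice sits before the species dispatch and covers both paths, and prefer `throw new Error(...)` over throwing a bare string so a failure carries a stack.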

Modified: trunk/Source/_javascript_Core/ChangeLog (215767 => 215768)


--- trunk/Source/_javascript_Core/ChangeLog	2017-04-25 22:23:56 UTC (rev 215767)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-04-25 23:45:45 UTC (rev 215768)
@@ -1,3 +1,14 @@
+2017-04-25  Mark Lam  <mark....@apple.com>
+
+        Array.prototype.slice() should ensure that end >= begin.
+        https://bugs.webkit.org/show_bug.cgi?id=170989
+        <rdar://problem/31705652>
+
+        Reviewed by Saam Barati.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSlice):
+
 2017-04-25  Don Olmstead  <don.olmst...@am.sony.com>
 
         [Win] Use Clang's __has_declspec_attribute for export macros

Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (215767 => 215768)


--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2017-04-25 22:23:56 UTC (rev 215767)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp	2017-04-25 23:45:45 UTC (rev 215768)
@@ -931,6 +931,8 @@
     RETURN_IF_EXCEPTION(scope, { });
     unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);
     RETURN_IF_EXCEPTION(scope, { });
+    if (end < begin)
+        end = begin;
 
     std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, thisObj, end - begin);
     // We can only get an exception if we call some user function.
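Review bot: the clamp `if (end < begin) end = begin;` needs a comment explaining why it is required: `begin` and `end` are each clamped independently by argumentClampedIndexFromStartOrEnd to [0, length], so a call like slice(9, 2) yields end < begin, and `end - begin` on unsigned operands wraps to a huge value that is then handed to speciesConstructArray as the length. Cite the spec step it implements (count = max(final - k, 0)) so the next reader does not remove it as redundant. Consider also computing `unsigned count = end - begin;` once after the clamp and passing `count`, rather than repeating the subtraction at each use site below.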
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes