Changeset 233217 in webkit
- Timestamp:
- Jun 26, 2018 1:37:30 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 3 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
JSTests/stress/regress-187060.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r233167 r233217 1 2018-06-26 Mark Lam <mark.lam@apple.com> 2 3 ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow(). 4 https://bugs.webkit.org/show_bug.cgi?id=187060 5 <rdar://problem/41452767> 6 7 Reviewed by Keith Miller. 8 9 * stress/regress-187060.js: Added. 10 1 11 2018-06-25 Mark Lam <mark.lam@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r233213 r233217 1 2018-06-26 Mark Lam <mark.lam@apple.com> 2 3 ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow(). 4 https://bugs.webkit.org/show_bug.cgi?id=187060 5 <rdar://problem/41452767> 6 7 Reviewed by Keith Miller. 8 9 JSObject::ensureLengthSlow() may be called only because it needs to do a copy on 10 write conversion. Hence, we can return early after the conversion if the vector 11 length is already sufficient to cover the requested length. 12 13 * runtime/JSObject.cpp: 14 (JSC::JSObject::ensureLengthSlow): 15 1 16 2018-06-26 Commit Queue <commit-queue@webkit.org> 2 17 -
trunk/Source/JavaScriptCore/runtime/JSObject.cpp
r233122 r233217 3263 3263 bool JSObject::ensureLengthSlow(VM& vm, unsigned length) 3264 3264 { 3265 if (isCopyOnWrite(indexingMode())) 3265 if (isCopyOnWrite(indexingMode())) { 3266 3266 convertFromCopyOnWrite(vm); 3267 if (m_butterfly->vectorLength() >= length) 3268 return true; 3269 } 3267 3270 3268 3271 Butterfly* butterfly = this->butterfly();
Note: See TracChangeset
for help on using the changeset viewer.
