From 33b26980cb24288b5a9f2590ccf32a949281bb79 Mon Sep 17 00:00:00 2001
From: Simon Hausmann <simon.hausmann@digia.com>
Date: Wed, 26 Sep 2012 10:42:44 +0200
Subject: Imported WebKit commit c596dd7f03007fa7ed896b928106497e8784b3b5
 (http://svn.webkit.org/repository/webkit/trunk@129610)

New snapshot that removes QtQuick1 support (to be moved into QtQuick1 module)
---
 Source/JavaScriptCore/runtime/JSArray.cpp | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Source/JavaScriptCore/runtime/JSArray.cpp')

diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 609781c65..8398ae77d 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -499,6 +499,7 @@ bool JSArray::shiftCount(ExecState* exec, unsigned count)
     ArrayStorage* storage = ensureArrayStorage(exec->globalData());
     
     unsigned oldLength = storage->length();
+    ASSERT(count <= oldLength);
     
     // If the array contains holes or is otherwise in an abnormal state,
     // use the generic algorithm in ArrayPrototype.
-- 
cgit v1.2.1