From 8a808a34c08d4e0ca109606dd8751b0d1fe53afd Mon Sep 17 00:00:00 2001
From: Mark Hahnenberg <mhahnenberg@apple.com>
Date: Thu, 6 Mar 2014 15:21:56 +0100
Subject: JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a
 check on the length of the ArrayStorage after possible reallocing it

https://bugs.webkit.org/show_bug.cgi?id=120278

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

Change-Id: I034d6950683304d08a4e076d58fb1b999ade444b
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
---
 Source/JavaScriptCore/runtime/JSObject.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Source/JavaScriptCore/runtime')

diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 47e424097..01dc96333 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -2078,8 +2078,8 @@ bool JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState* exec,
         if (LIKELY(
                 !attributes
                 && (isDenseEnoughForVector(i, storage->m_numValuesInVector))
-                && increaseVectorLength(vm, i + 1)
-                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))) {
+                && !indexIsSufficientlyBeyondLengthForSparseMap(i, storage->vectorLength()))
+                && increaseVectorLength(vm, i + 1)) {
             // success! - reread m_storage since it has likely been reallocated, and store to the vector.
             storage = arrayStorage();
             storage->m_vector[i].set(vm, this, value);
-- 
cgit v1.2.1