authorSimon Hausmann <simon.hausmann@nokia.com>2010-07-29 20:09:00 (GMT)
committerSimon Hausmann <simon.hausmann@nokia.com>2010-07-29 20:09:00 (GMT)
commit73595a315989581e2f59b28af5d150d39ea6b8ff (patch)
treece06fcf2f8e773bcdb1b1394e4f1ab0e15831b33 /src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
parent12e5d8897fbd60def1dd38608c1cd3f0d1d4317b (diff)
Updated WebKit to e6e692bb056670e2781dd0bc473a60757ae53992
Backported various crash fixes
Diffstat (limited to 'src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp')
-rw-r--r--src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp b/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
index d3ef44c..ae9e038 100644
--- a/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
@@ -948,10 +948,10 @@ void JSArray::fillArgList(ExecState* exec, MarkedArgumentBuffer& args)
void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
{
- ASSERT(m_storage->m_length == maxSize);
+ ASSERT(m_storage->m_length >= maxSize);
UNUSED_PARAM(maxSize);
JSValue* vector = m_storage->m_vector;
- unsigned vectorEnd = min(m_storage->m_length, m_vectorLength);
+ unsigned vectorEnd = min(maxSize, m_vectorLength);
unsigned i = 0;
for (; i < vectorEnd; ++i) {
JSValue& v = vector[i];
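Review bot: `UNUSED_PARAM(maxSize);` is stale now that `min(maxSize, m_vectorLength)` reads the parameter in every build, and it should be dropped so the code does not suggest that maxSize matters only to the assertion. The precondition `m_storage->m_length >= maxSize` is checked only by ASSERT, which is normally compiled out of release builds, so a comment above the function should state that callers must pass the number of Register slots actually available in `buffer` and that this count must not exceed the array length. copyToRegisters continues past this hunk into the next one.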
@@ -960,7 +960,7 @@ void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSiz
buffer[i] = v;
}
- for (; i < m_storage->m_length; ++i)
+ for (; i < maxSize; ++i)
buffer[i] = get(exec, i);
}
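Review bot: The tail loop `for (; i < maxSize; ++i)` is what keeps the remaining writes inside `buffer`, and nothing in the code says so; I would add a comment above it such as `// Bound by maxSize, the caller's buffer capacity, never by m_length.` so a later cleanup does not switch the bound back. `get(exec, i)` may run arbitrary lookup code for holes (inferred, the callee is not visible here), in which case the array length can differ from what the caller measured, which is why the bound has to stay caller-supplied. The loop also does not check for a pending exception after `get`; confirm that the callers handle that. This hunk starts inside copyToRegisters, whose opening is in the previous hunk.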