summaryrefslogtreecommitdiffstats
path: root/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp')
-rw-r--r--src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp b/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
index d3ef44c..ae9e038 100644
--- a/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
@@ -948,10 +948,10 @@ void JSArray::fillArgList(ExecState* exec, MarkedArgumentBuffer& args)
void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
{
- ASSERT(m_storage->m_length == maxSize);
+ ASSERT(m_storage->m_length >= maxSize);
UNUSED_PARAM(maxSize);
JSValue* vector = m_storage->m_vector;
- unsigned vectorEnd = min(m_storage->m_length, m_vectorLength);
+ unsigned vectorEnd = min(maxSize, m_vectorLength);
unsigned i = 0;
for (; i < vectorEnd; ++i) {
JSValue& v = vector[i];
@@ -960,7 +960,7 @@ void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSiz
buffer[i] = v;
}
- for (; i < m_storage->m_length; ++i)
+ for (; i < maxSize; ++i)
buffer[i] = get(exec, i);
}
generated by cgit v0.12 at 2024-07-16 12:39:04 (GMT)