commit 7efa84cff7c167101d853de06141b2f80112a3cc
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Jun 24 08:14:14 2015 +0000
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Jun 24 08:14:14 2015 +0000
tree 43f2e5445639f2c2ebefb4f854d7cb34cc2966ee
parent 9b6fd93bb8b6c353f69771afab6c9aa5e437dd53

2015-06-24  Darin Adler  <darin@apple.com>

        Fix Array.concat with RuntimeArray (regression from my last patch)

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty): Added comment about use of
        JSArray::length here that is incorrect (in a really non-obvious way).
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

        * runtime/JSArray.h: Added a comment explaining that it is not always
        safe to use JSArray::length.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@185904 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/runtime/JSArray.h

diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index af061507..72c4030 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -66,9 +66,11 @@
     JS_EXPORT_PRIVATE static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
 
     DECLARE_EXPORT_INFO;
-        
+
+    // OK if we know this is a JSArray, but not if it could be an object of a derived class; for RuntimeArray this always returns 0.
     unsigned length() const { return getArrayLength(); }
-    // OK to use on new arrays, but not if it might be a RegExpMatchArray.
+
+    // OK to use on new arrays, but not if it might be a RegExpMatchArray or RuntimeArray.
     JS_EXPORT_PRIVATE bool setLength(ExecState*, unsigned, bool throwException = false);
 
     JS_EXPORT_PRIVATE void push(ExecState*, JSValue);