Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
https://bugs.webkit.org/show_bug.cgi?id=169783
Reviewed by Saam Barati.
JSTests:
* stress/regress-169783.js: Added.
Source/JavaScriptCore:
Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
succeeds.
* dfg/DFGOperations.cpp:
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateForInitializationPrivate):
(JSC::JSArray::fastSlice):
* runtime/JSArray.h:
(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):
* runtime/RegExpMatchesArray.cpp:
(JSC::createEmptyRegExpMatchesArray):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@214313 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/runtime/RegExpMatchesArray.h b/Source/JavaScriptCore/runtime/RegExpMatchesArray.h
index 9770ed3..64ceccb 100644
--- a/Source/JavaScriptCore/runtime/RegExpMatchesArray.h
+++ b/Source/JavaScriptCore/runtime/RegExpMatchesArray.h
@@ -81,7 +81,12 @@
if (UNLIKELY(globalObject->isHavingABadTime())) {
array = JSArray::tryCreateForInitializationPrivate(vm, &deferralContext, globalObject->regExpMatchesArrayStructure(), numSubpatterns + 1);
-
+ // FIXME: we should probably throw an out of memory error here, but
+ // when making this change we should check that all clients of this
+ // function will correctly handle an exception being thrown from here.
+ // https://bugs.webkit.org/show_bug.cgi?id=169786
+ RELEASE_ASSERT(array);
+
setProperties();
array->initializeIndexWithoutBarrier(0, jsSubstringOfResolved(vm, &deferralContext, input, result.start, result.end - result.start));
