diff --git a/WKC/WebKit/WKC/webkit/WKCVersion.h b/WKC/WebKit/WKC/webkit/WKCVersion.h
index 5d5631a86..73447974a 100755
--- a/WKC/WebKit/WKC/webkit/WKCVersion.h
+++ b/WKC/WebKit/WKC/webkit/WKCVersion.h
@@ -29,7 +29,7 @@
 #define WKC_VERSION_CHECK(major, minor, micro) \
 (((major)*10000) + ((minor)*100) + (micro)) >= ((WKC_VERSION_MAJOR*10000) + (WKC_VERSION_MINOR*100) + (WKC_VERSION_MICRO))
-#define WKC_CUSTOMER_RELEASE_VERSION "0.6.9"
+#define WKC_CUSTOMER_RELEASE_VERSION "0.6.10"
 #define WKC_WEBKIT_VERSION "601.6"
diff --git a/webkit/JavaScriptCore/runtime/JSArray.cpp b/webkit/JavaScriptCore/runtime/JSArray.cpp
index 168d3648e..f5d0e13e0 100755
--- a/webkit/JavaScriptCore/runtime/JSArray.cpp
+++ b/webkit/JavaScriptCore/runtime/JSArray.cpp
@@ -688,7 +688,12 @@ JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count
 if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
 return nullptr;
- Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+ JSGlobalObject* lexicalGlobalObject = exec.lexicalGlobalObject();
+ Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(arrayType);
+ if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+ return nullptr;
+
+ ASSERT(!lexicalGlobalObject->isHavingABadTime());
 JSArray* resultArray = JSArray::tryCreateUninitialized(vm, resultStructure, count);
 if (!resultArray)
 return nullptr;
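Review bot: The new early return in fastSlice carries no comment saying why an array-storage result structure must bail out, and the same bare check appears again in the fastConcatWith hunk. Above the `if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))` line I would add `// If the global object is having a bad time its array structures use ArrayStorage, which the uninitialized fast-path fill cannot populate safely; return nullptr so no fast result is produced.` The fill itself and the caller's handling of `nullptr` lie outside this hunk, so that wording should be checked against them. It is also worth noting beside the `ASSERT(!lexicalGlobalObject->isHavingABadTime())` that it is compiled out of release builds, so the runtime check is the guard that matters and must stay ahead of `tryCreateUninitialized`.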
@@ -718,7 +723,12 @@ EncodedJSValue JSArray::fastConcatWith(ExecState& exec, JSArray& otherArray)
 unsigned otherArraySize = otherArray.m_butterfly->publicLength();
 ASSERT(thisArraySize + otherArraySize < MIN_SPARSE_ARRAY_INDEX);
- Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(newArrayType);
+ JSGlobalObject* lexicalGlobalObject = exec.lexicalGlobalObject();
+ Structure* resultStructure = lexicalGlobalObject->arrayStructureForIndexingTypeDuringAllocation(newArrayType);
+ if (UNLIKELY(hasAnyArrayStorage(resultStructure->indexingType())))
+ return JSValue::encode(throwOutOfMemoryError(&exec));
+
+ ASSERT(!lexicalGlobalObject->isHavingABadTime());
 JSArray* resultArray = JSArray::tryCreateUninitialized(vm, resultStructure, thisArraySize + otherArraySize);
 if (!resultArray)
 return JSValue::encode(throwOutOfMemoryError(&exec));
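Review bot: The added early return in fastConcatWith throws an out-of-memory error for a condition that is not memory exhaustion: it fires when the result structure uses ArrayStorage, before anything has been allocated. The parallel check in fastSlice returns `nullptr` instead, so here a concat in a realm that is having a bad time would presumably surface to script as a spurious exception rather than a correct result. If the caller has a generic concat path, I would make this decision where the fast path is selected (skip fastConcatWith when `hasAnyArrayStorage(...)` holds for the result structure), which keeps the memory-safety guard and preserves behaviour. The caller and the start of fastConcatWith are outside this hunk, so that needs confirming; at minimum a comment such as `// Not a real OOM: there is no fast path for ArrayStorage results, so fail closed.` should mark the choice.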