-
peterwmwong authored
- Fixes and simplify allocating the temporary fixed array for ToString-ed elements. - When the array size is greater than representable by an intptr, it overflowed into a negative value causing a non-negative assert to fail. - Simplify fallback behavior by always allocating a conservatively sized temporary fixed array. Previously, if the array had dictionary elements, the temporary fixed array was sized based on %GetNumberDictionaryNumberOfElements() and then resized when entering the fallback. - Fixes related invalid string length handling. When the running total of the resulting string length overflowed or exceeded String::kMaxLength, a RangeError is thrown. Previously, this thrown RangeError bypassed JoinStackPop and left the receiver on the stack. Bug: chromium:897404 Change-Id: I157b71ef04ab06125a5b1c3454e5ed3713bdb591 Reviewed-on: https://chromium-review.googlesource.com/c/1293070 Commit-Queue: Peter Wong <peter.wm.wong@gmail.com> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#56907}
ec969ea3
