From 3d3acb549a2a5ea5c22a690c1bfb064de2a96263 Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@gmail.com>
Date: Wed, 10 Aug 2016 15:46:30 +0200
Subject: [PATCH] Crash fix: Fix array splice implementation.

---
 js/src/jsarray.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index b4ff057b93..3d19f7f9a3 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2542,7 +2542,7 @@ js::array_splice_impl(JSContext* cx, unsigned argc, Value* vp, bool returnValueI
             Rooted<ArrayObject*> arr(cx, &obj->as<ArrayObject>());
             if (arr->lengthIsWritable()) {
                 NativeObject::EnsureDenseResult res =
-                    arr->ensureDenseElements(cx, arr->length(), itemCount - actualDeleteCount);
+                    arr->ensureDenseElements(cx, len, itemCount - actualDeleteCount);
                 if (res == NativeObject::ED_FAILED)
                     return false;
             }