[webkit-reviews] review denied: [Bug 53559] [V8] Accessing DataView with index of -1 returns 0, doesn't throw : [Attachment 80988] Proposed Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Feb 2 16:14:38 PST 2011
Kenneth Russell <kbr at google.com> has denied Jian Li <jianli at chromium.org>'s
request for review:
Bug 53559: [V8] Accessing DataView with index of -1 returns 0, doesn't throw
https://bugs.webkit.org/show_bug.cgi?id=53559
Attachment 80988: Proposed Patch
https://bugs.webkit.org/attachment.cgi?id=80988&action=review
------- Additional Comments from Kenneth Russell <kbr at google.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=80988&action=review
The new tests look good, but there is one issue with the new logic. Also, do
you know why this was working in the JSC bindings and not in V8? Both fetch the
offset argument to the getters/setters using a toUInt32 operation.
> Source/WebCore/html/canvas/DataView.h:78
> + inline bool beyondRange(unsigned byteOffset) const { return byteOffset >
m_byteLength || byteOffset + sizeof(T) > m_byteLength; }
I'm pretty sure the new logic should be "byteOffset >= m_byteLength". Feel free
to correct me if I'm wrong.
More information about the webkit-reviews
mailing list