[webkit-reviews] review denied: [Bug 120389] JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector : [Attachment 209836] Patch
bugzilla-daemon at webkit.org
Tue Aug 27 21:39:20 PDT 2013
Filip Pizlo <fpizlo at apple.com> has denied review:
Bug 120389: JSArray::shiftCountWithArrayStorage doesn't change indexBias when
shifting the last element in m_vector
https://bugs.webkit.org/show_bug.cgi?id=120389
Attachment 209836: Patch
https://bugs.webkit.org/attachment.cgi?id=209836&action=review
------- Additional Comments from Filip Pizlo <fpizlo at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=209836&action=review
> Source/JavaScriptCore/runtime/JSArray.cpp:729
> + return true;
> }
> +
> + storage->m_indexBias += count;
> return true;
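Review bot: the added `storage->m_indexBias += count;` sits unguarded just before the final `return true;`, so it runs on every path that does not leave through the early `return true;` above it, and the quoted context does not show that paths which already adjust the bias are excluded. Please move the adjustment into the branch that handles shifting the last element in m_vector, or guard it with that condition. A regression test for that case, checking the bias is adjusted exactly once, would also help.
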
This looks like it's introducing a new bug: the (startIndex < usedVectorLength
- (startIndex + count)) == true case already adds count to indexBias. So now
you're adding it twice.