[webkit-reviews] review granted: [Bug 131609] Array.prototype.concat should allocate output storage only once. : [Attachment 229273] Patch
bugzilla-daemon at webkit.org
Mon Apr 14 01:35:58 PDT 2014
Darin Adler <darin at apple.com> has granted Andreas Kling <akling at apple.com>'s
request for review:
Bug 131609: Array.prototype.concat should allocate output storage only once.
https://bugs.webkit.org/show_bug.cgi?id=131609
Attachment 229273: Patch
https://bugs.webkit.org/attachment.cgi?id=229273&action=review
------- Additional Comments from Darin Adler <darin at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=229273&action=review
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:421
> + unsigned finalArraySize = 0;
This is unsigned.
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:423
> + for (size_t i = 0; i <= argCount; ++i) {
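Review bot: the loop index here is `size_t` while the running total `finalArraySize` (line 421) is `unsigned`, and nothing in the visible lines bounds that total, so the sum can wrap silently before it reaches `constructEmptyArray`; accumulate into a `size_t` (or a checked integer type) and return a range error when the total exceeds the maximum array length, rather than truncating.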
Yet this is size_t. What guarantees we don’t overflow the unsigned?
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:428
> + curArg = exec->uncheckedArgument(i);
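Review bot: because the loop bound is `i <= argCount`, the last iteration calls `exec->uncheckedArgument(argCount)`, one past the final real argument, and the value is then discarded; guard it with `if (i < argCount)` (or loop to `< argCount` and handle the `this` value outside the loop) so the unchecked accessor is never asked for an out-of-range argument slot.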
A little lame to do this one extra time at the end of the loop but then discard
the result.
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:431
> + JSArray* arr = constructEmptyArray(exec, nullptr, finalArraySize);
Go nuts and call this array instead of arr?
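The overflow question raised above (an `unsigned` total fed by `size_t` lengths) is easy to see in isolation. The following is an added example, not WebKit code and not part of the patch under review: the first function accumulates the way the quoted line does and wraps silently, the second accumulates in 64 bits and refuses any total above the ECMAScript maximum array length (2^32 - 1). The function names and the input vector are hypothetical.

```cpp
// Added example (not WebKit code): unchecked vs. checked accumulation of
// element counts, as a caller sizing a single output allocation would do.
#include <cstddef>
#include <cstdint>
#include <vector>

// Mirrors the hazard in the review: an unsigned total fed by size_t lengths
// truncates each length and wraps the sum with no diagnostic.
unsigned naiveTotalLength(const std::vector<size_t>& lengths)
{
    unsigned total = 0;
    for (size_t length : lengths)
        total += static_cast<unsigned>(length); // silent truncation + wraparound
    return total;
}

// Checked version: accumulate in 64 bits and reject anything above the
// ECMAScript limit for an array length. Returns -1 on overflow so the caller
// can raise a RangeError instead of allocating a too-small buffer.
int64_t checkedTotalLength(const std::vector<size_t>& lengths)
{
    const uint64_t kMaxArrayLength = 0xFFFFFFFFull; // 2^32 - 1
    uint64_t total = 0;
    for (size_t length : lengths) {
        // Test the headroom before adding, so the addition itself cannot wrap.
        if (static_cast<uint64_t>(length) > kMaxArrayLength - total)
            return -1;
        total += static_cast<uint64_t>(length);
    }
    return static_cast<int64_t>(total);
}
```

With lengths {4294967295, 1} the naive version returns 0 and a caller would allocate nothing for 2^32 elements, while the checked version returns -1 and lets the caller fail cleanly.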