[webkit-reviews] review granted: [Bug 173506] ArrayPrototype methods should use JSValue::toLength for non-Arrays. : [Attachment 313176] Patch
bugzilla-daemon at webkit.org
Fri Jun 16 20:54:26 PDT 2017
Ryosuke Niwa <rniwa at webkit.org> has granted Keith Miller
<keith_miller at apple.com>'s request for review:
Bug 173506: ArrayPrototype methods should use JSValue::toLength for non-Arrays.
https://bugs.webkit.org/show_bug.cgi?id=173506
Attachment 313176: Patch
https://bugs.webkit.org/attachment.cgi?id=313176&action=review
--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 313176
--> https://bugs.webkit.org/attachment.cgi?id=313176
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=313176&action=review
> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1087
> + if (UNLIKELY(doubleLength + static_cast<double>(nrArgs) >
maxSafeInteger()))
> + return throwVMTypeError(exec, scope, ASCIILiteral("Cannot shift
to offset greater than (2 ** 53) - 1"));
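Review bot: the message on the throwVMTypeError line says "shift to offset", but the condition above it compares doubleLength + nrArgs with maxSafeInteger(), which is the length the object would have after the call, so wording the error in terms of the resulting length would tell the caller which quantity went over the limit. The sum is also formed in double: if doubleLength comes from toLength and is therefore already an integer no larger than maxSafeInteger(), say so in a short comment, since that is what keeps the addition from rounding back under the limit. The throwing path should have a test with a length at (2 ** 53) - 1 and at least one argument.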
It's probably worth pointing out in the change log that this is what you're
fixing.
> Source/JavaScriptCore/runtime/JSCJSValue.cpp:65
> + return maxSafeInteger(); // 2 ** 53 - 1
Seems like this comment is useless now. Remove?