[webkit-reviews] review granted: [Bug 164412] Object with numerical keys with gaps gets filled by NaN values : [Attachment 305999] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 31 12:56:49 PDT 2017


Mark Lam <mark.lam at apple.com> has granted GSkachkov <gskachkov at gmail.com>'s
request for review:
Bug 164412: Object with numerical keys with gaps gets filled by NaN values
https://bugs.webkit.org/show_bug.cgi?id=164412

Attachment 305999: Patch

https://bugs.webkit.org/attachment.cgi?id=305999&action=review




--- Comment #12 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 305999
  --> https://bugs.webkit.org/attachment.cgi?id=305999
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=305999&action=review

> Source/JavaScriptCore/ChangeLog:11
> +	   The issue is appear when during invoking convertDoubleToArrayStorage
when array is filled by 
> +	   pNaN and method converting it to real NaN. To fix issue we need to
check value and clear it
> +	   if in pNaN.
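Review bot: The ChangeLog text at line 11 is hard to parse ("The issue is appear when during invoking", "clear it if in pNaN"). Suggest rewording along the lines of: "The issue appears when convertDoubleToArrayStorage is invoked on an array that contains pNaN, which the method converts to a real NaN. To fix it, check each value and clear it if it is pNaN."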

Please add a comment here that says that "a PNaN in a Double array is a hole,
and Double arrays cannot have NaN values."

> JSTests/stress/object-number-properties.js:35
> +assert(Object.keys(foo).length, 4);
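Review bot: At line 35 the expected count is passed as a second argument, assert(Object.keys(foo).length, 4). If the assert helper in this file only tests the truthiness of its first argument, the check passes for any non-zero key count. Confirm the helper compares both arguments, or write the comparison explicitly, for example Object.keys(foo).length === 4.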

Can you also add some explicit asserts to ensure that the actual values also remain
the expected values (especially NaNs) after an indexing type conversion to
ArrayStorage, and didn't switch to a hole or something?  Thanks.
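
The value-level checks requested above, as an added example (not the patch's test file and not WebKit code): it records, per index, whether a slot is a hole or a stored value, and compares the picture before and after a storage change. The helper names, the sample object and the use of an indexed accessor to force a storage change are assumptions; which internal path an engine takes is engine-specific.

```javascript
// Added example; all names here are hypothetical, not from the WebKit patch.
// Describe every index in [0, limit): a hole (no own property) or its value.
// hasOwnProperty separates a hole from a stored NaN; Object.is identifies NaN.
function describeSlots(obj, limit) {
  const slots = [];
  for (let i = 0; i < limit; i++) {
    if (!Object.prototype.hasOwnProperty.call(obj, i)) {
      slots.push("hole");
    } else if (Object.is(obj[i], NaN)) {
      slots.push("NaN");
    } else {
      slots.push(String(obj[i]));
    }
  }
  return slots;
}

// Constructed sample: numeric keys with gaps, doubles, and genuine NaN values.
function makeSparseObject() {
  const foo = {};
  foo[0] = 1.5;
  foo[1] = NaN; // stored value, must stay NaN
  foo[3] = 2.5; // index 2 is a gap, must stay a hole
  foo[6] = NaN; // indices 4 and 5 are gaps
  return foo;
}

// Assumption: an accessor on an indexed property moves the object off a
// plain double representation. The internal conversion path is not asserted.
function perturbStorage(obj) {
  Object.defineProperty(obj, 8, {
    get() { return 42; }, enumerable: true, configurable: true,
  });
  return obj;
}

// Holes must not become keys, and stored NaNs must not become holes.
function checkConversionPreservesSlots() {
  const foo = makeSparseObject();
  const before = describeSlots(foo, 8);
  perturbStorage(foo);
  const after = describeSlots(foo, 8);
  const keys = Object.keys(foo);
  return { before, after, keys, same: before.join() === after.join() };
}
```
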

