[webkit-reviews] review granted: [Bug 215897] [JSC] setLength in Array#push could get very large length : [Attachment 407422] Patch
bugzilla-daemon at webkit.org
Thu Aug 27 12:34:48 PDT 2020
Keith Miller <keith_miller at apple.com> has granted Yusuke Suzuki <ysuzuki at apple.com>'s request for review:
Bug 215897: [JSC] setLength in Array#push could get very large length
https://bugs.webkit.org/show_bug.cgi?id=215897
Attachment 407422: Patch
https://bugs.webkit.org/attachment.cgi?id=407422&action=review
--- Comment #3 from Keith Miller <keith_miller at apple.com> ---
Comment on attachment 407422
--> https://bugs.webkit.org/attachment.cgi?id=407422
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review
r=me with nits.
> Source/JavaScriptCore/ChangeLog:10
> + Before r266215, it was using putLength which throws an error. But it is replaced with setLength,
Nit: But it *was* replaced.
> Source/JavaScriptCore/ChangeLog:11
> + and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it
Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.
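The bug under review is that Array#push could hand JSC::setLength a length above UINT32_MAX, where the old putLength path threw instead. The following is an added example, not part of the patch or of this review, that checks the spec-mandated behaviour an engine must show at those limits: a RangeError for a real Array that would exceed 2^32 - 1, and a TypeError for a generic array-like that would exceed 2^53 - 1. The constants and helper names are this example's own.

```javascript
// Added example (not from the patch or the review): exercises the
// length limits that Array.prototype.push must enforce, i.e. the cases in
// which JSC's setLength could otherwise be handed a length above UINT32_MAX.
// Runs on any modern engine (node works); results are returned, not printed.

const UINT32_MAX = 2 ** 32 - 1;   // largest valid Array length
const MAX_SAFE = 2 ** 53 - 1;     // largest length a generic push may reach

// Returns the constructor name of the error thrown by fn(), or null if none.
function thrown(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

// Case 1: a real Array whose length is already UINT32_MAX. push would need
// length UINT32_MAX + 1, which is not a valid Array length -> RangeError,
// and the length must be left unchanged.
function pushOnFullArray() {
  const a = [];
  a.length = UINT32_MAX;
  const err = thrown(() => a.push(1));
  return { err, length: a.length };
}

// Case 2: a generic array-like sitting at the 2^53 - 1 ceiling. push is
// generic and must refuse with a TypeError rather than exceed MAX_SAFE.
function pushOnHugeArrayLike() {
  const o = { length: MAX_SAFE };
  const err = thrown(() => Array.prototype.push.call(o, 1));
  return { err, length: o.length };
}

// Case 3: sanity check that an ordinary push still succeeds and reports
// the new length.
function pushNormal() {
  const a = [1, 2];
  return { newLength: a.push(3), length: a.length };
}
```

Both failing cases must also leave the receiver's length untouched, which is what the returned `length` field lets you check.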