[Webkit-unassigned] [Bug 83780] New: negative length applied to Array#slice

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 12 06:44:48 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=83780

           Summary: negative length applied to Array#slice
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.7
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: andrea.giammarchi at gmail.com


this through the url bar or the console: [].slice.call({length:-1})

and bye bye browser ... in Firefox instant exception, in Opera.Next an Array with maximum possible length, both Webkit Nightly, Safari, and Chrome Canary get stuck.

Not sure if this is related to the loop here ... unsigned casts are all over the place so probably is this part that has something wrong ?
resObj->setLength(exec, n);
return JSValue::encode(result);

This is out of:
// http://svn.webkit.org/repository/webkit/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

EncodedJSValue JSC_HOST_CALL arrayProtoFuncSlice(ExecState* exec)
{
    // http://developer.netscape.com/docs/manuals/js/client/jsref/array.htm#1193713 or 15.4.4.10
    JSObject* thisObj = exec->hostThisValue().toObject(exec);
    unsigned length = thisObj->get(exec, exec->propertyNames().length).toUInt32(exec);
    if (exec->hadException())
        return JSValue::encode(jsUndefined());

    // We return a new array
    JSArray* resObj = constructEmptyArray(exec);
    JSValue result = resObj;

    unsigned begin = argumentClampedIndexFromStartOrEnd(exec, 0, length);
    unsigned end = argumentClampedIndexFromStartOrEnd(exec, 1, length, length);

    unsigned n = 0;
    for (unsigned k = begin; k < end; k++, n++) {
        JSValue v = getProperty(exec, thisObj, k);
        if (exec->hadException())
            return JSValue::encode(jsUndefined());
        if (v)
            resObj->putDirectIndex(exec, n, v);
    }
    resObj->setLength(exec, n);
    return JSValue::encode(result);
}

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list