[Webkit-unassigned] [Bug 86733] Setting array index -1 and looping over array causes bad behavior

bugzilla-daemon at webkit.org
Thu May 17 17:54:21 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=86733

--- Comment #10 from Filip Pizlo <fpizlo at apple.com>  2012-05-17 17:53:24 PST ---
(In reply to comment #8)
> My guess is incorrect reification in an OSR exit, based purely on the symptoms

Nope, OSR is fine.  It's the slow path C function that the DFG calls for out-of-bounds indices.  It assumes that the value is non-negative even though the whole point of the function is to handle both negative and too-large positive indices.

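As an added illustration, not WebKit code and not the actual fix for this bug, the C model below shows the class of defect the comment describes: a slow path that is only ever reached for out-of-bounds indices, yet still written as if the index were non-negative, placed beside a version that dispatches on the sign first. The ToyArray layout, the header word placed before the elements and the HEADER_MAGIC tag are constructed for the example so that the bad store has a well-defined, observable effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a JS array's backing store, constructed for this example; it is
 * not WebKit's layout. One header word sits directly before the indexed
 * elements so that a store to dense[-1] has a well-defined, observable effect
 * (in a real engine, whatever metadata precedes the element vector). */
#define DENSE_CAP 8
#define MAX_NAMED 8
#define HEADER_MAGIC 0x4845414445520000ull /* arbitrary tag for the header word */

typedef struct {
    uint64_t storage[1 + DENSE_CAP]; /* storage[0] = header, storage[1..] = elements */
    uint32_t length;                  /* the JS .length property */
    char names[MAX_NAMED][16];        /* string-keyed properties, e.g. "-1" or "100" */
    uint64_t namedValues[MAX_NAMED];
    int namedCount;
} ToyArray;

static void toy_init(ToyArray *a) {
    memset(a, 0, sizeof *a);
    a->storage[0] = HEADER_MAGIC;
}

static uint64_t header(const ToyArray *a) { return a->storage[0]; }

/* Store/lookup in the string-keyed property list (a plain linear scan). */
static int set_named(ToyArray *a, const char *key, uint64_t v) {
    for (int i = 0; i < a->namedCount; i++)
        if (strcmp(a->names[i], key) == 0) { a->namedValues[i] = v; return 0; }
    if (a->namedCount == MAX_NAMED) return -1;
    snprintf(a->names[a->namedCount], sizeof a->names[0], "%s", key);
    a->namedValues[a->namedCount++] = v;
    return 0;
}

static int get_named(const ToyArray *a, const char *key, uint64_t *out) {
    for (int i = 0; i < a->namedCount; i++)
        if (strcmp(a->names[i], key) == 0) { *out = a->namedValues[i]; return 1; }
    return 0;
}

/* Index too large for the dense vector: keep it as a sparse (string-keyed)
 * element. It is still an array index, so .length must grow. */
static int put_sparse_index(ToyArray *a, uint32_t index, uint64_t v) {
    char key[16];
    snprintf(key, sizeof key, "%u", index);
    if (set_named(a, key, v) != 0) return -1;
    if (index >= a->length) a->length = index + 1;
    return 0;
}

/* Slow path written the way the comment describes the defect: it is called
 * for every index the fast path rejected, yet treats the index as if it were
 * non-negative. With index == -1 the signed comparison passes and the store
 * lands on the word before element 0. */
static int put_by_val_slow_buggy(ToyArray *a, int32_t index, uint64_t v) {
    uint64_t *dense = a->storage + 1;
    if (index < DENSE_CAP) {                 /* -1 < 8 is true */
        dense[index] = v;                    /* dense[-1] is storage[0]: header clobbered */
        if (index >= (int32_t)a->length) a->length = (uint32_t)index + 1;
        return 0;
    }
    return put_sparse_index(a, (uint32_t)index, v);
}

/* Corrected slow path: dispatch on the sign first. In JS, a[-1] is the
 * ordinary property "-1" and never touches indexed storage or .length. */
static int put_by_val_slow_fixed(ToyArray *a, int32_t index, uint64_t v) {
    if (index < 0) {
        char key[16];
        snprintf(key, sizeof key, "%d", index);
        return set_named(a, key, v);
    }
    if ((uint32_t)index < DENSE_CAP) {
        a->storage[1 + index] = v;
        if ((uint32_t)index >= a->length) a->length = (uint32_t)index + 1;
        return 0;
    }
    return put_sparse_index(a, (uint32_t)index, v);
}

/* Read back with the same dispatch; returns 1 if the element exists. */
static int get_by_val(const ToyArray *a, int32_t index, uint64_t *out) {
    char key[16];
    if (index >= 0 && (uint32_t)index < DENSE_CAP) { *out = a->storage[1 + index]; return 1; }
    snprintf(key, sizeof key, "%d", index);
    return get_named(a, key, out);
}
```

The point of the pairing is that the fast path already guarantees the slow path only sees indices outside the dense range, so a slow path must cover both halves of that set; checking `index < 0` before any arithmetic or comparison against a capacity is what keeps a negative index from being reinterpreted as an offset into indexed storage.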