[Webkit-unassigned] [Bug 86733] Setting array index -1 and looping over array causes bad behavior
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 17 18:28:47 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=86733
Oliver Hunt <oliver at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #142602|review? |review+
Flag| |
--- Comment #12 from Oliver Hunt <oliver at apple.com> 2012-05-17 18:27:51 PST ---
(From update of attachment 142602)
View in context: https://bugs.webkit.org/attachment.cgi?id=142602&action=review
r=me, but switch to Identifier::from() rather than using toString()
> Source/JavaScriptCore/dfg/DFGOperations.cpp:465
> + Identifier property(exec, jsNumber(index).toString(exec)->value(exec));
> + PutPropertySlot slot(true);
Use Identifier::from(exec, index)
> Source/JavaScriptCore/dfg/DFGOperations.cpp:482
> + Identifier property(exec, jsNumber(index).toString(exec)->value(exec));
ditto
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list