[Webkit-unassigned] [Bug 86733] Setting array index -1 and looping over array causes bad behavior

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 17 18:34:14 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=86733





--- Comment #13 from Filip Pizlo <fpizlo at apple.com>  2012-05-17 18:33:18 PST ---
(In reply to comment #12)
> (From update of attachment 142602 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=142602&action=review
> 
> r=me, but switch to Identifier::from() rather than using toString()
> 
> > Source/JavaScriptCore/dfg/DFGOperations.cpp:465
> > +    Identifier property(exec, jsNumber(index).toString(exec)->value(exec));
> > +    PutPropertySlot slot(true);
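Review bot: `PutPropertySlot slot(true);` on the second added line passes a bare boolean literal, so the call site does not say what `true` selects. A short comment, or a named constant in place of the literal, would make the intent reviewable without opening the PutPropertySlot declaration.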
> 
> Use Identifier::from(exec, index)
> 
> > Source/JavaScriptCore/dfg/DFGOperations.cpp:482
> > +    Identifier property(exec, jsNumber(index).toString(exec)->value(exec));
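Review bot: The added line at DFGOperations.cpp:482 repeats the index-to-Identifier conversion from DFGOperations.cpp:465 character for character. Building the Identifier in one shared helper would keep the two call sites from drifting apart, and a change to the conversion (such as the switch to Identifier::from() requested here) would then be made in a single place.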
> 
> ditto

Ah!  Changed to use ::from().
