[Webkit-unassigned] [Bug 83780] negative length applied to Array#slice
bugzilla-daemon at webkit.org
Tue Sep 4 00:00:45 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=83780
Gavin Barraclough <barraclough at apple.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |WORKSFORME
--- Comment #1 from Gavin Barraclough <barraclough at apple.com> 2012-09-04 00:00:57 PST ---
I think JSC is correct here.
The toUInt32 conversion is spec defined behavior (see 15.4.4.10 step 4), so your code fragment is asking the engine to inspect the this object for four billion possible properties. This takes a while. :-)
JSC does not provide a mechanism to asynchronously interrupt execution; instead we rely on the browser killing the web process if it's not interested in waiting for the script to complete. If you try navigating in Safari you should be given the option to do so.
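The conversion described in the comment above, worked through as an added example (not part of the original message and not JavaScriptCore code): it models the ES5 15.4.4.10 steps to count the property lookups a generic slice performs on its this object, and shows a guard that validates length before copying. The helper names, the MAX_LEN cap and the sample objects are assumptions constructed for this example.

```javascript
// Added example, not JavaScriptCore code. Models the ES5 15.4.4.10 steps the
// comment cites; helper names and MAX_LEN are assumptions of this example.
const MAX_LEN = 1000000; // assumed policy cap on array-like length

// ES5 9.6 ToUint32; the >>> operator applies exactly this conversion.
function toUint32(value) {
  return value >>> 0;
}

// ES5 9.4 ToInteger, used for the relative start and end arguments.
function toInteger(value) {
  const n = Number(value);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Steps 5-8: clamp start/end against len, giving the half-open range [k, final).
function sliceRange(len, start, end) {
  const relStart = toInteger(start);
  const relEnd = end === undefined ? len : toInteger(end);
  const k = relStart < 0 ? Math.max(len + relStart, 0) : Math.min(relStart, len);
  const final = relEnd < 0 ? Math.max(len + relEnd, 0) : Math.min(relEnd, len);
  return [k, Math.max(final, k)];
}

// Number of property lookups an ES5 slice performs on the this object.
function es5SliceProbeCount(arrayLike, start, end) {
  const [k, final] = sliceRange(toUint32(arrayLike.length), start, end);
  return final - k;
}

// Guarded generic slice: read length once, reject values that only become
// "valid" through ToUint32 wraparound, then copy the bounded range.
function safeSlice(arrayLike, start, end, maxLen = MAX_LEN) {
  const obj = Object(arrayLike);
  const len = obj.length;
  if (!Number.isInteger(len) || len < 0 || len > maxLen) {
    throw new RangeError("rejecting array-like with length " + String(len));
  }
  const [k, final] = sliceRange(len, start, end);
  const out = [];
  for (let i = k; i < final; i++) {
    if (i in obj) out[i - k] = obj[i];
  }
  return out;
}

// Constructed inputs: a well-formed array-like and one with a negative length.
const benign = { 0: "a", 1: "b", 2: "c", length: 3 };
const hostile = { 0: "a", length: -1 };
```

ES2015 and later editions replaced ToUint32 with ToLength for this step, which clamps a negative length to 0, so the count above applies to engines following the ES5 text cited in the comment.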