[Webkit-unassigned] [Bug 83780] negative length applied to Array#slice

bugzilla-daemon at webkit.org
Tue Sep 4 01:17:50 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=83780
--- Comment #2 from Andrea Giammarchi <andrea.giammarchi at gmail.com>  2012-09-04 01:18:02 PST ---
I understand ... (and this was quite old too) but in this way it is too easy to crash a browser via malicious code. Don't you think? :-)

(In reply to comment #1)
> I think JSC is correct here.
> 
> The toUInt32 conversion is spec defined behavior (see 15.4.4.10 step 4), so your code fragment is asking the engine to inspect the this object for four billion possible properties.  This takes a while. :-)
> 
> JSC does not provide a mechanism to asynchronously interrupt execution; instead we rely on the browser killing the web process if it's not interested in waiting for the script to complete.  If you try navigating in Safari you should be given the option to do so.

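The exchange above turns on one conversion step: ES5's Array.prototype.slice (15.4.4.10 step 4, as comment #1 cites) runs the `length` of its `this` object through ToUint32, so a negative length such as -1 becomes 4294967295 and the engine dutifully inspects that many indices. The following is an added example, not code from the bug report or from WebKit. It writes out the ES5 ToUint32 conversion (section 9.6 of ES5) step by step, contrasts it with the ES2015 ToLength rule that clamps negative lengths to 0, and shows an input-validation guard for code that passes untrusted array-likes (for example, parsed JSON) to `slice`. The `maxLength` budget and the constructed `hostile`/`benign` inputs are assumptions for illustration.

```javascript
// Added example (not from the bug report or WebKit): how a negative
// "length" turns into ~4 billion index lookups under the ES5 ToUint32
// rule, how the ES2015 ToLength rule clamps it to 0 instead, and a guard
// for code that hands untrusted array-likes to Array.prototype.slice.

// ES5 9.6 ToUint32, written out step by step. `value >>> 0` performs the
// same conversion natively; the explicit version shows where -1 becomes
// 4294967295.
function toUint32(value) {
  const number = Number(value);
  if (Number.isNaN(number) || number === 0 || !Number.isFinite(number)) {
    return 0;
  }
  const posInt = Math.sign(number) * Math.floor(Math.abs(number));
  const TWO_32 = 2 ** 32;
  // The spec's "modulo" always yields a non-negative result, so -1 -> 2^32 - 1.
  return ((posInt % TWO_32) + TWO_32) % TWO_32;
}

// ES2015 ToLength: NaN and negative lengths collapse to 0, and the upper
// bound is 2^53 - 1. Under this rule slice on {length: -1} does no work.
function toLength(value) {
  const number = Number(value);
  if (Number.isNaN(number)) return 0;
  const integer = Math.sign(number) * Math.floor(Math.abs(number));
  if (integer <= 0) return 0;
  return Math.min(integer, Number.MAX_SAFE_INTEGER);
}

// Number of index lookups slice(0) would perform on `arrayLike` under each rule.
function sliceLookups(arrayLike) {
  return {
    es5: toUint32(arrayLike.length),
    es2015: toLength(arrayLike.length),
  };
}

// Guard for code that accepts array-likes from untrusted input: refuse a
// length that is not a non-negative integer within a budget, regardless of
// which conversion rule the host engine applies.
// `maxLength` is a hypothetical budget, not a value from the bug report.
function guardedSlice(arrayLike, start = 0, end, maxLength = 1e6) {
  const len = Number(arrayLike.length);
  if (!Number.isInteger(len) || len < 0 || len > maxLength) {
    throw new RangeError(`refusing array-like with length ${arrayLike.length}`);
  }
  return Array.prototype.slice.call(arrayLike, start, end);
}

// Constructed inputs, not taken from the bug report.
const hostile = { length: -1 };
const benign = { 0: "a", 1: "b", 2: "c", length: 3 };

console.log(sliceLookups(hostile));   // { es5: 4294967295, es2015: 0 }
console.log(guardedSlice(benign, 1)); // [ 'b', 'c' ]
try {
  guardedSlice(hostile);
} catch (e) {
  console.log(String(e));             // RangeError: refusing array-like with length -1
}
```

The guard checks the raw `length` before any spec conversion runs, so it holds whether the engine follows the ES5 ToUint32 rule or the ES2015 ToLength rule; the budget is the point, since a legitimate array-like from user input rarely needs millions of entries.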