[Webkit-unassigned] [Bug 137814] New: crash when attempting to perform array iteration on a non-array with numeric keys not initialized

bugzilla-daemon at webkit.org
Fri Oct 17 02:16:25 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=137814

            Bug ID: 137814
           Summary: crash when attempting to perform array iteration on a
                    non-array with numeric keys not initialized
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Macintosh Intel
                OS: Mac OS X 10.9
            Status: NEW
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: claude.pache at gmail.com

The following JS code will crash WebKit.

    var b = Object.create(Array.iterator)
    for (var x of b) { console.log(x) } // boom

The crash does not occur (and standard Array iteration is triggered) when some numeric key of the iterated object was initialized.

    var b = Object.create(Array.iterator)
    b[3] = 42
    for (var x of b) { console.log(x) } // no crash
