Bug 6234 - Can delete array index property incorrectly.
Summary: Can delete array index property incorrectly.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 420+
Hardware: Other Linux
: P2 Normal
Assignee: Maciej Stachowiak
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-24 13:35 PST by Maks Orlovich
Modified: 2005-12-27 03:05 PST (History)
0 users

See Also:


Attachments
Maks's fix in patch form, with test case (3.30 KB, patch)
2005-12-27 03:04 PST, Maciej Stachowiak
mjs: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Maks Orlovich 2005-12-24 13:35:44 PST
See the following testcase:  
var a = new Array();  
a[1]     = 4;  
a['1.0'] = 5;  
delete a['1.0'];  
alert(a[1]);  
  
here, the alert at the end should IMHO return 4 (which FFox, WinIE, and Konq 
3.5 all do), and not Undefined as JSC seems to produce, as the property 1.0 
being  removed is not an array index (toString(toUint32('1.0')) != '1.0)  
  
I believe the following is the fix: 
--- array_object.cpp    (revision 489699)   
+++ array_object.cpp    (working copy)   
@@ -160,7 +160,7 @@ bool ArrayInstanceImp::deleteProperty(Ex   
     return false;   
   
   bool ok;   
-  uint32_t index = propertyName.toUInt32(&ok);   
+  uint32_t index = propertyName.toArrayIndex(&ok);   
   if (ok) {   
     if (index >= length)   
       return true;
Comment 1 Maciej Stachowiak 2005-12-27 03:04:09 PST
Created attachment 5297 [details]
Maks's fix in patch form, with test case
Comment 2 Maciej Stachowiak 2005-12-27 03:04:46 PST
Comment on attachment 5297 [details]
Maks's fix in patch form, with test case

r=me on Mak's fix