WebKit Bugzilla
Attachment 339974 Details for
Bug 185476
: [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-185476-20180509140644.patch (text/plain), 1.98 KB, created by
Leo Balter
on 2018-05-09 10:06:47 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Leo Balter
Created:
2018-05-09 10:06:47 PDT
Size:
1.98 KB
patch
obsolete
>Subversion Revision: 231554 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 89ab19be86bbc07f525384741d3c9737183ddc48..dda2ed1dec64846d6b7da349371d66d074f9f830 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,20 @@ >+2018-05-09 Leo Balter <leonardo.balter@gmail.com> >+ >+ [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array >+ Error found in the following Test262 tests: >+ >+ - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js >+ - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js >+ - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js >+ >+ The ArraySpeciesCreate should throw a RangeError with non-Array custom objects >+ presenting a length > 2**32-1 >+ https://bugs.webkit.org/show_bug.cgi?id=185476 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/ArrayPrototype.cpp: >+ > 2018-05-09 Srdjan Lazarevic <srdjan.lazarevic@rt-rk.com> > > [MIPS] Optimize generated JIT code using r2 >diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp >index 3e2843feae1ed344383f69a495540cfbb5a97756..124bd34bd4a765ca1f0f120e6f97bb935aaebbd7 100644 >--- a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp >+++ b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp >@@ -247,8 +247,11 @@ static ALWAYS_INLINE std::pair<SpeciesConstructResult, JSObject*> speciesConstru > if (constructor.isNull()) > return std::make_pair(SpeciesConstructResult::FastPath, nullptr);; > } >- } else >+ } else { >+ // If isArray is false, return ? ArrayCreate(length). > RETURN_IF_EXCEPTION(scope, exceptionResult()); >+ return std::make_pair(SpeciesConstructResult::FastPath, nullptr); >+ } > > if (constructor.isUndefined()) > return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=339974">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 185476
:
339969
|
339974
|
339977