Bug 107081

Summary: DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren, mhahnenberg, msaboff
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All

Description Filip Pizlo 2013-01-16 18:31:03 PST
<rdar://problem/12966526>
Comment 1 Filip Pizlo 2013-01-16 18:31:26 PST
Already reviewed by Michael Saboff in person.
Comment 2 Filip Pizlo 2013-01-16 18:34:34 PST
I couldn't easily come up with a good test case - this flaw would lead to code "just working" in a surprising number of cases.
Comment 3 Filip Pizlo 2013-01-16 18:34:44 PST
Landed in http://trac.webkit.org/changeset/139949