Summary: | In a certain app state, Array.prototype.filter() returns incorrect results | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Ryan Grove <ryan> | ||||||||
Component: | JavaScriptCore | Assignee: | Michael Saboff <msaboff> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | Normal | CC: | benjamin, mathias, msaboff, oliver | ||||||||
Priority: | P2 | Keywords: | InRadar | ||||||||
Version: | 528+ (Nightly build) | ||||||||||
Hardware: | Mac | ||||||||||
OS: | OS X 10.9 | ||||||||||
URL: | http://jsbin.com/potewaye/13/edit?js,console | ||||||||||
Attachments: |
|
Description
Ryan Grove
2014-06-06 09:59:19 PDT
Original radar - <rdar://problem/17019752> Created attachment 232757 [details]
Patch
Comment on attachment 232757 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=232757&action=review > Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:1714 > + bieq ArrayStorage::m_vector + TagOffset[t0, t3, 8], EmptyValueTag, .opPutByValArrayStorageEmpty Could you add a test to make sure that we don't call setters or anything when doing a put by val direct on a hole? Created attachment 232796 [details]
Patch with updated test from comment
Committed r169751: <http://trac.webkit.org/changeset/169751> Comment on attachment 232796 [details]
Patch with updated test from comment
r=me
|