Bug 22201

Summary:

Caching of array length gives incorrect length for an array of maximum size

Product:

WebKit

Reporter:

Cameron Zwarich (cpst) <zwarich>

Component:

JavaScriptCore

Assignee:

Gavin Barraclough <barraclough>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough

Priority:

Keywords:

Regression

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Fix	zwarich: review+

Cameron Zwarich (cpst)

Reported 2008-11-12 01:56:01 PST

The following code prints the correct length 2 times, then -1 8 times: var largestInteger = 4294967295; var array = new Array(); array[largestInteger - 1] = "test"; for (var i = 0; i < 10; ++i) print(array.length); This is a regression of CTI with respect to bytecode.

Attachments
Fix (1.58 KB, patch) 2008-11-12 02:24 PST, Gavin Barraclough	zwarich: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Gavin Barraclough

Comment 1 2008-11-12 02:24:47 PST

Created attachment 25092 [details] Fix

Cameron Zwarich (cpst)

Comment 2 2008-11-12 02:27:12 PST

Comment on attachment 25092 [details] Fix r=me if you add the example given as a layout test in fast/js/pic.

Gavin Barraclough

Comment 3 2008-11-12 03:31:55 PST

Sending JavaScriptCore/ChangeLog Sending JavaScriptCore/VM/CTI.cpp Sending LayoutTests/ChangeLog Adding LayoutTests/fast/js/pic/cached-array-length-access-expected.txt Adding LayoutTests/fast/js/pic/cached-array-length-access.html Transmitting file data ..... Committed revision 38334.

Note You need to log in before you can comment on or make changes to this bug.