Bug 25227

Summary: Array.filter triggers an assertion when the target array shrinks while being filtered
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Reporter: Oliver Hunt <oliver>
Assignee: Oliver Hunt <oliver>
Attachments:
filter fixeration (flags: barraclough: review+)

Oliver Hunt
Reported 2009-04-15 18:56:57 PDT
Array.filter uses unguarded accesses to array elements, but alas the array may be shrunk by the filter function, thus leading to badness
Attachments
filter fixeration (114.16 KB, patch)
2009-04-15 19:04 PDT, Oliver Hunt
barraclough: review+
Oliver Hunt
Comment 1 2009-04-15 19:04:04 PDT
Created attachment 29523 filter fixeration
Oliver Hunt
Comment 2 2009-04-15 19:12:52 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M JavaScriptCore/ChangeLog
M JavaScriptCore/runtime/ArrayPrototype.cpp
M LayoutTests/ChangeLog
A LayoutTests/fast/js/array-enumerators-functions-expected.txt
A LayoutTests/fast/js/array-enumerators-functions.html
A LayoutTests/fast/js/resources/array-enumerators-functions.js
Committed r42567
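
The condition described in the report, as an added example that is not part of the bug thread or the WebKit patch: a JavaScript-level filter that samples the length once and re-checks each index before reading it, so a callback that shrinks the array cannot cause a read past the live elements. `guardedFilter`, `shrinkingCase`, `builtinCase` and the sample arrays are constructed for illustration.

```javascript
// Added example: a filter that tolerates the callback mutating the array.
// guardedFilter and the sample data are hypothetical, not WebKit code.
function guardedFilter(array, callback, thisArg) {
  if (typeof callback !== "function") {
    throw new TypeError("callback must be a function");
  }
  // The length is sampled once up front, so it can go stale as soon as
  // the callback runs and truncates the array.
  const length = array.length >>> 0;
  const result = [];
  let skipped = 0;
  for (let k = 0; k < length; k++) {
    // Guard: confirm index k still exists before every read, because the
    // previous callback invocation may have shrunk the array.
    if (!(k in array)) {
      skipped++;
      continue;
    }
    const value = array[k];
    if (callback.call(thisArg, value, k, array)) {
      result.push(value);
    }
  }
  return { result, skipped };
}

// Constructed case matching the report: the callback shrinks the array
// while it is being filtered.
function shrinkingCase() {
  const data = [1, 2, 3, 4, 5, 6];
  return guardedFilter(data, (value, index, arr) => {
    if (index === 1) arr.length = 3; // drops indices 3..5
    return value % 2 === 1;
  });
}

// The same callback through the engine's built-in filter, for comparison.
function builtinCase() {
  const data = [1, 2, 3, 4, 5, 6];
  return data.filter((value, index, arr) => {
    if (index === 1) arr.length = 3;
    return value % 2 === 1;
  });
}

console.log(shrinkingCase(), builtinCase());
```

The `skipped` count shows how many indices covered by the stale length no longer existed when the loop reached them.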