Bug 107081 - DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
Summary: DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2013-01-16 18:31 PST by Filip Pizlo
Modified: 2013-01-16 18:34 PST (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2013-01-16 18:31:03 PST 
<rdar://problem/12966526>
Comment 1 Filip Pizlo 2013-01-16 18:31:26 PST 
Already reviewed by Michael Saboff in person.
Comment 2 Filip Pizlo 2013-01-16 18:34:34 PST 
I couldn't easily come up with a good test case - this flaw would lead to code "just working" in a surprising number of cases.
Comment 3 Filip Pizlo 2013-01-16 18:34:44 PST 
Landed in http://trac.webkit.org/changeset/139949