120278 – JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it

RESOLVED FIXED 120278

JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it

https://bugs.webkit.org/show_bug.cgi?id=120278

Summary JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on th...

Mark Hahnenberg

Reported 2013-08-25 16:13:58 PDT

This is causing crashes.

Attachments
Patch (1.70 KB, patch) 2013-08-25 16:15 PDT, Mark Hahnenberg	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Hahnenberg

Comment 1 2013-08-25 16:15:06 PDT

Created attachment 209609 [details] Patch

Geoffrey Garen

Comment 2 2013-08-26 09:32:45 PDT

Comment on attachment 209609 [details] Patch Can you add a test case for this?

Mark Hahnenberg

Comment 3 2013-08-26 09:51:48 PDT

(In reply to comment #2) > (From update of attachment 209609 [details]) > Can you add a test case for this? I'm working on one right now. It depends on fixing that issue where Object.defineProperty can't make ProeprtyDescriptor::m_attributes == 0.

Radar WebKit Bug Importer

Comment 4 2013-08-26 11:07:48 PDT

<rdar://problem/14836008>

Mark Hahnenberg

Comment 5 2013-08-26 13:28:03 PDT

Committed r154633: <http://trac.webkit.org/changeset/154633>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Mark Hahnenberg

Reported

2013-08-25 16:13 PDT

Modified

2013-08-26 13:28 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks