120278 – JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it

Bug 120278 - JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it

Summary: JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on th...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2013-08-25 16:13 PDT by Mark Hahnenberg
Modified:	2013-08-26 13:28 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Patch (1.70 KB, patch) 2013-08-25 16:15 PDT, Mark Hahnenberg	ggaren: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2013-08-25 16:13:58 PDT

This is causing crashes.

Comment 1 Mark Hahnenberg 2013-08-25 16:15:06 PDT

Created attachment 209609 [details]
Patch

Comment 2 Geoffrey Garen 2013-08-26 09:32:45 PDT

Comment on attachment 209609 [details]
Patch

Can you add a test case for this?

Comment 3 Mark Hahnenberg 2013-08-26 09:51:48 PDT

(In reply to comment #2)
> (From update of attachment 209609 [details])
> Can you add a test case for this?

I'm working on one right now. It depends on fixing that issue where Object.defineProperty can't make ProeprtyDescriptor::m_attributes == 0.

Comment 4 Radar WebKit Bug Importer 2013-08-26 11:07:48 PDT

<rdar://problem/14836008>

Comment 5 Mark Hahnenberg 2013-08-26 13:28:03 PDT

Committed r154633: <http://trac.webkit.org/changeset/154633>