22201 – Caching of array length gives incorrect length for an array of maximum size

RESOLVED FIXED 22201

Caching of array length gives incorrect length for an array of maximum size

https://bugs.webkit.org/show_bug.cgi?id=22201

Summary Caching of array length gives incorrect length for an array of maximum size

Cameron Zwarich (cpst)

Reported 2008-11-12 01:56:01 PST

The following code prints the correct length 2 times, then -1 8 times: var largestInteger = 4294967295; var array = new Array(); array[largestInteger - 1] = "test"; for (var i = 0; i < 10; ++i) print(array.length); This is a regression of CTI with respect to bytecode.

Attachments
Fix (1.58 KB, patch) 2008-11-12 02:24 PST, Gavin Barraclough	zwarich: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Gavin Barraclough

Comment 1 2008-11-12 02:24:47 PST

Created attachment 25092 [details] Fix

Cameron Zwarich (cpst)

Comment 2 2008-11-12 02:27:12 PST

Comment on attachment 25092 [details] Fix r=me if you add the example given as a layout test in fast/js/pic.

Gavin Barraclough

Comment 3 2008-11-12 03:31:55 PST

Sending JavaScriptCore/ChangeLog Sending JavaScriptCore/VM/CTI.cpp Sending LayoutTests/ChangeLog Adding LayoutTests/fast/js/pic/cached-array-length-access-expected.txt Adding LayoutTests/fast/js/pic/cached-array-length-access.html Transmitting file data ..... Committed revision 38334.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Gavin Barraclough

Reported

2008-11-12 01:56 PST

Modified

2008-11-12 03:31 PST History

CC List

1 user Show

URL

Keywords Regression

Depends on

Blocks