25227 – Array.filter triggers an assertion when the target array shrinks while being filtered

RESOLVED FIXED 25227

Array.filter triggers an assertion when the target array shrinks while being filtered

https://bugs.webkit.org/show_bug.cgi?id=25227

Summary Array.filter triggers an assertion when the target array shrinks while being ...

Oliver Hunt

Reported 2009-04-15 18:56:57 PDT

Array.filter uses unguarded accesses to array elements, but alas the array may be shrunk by the filter function, thus leading to badness

Attachments
filter fixeration (114.16 KB, patch) 2009-04-15 19:04 PDT, Oliver Hunt	barraclough: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Oliver Hunt

Comment 1 2009-04-15 19:04:04 PDT

Created attachment 29523 [details] filter fixeration

Oliver Hunt

Comment 2 2009-04-15 19:12:52 PDT

Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/runtime/ArrayPrototype.cpp M LayoutTests/ChangeLog A LayoutTests/fast/js/array-enumerators-functions-expected.txt A LayoutTests/fast/js/array-enumerators-functions.html A LayoutTests/fast/js/resources/array-enumerators-functions.js Committed r42567

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Mac

OS OS X 10.5

Product WebKit

Component JavaScriptCore

Assignee

Oliver Hunt

Reported

2009-04-15 18:56 PDT

Modified

2009-04-15 19:12 PDT History

CC List

0 users

URL

Keywords

Depends on

Blocks