Closed
Bug 1461272
Opened 7 years ago
Closed 7 years ago
Missing sealed-elements check in js::ArraySetLength
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox62 | --- | fixed |
People
(Reporter: anba, Assigned: jandem)
References
Details
Attachments
(1 file)
|
2.80 KB,
patch
|
anba
:
review+
|
Details | Diff | Splinter Review |
This fast path [1] must not be taken when the elements are sealed.
Test case:
---
var r = [1, 2, 3, 4];
Object.seal(r);
r.length = 0;
print(r);
---
Expected:
- Prints "1,2,3,4"
Actual:
- Prints ""
[1] https://searchfox.org/mozilla-central/rev/a85db9e29eb3f022dbaf8b9a6390ecbacf51e7dd/js/src/builtin/Array.cpp#783
|
Assignee | |
Comment 1•7 years ago
|
||
Good find. This was not a problem with frozen elements because frozen implies non-writable length.
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 2•7 years ago
|
||
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8975478 -
Flags: review?(andrebargull)
|
Reporter | |
Updated•7 years ago
|
Attachment #8975478 -
Flags: review?(andrebargull) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/10109d328995
Add missing sealed elements check to ArraySetLength fast path. r=anba
|
||
Comment 4•7 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
You need to log in
before you can comment on or make changes to this bug.
Description
•