Closed
Bug 630945
Opened 15 years ago
Closed 15 years ago
ArrayObject.push assumes that dense arrays have length == dense.length
Categories
(Tamarin Graveyard :: Virtual Machine, defect)
Tamarin Graveyard
Virtual Machine
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: stejohns, Assigned: stejohns)
References
Details
Attachments
(2 files)
|
2.80 KB,
patch
|
rreitmai
:
review+
|
Details | Diff | Splinter Review |
|
2.29 KB,
patch
|
rreitmai
:
review+
|
Details | Diff | Splinter Review |
push() always adds at the array's "length" property, but a dense array's "denselength" might be less than this; AS3_push doesn't consider this, so it can "push" at the wrong location. (Astonishingly, we have no acceptance test for this.)
|
Assignee | |
Comment 1•15 years ago
|
||
Assignee: nobody → stejohns
Attachment #509183 -
Flags: review?(rreitmai)
|
|
Assignee | |
Comment 2•15 years ago
|
||
Attachment #509185 -
Flags: review?(rreitmai)
|
||
Comment 3•15 years ago
|
||
Comment on attachment 509185 [details] [diff] [review]
Patch for AS3_push
R+, appears to address the issue. This method is starting to fracture a bit at the seams; good candidate for re-factoring soon.
Attachment #509185 -
Flags: review?(rreitmai) → review+
|
|
||
Comment 4•15 years ago
|
||
Comment on attachment 509183 [details] [diff] [review]
Testcase demonstrating the bug
Not sure how the interplay of denseArray.length and denseStart are managed but wondering if we also need to look at unshift interaction.
Attachment #509183 -
Flags: review?(rreitmai) → review+
|
|
Assignee | |
Comment 5•15 years ago
|
||
TR 5869:368cba51fd02
|
|
Assignee | |
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•