Created attachment 596441
v1, adding dense array length guard and array-holes-5.js test

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.46 Safari/535.11

Steps to reproduce:
ElementIteratorObject dense array fast path sees element at uninitialized index. This bug was originally reported by caisui in https://bugzilla.mozilla.org/show_bug.cgi?id=699565#c32

Actual results:
ElementIteratorObject accesses an invalid ptr and returns an invalid value. Or, in a debug build, the assertion in getDenseArrayElement is trapped.

Expected results:
Only access a dense array element directly if the index is smaller than the dense array initialized length.
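The guard described under "Expected results" above, as an added example that is not part of the bug report, the attached patch, or SpiderMonkey's code. It is a simplified C++ model: `DenseArrayModel`, `nextUnguarded`, `nextGuarded`, `sample` and the sentinel constants are hypothetical names, and `POISON` stands in for memory that was never written.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model, not SpiderMonkey's real layout: `capacity` slots are
// allocated, but only the first `initializedLength` were ever written.
constexpr int64_t POISON = 0x5a5a5a5a5a5a5a5aLL;  // stands in for stale memory
constexpr int64_t HOLE = INT64_MIN;               // stands in for the hole marker
constexpr int64_t UNDEFINED = INT64_MIN + 1;      // stands in for JS undefined

struct DenseArrayModel {
    std::vector<int64_t> slots;
    size_t initializedLength = 0;
    size_t length = 0;  // script-visible length; may exceed initializedLength
    explicit DenseArrayModel(size_t capacity) : slots(capacity, POISON) {}
    void set(size_t i, int64_t v) {
        if (i >= slots.size()) slots.resize(i + 1, POISON);
        for (size_t k = initializedLength; k < i; ++k) slots[k] = HOLE;
        slots[i] = v;
        if (i >= initializedLength) initializedLength = i + 1;
        if (i >= length) length = i + 1;
    }
};

// Before: trusts `length`, so it hands back slots that were never written.
int64_t nextUnguarded(const DenseArrayModel& a, size_t i) {
    return (i < a.length && i < a.slots.size()) ? a.slots[i] : UNDEFINED;
}

// After: direct slot access only below initializedLength; holes and
// everything past the initialized prefix read as undefined.
int64_t nextGuarded(const DenseArrayModel& a, size_t i) {
    if (i < a.initializedLength && a.slots[i] != HOLE) return a.slots[i];
    return UNDEFINED;
}

// Constructed sample: [10, <hole>, 30], then length raised to 6.
DenseArrayModel sample() {
    DenseArrayModel a(8);
    a.set(0, 10);
    a.set(2, 30);
    a.length = 6;  // slots 3..5 stay uninitialized
    return a;
}

int main() {
    DenseArrayModel a = sample();
    for (size_t i = 0; i < a.length; ++i)
        std::printf("%zu: unguarded=%lld guarded=%lld\n", i,
                    (long long)nextUnguarded(a, i), (long long)nextGuarded(a, i));
}
```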
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 726212
Comment on attachment 596441
v1, adding dense array length guard and array-holes-5.js test

Good catch. I already have a fix for this one. It should go in on Monday since the reviewer asked for another test.