for-of on dense array sees element at uninitialized index.

RESOLVED DUPLICATE of bug 726212

Product: Core
Component: JavaScript Engine

Reporter: Yusuke Suzuki (Unassigned)

Version: Trunk
Platform: x86, Mac OS X

Description (Reporter, 6 years ago)
Created attachment 596441 [details] [diff] [review]
v1, adding dense array length guard and array-holes-5.js test

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.46 Safari/535.11

Steps to reproduce:

The ElementIteratorObject dense array fast path sees an element at an uninitialized index.

This bug was originally reported by caisui in https://bugzilla.mozilla.org/show_bug.cgi?id=699565#c32


Actual results:

ElementIteratorObject accesses an invalid pointer and returns an invalid value.
Or, in a debug build, the assertion in getDenseArrayElement is triggered.


Expected results:

Only access a dense array element directly if the index is smaller than the dense array's initialized length.
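To illustrate the expected behaviour described above, here is an added example (written for this page, not the reporter's patch or SpiderMonkey's own code) in which `Slot`, `DenseArray` and `ElementIterator` are hypothetical stand-ins: the iterator reads a slot directly only below the initialized length, and treats the uninitialized tail that `a.length = n` creates like a hole instead of reading past what was written.

```cpp
#include <cstdint>
#include <vector>
// Hypothetical dense-array model (added example, not SpiderMonkey's code):
// `length` is what script sees, `initializedLength` how many backing-store
// slots were actually written; slots beyond it are uninitialized memory.
struct Slot { bool hole; int32_t num; };   // hole=true models an explicit hole

struct DenseArray {
    uint32_t length = 0;
    uint32_t initializedLength = 0;
    std::vector<Slot> slots;

    static DenseArray fromList(const std::vector<Slot>& v) {
        DenseArray a;
        a.slots = v;
        a.initializedLength = static_cast<uint32_t>(v.size());
        a.length = a.initializedLength;
        return a;
    }
    // Models `a.length = n` with n > a.length: new indices exist for script,
    // but no slot is ever written for them.
    void growLength(uint32_t n) { if (n > length) length = n; }
};

// Iterator with the guard the description asks for: a slot is read directly
// only when index < initializedLength; holes and the uninitialized tail take
// the generic path, modelled here as yielding undefined (hole=true).
struct ElementIterator {
    const DenseArray& arr;
    uint32_t index;
    bool done() const { return index >= arr.length; }
    Slot next() {
        uint32_t i = index++;
        if (i < arr.initializedLength)   // the check the buggy fast path lacked
            return arr.slots[i];
        return Slot{true, 0};
    }
};

struct IterResult { std::vector<int32_t> values; uint32_t undefinedCount; };
// Drives a for-of style loop over the whole array and reports what it saw.
IterResult iterateAll(const DenseArray& a) {
    IterResult r{{}, 0};
    for (ElementIterator it{a, 0}; !it.done();) {
        Slot s = it.next();
        if (s.hole) ++r.undefinedCount; else r.values.push_back(s.num);
    }
    return r;
}
```

With `[1, 2, <hole>, 4]` grown to length 8, the loop yields the three written values and five undefineds, and never touches the four slots that were never initialized.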
Updated (Reporter, 6 years ago)
Attachment #596441 - Flags: review?(jorendorff)
Blocks: 699565
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attachment #596441 - Attachment is patch: true
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 726212
Comment on attachment 596441 [details] [diff] [review]
v1, adding dense array length guard and array-holes-5.js test

Good catch. I already have a fix for this one. It should go in on Monday since the reviewer asked for another test.
Attachment #596441 - Flags: review?(jorendorff)