Closed
Bug 726411
Opened 13 years ago
Closed 13 years ago
for-of on dense array sees element at uninitialized index.
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 726212
People
(Reporter: utatane.tea, Unassigned)
Attachments
(1 file)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.46 Safari/535.11
Steps to reproduce:
ElementIteratorObject dense array fast path sees element at uninitialized index.
This bug was originally reported by caisui in https://bugzilla.mozilla.org/show_bug.cgi?id=699565#c32
Actual results:
ElementIteratorObject accesses an invalid ptr and returns an invalid value.
Or, in a debug build, the assertion in getDenseArrayElement is trapped.
Expected results:
Only access a dense array element directly if the index is smaller than the dense array's initialized length.
Reporter
Updated•13 years ago
Attachment #596441 -
Flags: review?(jorendorff)
Updated•13 years ago
Attachment #596441 -
Attachment is patch: true
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Comment 2•13 years ago
Comment on attachment 596441
v1, adding dense array length guard and array-holes-5.js test
Good catch. I already have a fix for this one. It should go in on Monday since the reviewer asked for another test.
Attachment #596441 -
Flags: review?(jorendorff)
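The guard described under "Expected results", as an added C model that is not the attached patch and not SpiderMonkey code. The `DenseArray` struct, `iter_get`, the `POISON` marker and the capacity-bounded shape of the unguarded path are assumptions made for illustration; the unwritten tail is poisoned rather than left uninitialized so the stale read is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define POISON 0xDEADBEEFu /* constructed marker standing in for never-written memory */

/* Hypothetical model of a dense array; not the engine's real layout. */
typedef struct {
    uint32_t length;             /* script-visible length */
    uint32_t initialized_length; /* slots [0, initialized_length) were written */
    uint32_t capacity;           /* slots allocated */
    uint32_t *slots;
} DenseArray;
typedef enum { ITER_VALUE, ITER_HOLE, ITER_DONE } IterStatus;

/* Poison the unwritten tail so a stale read is visible yet well-defined C. */
static DenseArray make_array(uint32_t length, uint32_t initialized, uint32_t capacity) {
    DenseArray a = { length, initialized, capacity, malloc(capacity * sizeof(uint32_t)) };
    if (!a.slots) abort();
    for (uint32_t i = 0; i < capacity; i++)
        a.slots[i] = (i < initialized) ? i + 1 : POISON;
    return a;
}

/* guard == 0: fast path bounded by capacity only (assumed shape of the defect).
   guard != 0: fast path only below initialized_length (the expected behaviour). */
static IterStatus iter_get(const DenseArray *a, uint32_t index, int guard, uint32_t *out) {
    if (index >= a->length) return ITER_DONE;
    uint32_t limit = guard ? a->initialized_length : a->capacity;
    if (index < limit) { *out = a->slots[index]; return ITER_VALUE; }
    return ITER_HOLE; /* generic slow path, modelled here as a hole */
}

/* Walk the array as a for-of loop would; count poisoned values handed out. */
static unsigned count_stale_reads(const DenseArray *a, int guard) {
    unsigned stale = 0;
    uint32_t v = 0;
    for (uint32_t i = 0; ; i++) {
        IterStatus s = iter_get(a, i, guard, &v);
        if (s == ITER_DONE) break;
        if (s == ITER_VALUE && v == POISON) stale++;
    }
    return stale;
}

int main(void) {
    DenseArray a = make_array(6, 2, 8); /* constructed sample: 2 written slots, length 6 */
    printf("stale reads: unguarded=%u guarded=%u\n",
           count_stale_reads(&a, 0), count_stale_reads(&a, 1));
    free(a.slots);
    return 0;
}
```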