haikuwebkit/LayoutTests/js/array-length-shortening.html

Crash when attempting to perform array iteration on a non-array with numeric keys not initialized.
<https://webkit.org/b/137814>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

The arrayIteratorNextThunkGenerator() thunk was not checking for the case where the butterfly may be NULL. This was the source of the crash, and is now fixed.

In addition, it is also not checking for the case where a property named "length" may have been set on the iterated object. The thunk only checks the butterfly's publicLength for its iteration operation. Array objects will work fine with this because it always updates its butterfly's publicLength when its length changes. In the case of iterable non-Array objects, the "length" property will require a lookup outside of the scope of this thunk. The fix is simply to limit the fast case checks in this thunk to Array objects.

* jit/ThunkGenerators.cpp:
(JSC::arrayIteratorNextThunkGenerator):

LayoutTests:

* js/array-length-shortening-expected.txt: Added.
* js/array-length-shortening.html: Added.
* js/for-of-crash-expected.txt: Added.
* js/for-of-crash.html: Added.
* js/script-tests/array-length-shortening.js: Added.
(testLengthShortening):
(denseInt32Elements):
(denseDoubleElements):
(denseObjectElements):
(holeyInt32Elements):
(holeyDoubleElements):
(holeyObjectElements):
(arrayStorageInt32Elements):
(arrayStorageDoubleElements):
(arrayStorageObjectElements):
(sparseInt32Elements):
(sparseDoubleElements):
(sparseObjectElements):
* js/script-tests/for-of-crash.js: Added.
(foo):

Canonical link: https://commits.webkit.org/155970@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@175243 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2014-10-28 05:46:52 +00:00
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="../resources/js-test-pre.js"></script>
</head>
<body>
<script src="script-tests/array-length-shortening.js"></script>
<script src="../resources/js-test-post.js"></script>
</body>
</html>
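The script this harness loads (`script-tests/array-length-shortening.js`) is not shown on this page. The block below is an added example, not WebKit's test code, that exercises in plain JavaScript the three situations the commit message describes: an Array whose `length` is shortened mid-iteration, a non-Array object iterated through the Array iterator with its own `length` property, and a bare object with no indexed storage at all (the shape that crashed the thunk). The expected results are what the ECMAScript ArrayIterator semantics require, which is what the JIT fast path must reproduce or defer on. All input values are constructed for illustration.

```javascript
// Added example (not part of the WebKit test file or the commit): shows the
// spec-mandated results of array iteration in the cases the fixed thunk
// mishandled. Sample arrays and objects below are constructed inputs.

// Case 1: an Array whose length is shortened while a for-of loop is running.
// The ArrayIterator re-reads `length` and checks `index < length` on every
// step, so elements beyond the new length are never visited.
function iterateWhileShortening(values, cutAtIndex, newLength) {
  const arr = values.slice();   // work on a copy so the caller's array is untouched
  const seen = [];
  for (const v of arr) {
    seen.push(v);
    if (seen.length - 1 === cutAtIndex) arr.length = newLength;
  }
  return seen;
}

// Case 2: a non-Array object driven through the Array iterator. Its "length"
// is an ordinary property, so the iterator must look it up with ToLength rather
// than read an Array butterfly's publicLength; indices past that length are
// ignored and missing indices below it read as undefined.
function iterateArrayLike(obj) {
  const iter = Array.prototype[Symbol.iterator].call(obj);
  const out = [];
  for (const v of iter) out.push(v);
  return out;
}

// Case 3: the crashing shape from the bug title, an object with no numeric
// keys initialized (no indexed storage, hence a NULL butterfly in JSC terms).
// ToLength(undefined) is 0, so a correct iterator simply yields nothing.
function iterateEmptyObject() {
  return iterateArrayLike({});
}

// Case 1 variants: shortening ahead of the cursor stops early; shortening
// behind the cursor (length already passed) ends the loop on the next step.
function demo() {
  return {
    shortenedAhead: iterateWhileShortening([10, 20, 30, 40, 50], 0, 2),
    shortenedBehind: iterateWhileShortening([10, 20, 30, 40, 50], 3, 1),
    arrayLike: iterateArrayLike({ 0: "a", 1: "b", 2: "c", length: 2 }),
    arrayLikeWithGaps: iterateArrayLike({ 0: "a", 1: "b", length: "4" }),
    empty: iterateEmptyObject(),
  };
}
```

`demo()` returns the per-case results so they can be compared against expectations; note that `arrayLikeWithGaps` uses a string `length`, which ToLength coerces to 4, so the result has four entries with the two missing indices read as `undefined`.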