projects / profile / ivi / webkit-efl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 04585cb) | patch
Setting array index -1 and looping over array causes bad behavior
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 May 2012 01:34:01 +0000 (01:34 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 May 2012 01:34:01 +0000 (01:34 +0000)
commit73fbdf614d14953fdc723d916de320ebc8f244d8
tree3104921dc4302edaae55db682590b3f901868cc7tree | snapshot
parent04585cb3bccb8b2700aad3d1b6adb145e02cb2adcommit | diff
Setting array index -1 and looping over array causes bad behavior
https://bugs.webkit.org/show_bug.cgi?id=86733
<rdar://problem/11477670>

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

* dfg/DFGOperations.cpp:

LayoutTests:

* fast/js/dfg-negative-array-index-expected.txt: Added.
* fast/js/dfg-negative-array-index.html: Added.
* fast/js/script-tests/dfg-negative-array-index.js: Added.
(foo):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@117523 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog diff | blob | history
LayoutTests/fast/js/dfg-negative-array-index-expected.txt [new file with mode: 0644] blob
LayoutTests/fast/js/dfg-negative-array-index.html [new file with mode: 0644] blob
LayoutTests/fast/js/script-tests/dfg-negative-array-index.js [new file with mode: 0644] blob
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/dfg/DFGOperations.cpp diff | blob | history
Domain: Web Framework / Uncategorized;