| Index: src/objects.cc
|
| diff --git a/src/objects.cc b/src/objects.cc
|
| index efeed9df8f72e35faee62a26660a2661b5963b4b..a3495900437a4ce04de0992c90945dd02fa34ec4 100644
|
| --- a/src/objects.cc
|
| +++ b/src/objects.cc
|
| @@ -9537,7 +9537,9 @@ void JSObject::GetLocalPropertyNames(FixedArray* storage, int index) {
|
| }
|
| ASSERT(storage->length() >= index);
|
| } else {
|
| - property_dictionary()->CopyKeysTo(storage, StringDictionary::UNSORTED);
|
| + property_dictionary()->CopyKeysTo(storage,
|
| + index,
|
| + StringDictionary::UNSORTED);
|
| }
|
| }
|
|
|
| @@ -10286,6 +10288,7 @@ template MaybeObject* Dictionary<NumberDictionaryShape, uint32_t>::Shrink(
|
|
|
| template void Dictionary<StringDictionaryShape, String*>::CopyKeysTo(
|
| FixedArray*,
|
| + int,
|
| Dictionary<StringDictionaryShape, String*>::SortMode);
|
|
|
| template int
|
| @@ -11415,11 +11418,11 @@ void StringDictionary::CopyEnumKeysTo(FixedArray* storage,
|
| template<typename Shape, typename Key>
|
| void Dictionary<Shape, Key>::CopyKeysTo(
|
| FixedArray* storage,
|
| + int index,
|
| typename Dictionary<Shape, Key>::SortMode sort_mode) {
|
| ASSERT(storage->length() >= NumberOfElementsFilterAttributes(
|
| static_cast<PropertyAttributes>(NONE)));
|
| int capacity = HashTable<Shape, Key>::Capacity();
|
| - int index = 0;
|
| for (int i = 0; i < capacity; i++) {
|
| Object* k = HashTable<Shape, Key>::KeyAt(i);
|
| if (HashTable<Shape, Key>::IsKey(k)) {
|
|
|
Chromium Code Reviews
Issue 7565009:
Fix out-of-bounds access in fetching propery names (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge