Bug 664009 - Fix a minor array bug that happens to break some code. r=jwalden, a=clegnitto
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2759,17 +2759,18 @@ array_extra(JSContext *cx, ArrayExtraMod
* (and pre-size our map return to match our known length, for all cases).
*/
jsuint newlen;
JSObject *newarr;
#ifdef __GNUC__ /* quell GCC overwarning */
newlen = 0;
newarr = NULL;
#endif
- jsint start = 0, end = length, step = 1;
+ jsuint start = 0, end = length;
+ jsint step = 1;
switch (mode) {
case REDUCE_RIGHT:
start = length - 1, end = -1, step = -1;
/* FALL THROUGH */
case REDUCE:
if (length == 0 && argc == 1) {
JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
@@ -2828,17 +2829,17 @@ array_extra(JSContext *cx, ArrayExtraMod
return JS_FALSE;
MUST_FLOW_THROUGH("out");
JSBool ok = JS_TRUE;
JSBool cond;
Value objv = ObjectValue(*obj);
AutoValueRooter tvr(cx);
- for (jsint i = start; i != end; i += step) {
+ for (jsuint i = start; i != end; i += step) {
JSBool hole;
ok = JS_CHECK_OPERATION_LIMIT(cx) &&
GetElement(cx, obj, i, &hole, tvr.addr());
if (!ok)
goto out;
if (hole)
continue;
