| Field | Value |
|---|---|
| Summary | Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1 |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Alexey Shvayka <ashvayka> |
| Assignee | Alexey Shvayka <ashvayka> |
| Status | RESOLVED FIXED |
| Severity | Minor |
| Priority | P2 |
| Keywords | InRadar |
| CC | ews-watchlist, joepeck, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer |
| Version | WebKit Nightly Build |
| Hardware | All |
| OS | All |
| See Also | https://bugs.webkit.org/show_bug.cgi?id=163417 |
| Attachments | 399892: Patch |
Description
Alexey Shvayka
2020-05-20 14:08:26 PDT
Created attachment 399892 [details]
Patch

Comment 2 (Saam Barati)
Comment on attachment 399892 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=399892&action=review

> Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> +        if (k >= @MAX_SAFE_INTEGER)

should be >, no?

(In reply to Saam Barati from comment #2)
Thank you for review, Saam!

> > Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> > +        if (k >= @MAX_SAFE_INTEGER)
> > should be >, no?

ECMA-262 consistently uses > for length checks and >= for indices; `k` is an index here.
I've vetted all 2 ** 53 - 1 checks in JSC; we are spec-perfect with this patch.

Committed r261987: <https://trac.webkit.org/changeset/261987>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399892 [details].
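The review exchange turns on the ECMA-262 convention that a length is valid up to and including 2 ** 53 - 1 (checked with >), while an index about to be written must stay below it (checked with >=). The block below is an added example, not the WebKit patch and not JavaScriptCore code: a spec-shaped JavaScript model of the length and index bookkeeping in Array.prototype.concat, run against a constructed concat-spreadable object whose "length" exceeds 2 ** 32 - 1. The function names (`modelConcat`, `toLength`, `ownIndexKeys`, `truncatedToUint32`), the use of a plain object as the result so that a length above 2 ** 32 - 1 is representable, and the shortcut of copying only own index keys instead of probing every index are this example's own assumptions.

```javascript
// Added example (not the WebKit patch and not JSC code): a spec-shaped model of
// the length/index bookkeeping in Array.prototype.concat (ECMA-262 23.1.3.1).
// The result is a plain object, not an Array, so a "length" above 2 ** 32 - 1
// stays representable; real Array lengths are capped at 2 ** 32 - 1.
const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER; // 2 ** 53 - 1

// Spec ToLength: NaN and negatives become 0, values are clamped at 2 ** 53 - 1.
function toLength(v) {
  const n = Math.trunc(Number(v));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, MAX_SAFE_INTEGER);
}

// Spec IsConcatSpreadable: honour Symbol.isConcatSpreadable, else Array.isArray.
function isConcatSpreadable(o) {
  if (o === null || typeof o !== "object") return false;
  const flag = o[Symbol.isConcatSpreadable];
  return flag === undefined ? Array.isArray(o) : Boolean(flag);
}

// Own canonical array-index keys, ascending. Simplification (assumption of this
// example): the spec walks every index 0..len-1 with HasProperty, which is
// infeasible for a length near 2 ** 32; sparse own keys give the same result here.
function ownIndexKeys(o) {
  return Object.keys(o)
    .filter((key) => {
      const k = Number(key);
      return Number.isInteger(k) && k >= 0 && String(k) === key;
    })
    .map(Number)
    .sort((a, b) => a - b);
}

function modelConcat(O, ...items) {
  const A = {};
  let n = 0; // running index, kept as a double like the spec's mathematical value
  for (const E of [O, ...items]) {
    if (isConcatSpreadable(E)) {
      const len = toLength(E.length);
      // Length check uses strict >: n + len == 2 ** 53 - 1 is still a valid length.
      if (n + len > MAX_SAFE_INTEGER) {
        throw new TypeError("concat: resulting length would exceed 2 ** 53 - 1");
      }
      for (const k of ownIndexKeys(E)) {
        if (k < len) A[n + k] = E[k]; // CreateDataPropertyOrThrow(A, ToString(n + k), E[k])
      }
      n += len;
    } else {
      // Index check uses >=: 2 ** 53 - 1 is the largest length, so the largest
      // index that may still be written is 2 ** 53 - 2.
      if (n >= MAX_SAFE_INTEGER) {
        throw new TypeError("concat: index would exceed 2 ** 53 - 2");
      }
      A[n] = E;
      n += 1;
    }
  }
  A.length = n; // Set(A, "length", n)
  return A;
}

// Contrast: where the same element would land if the running index were
// truncated to 32 bits instead of tracked as a double.
function truncatedToUint32(n) {
  return n >>> 0;
}

// Constructed input: a sparse, concat-spreadable object longer than 2 ** 32 - 1.
const big = { length: 2 ** 32 + 3, 0: "a", [Symbol.isConcatSpreadable]: true };
const result = modelConcat([], big, "b");
console.log(result.length === 2 ** 32 + 4, result[2 ** 32 + 3] === "b"); // true true
console.log(truncatedToUint32(2 ** 32 + 3)); // 3: the trailing "b" would land at index 3
```

Running it under Node shows the element appended after the oversized spread landing at index 2 ** 32 + 3 with a final length of 2 ** 32 + 4, whereas a 32-bit counter would have wrapped that index to 3. The two TypeError paths reproduce the > versus >= distinction from the review: a spread that brings the total to exactly 2 ** 53 - 1 is accepted, a subsequent non-spreadable element is rejected by the index check, and a spread that would push the total past 2 ** 53 - 1 is rejected by the length check.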