Bug 212167

Summary: Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Product: WebKit Reporter: Alexey Shvayka <ashvayka>
Component: JavaScriptCoreAssignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Minor CC: ews-watchlist, joepeck, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=163417
Attachments:
Description Flags
Patch none

Alexey Shvayka
Reported 2020-05-20 14:08:26 PDT
Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Attachments
Patch (6.86 KB, patch)
2020-05-20 14:13 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Shvayka
Comment 1 2020-05-20 14:13:58 PDT
Created attachment 399892 [details] Patch
Saam Barati
Comment 2 2020-05-20 15:24:44 PDT
Comment on attachment 399892 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=399892&action=review > Source/JavaScriptCore/builtins/ArrayConstructor.js:72 > + if (k >= @MAX_SAFE_INTEGER) should be >, no?
Alexey Shvayka
Comment 3 2020-05-21 01:29:25 PDT
(In reply to Saam Barati from comment #2) Thank you for review, Saam! > > Source/JavaScriptCore/builtins/ArrayConstructor.js:72 > > + if (k >= @MAX_SAFE_INTEGER) > > should be >, no? ECMA-262 is consistent to use > for length checks and >= for indices; `k` is an index here. I've vetted all 2 ** 53 - 1 checks in JSC, we are spec-perfect with this patch.
EWS
Comment 4 2020-05-21 01:41:26 PDT
Committed r261987: <https://trac.webkit.org/changeset/261987> All reviewed patches have been landed. Closing bug and clearing flags on attachment 399892 [details].
Radar WebKit Bug Importer
Comment 5 2020-05-21 01:42:16 PDT
<rdar://problem/63484485>
Note You need to log in before you can comment on or make changes to this bug.