Bug 212167

Summary: Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Product: WebKit Reporter: Alexey Shvayka <ashvayka>
Component: JavaScriptCore Assignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Minor CC: ews-watchlist, joepeck, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=163417
Attachments: Patch (Flags: none)

Description Alexey Shvayka 2020-05-20 14:08:26 PDT
Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1
Comment 1 Alexey Shvayka 2020-05-20 14:13:58 PDT
Created attachment 399892 [details]
Patch
Comment 2 Saam Barati 2020-05-20 15:24:44 PDT
Comment on attachment 399892 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=399892&action=review

> Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> +            if (k >= @MAX_SAFE_INTEGER)

should be >, no?
Comment 3 Alexey Shvayka 2020-05-21 01:29:25 PDT
(In reply to Saam Barati from comment #2)

Thank you for review, Saam!

> > Source/JavaScriptCore/builtins/ArrayConstructor.js:72
> > +            if (k >= @MAX_SAFE_INTEGER)
> 
> should be >, no?

ECMA-262 consistently uses > for length checks and >= for indices; `k` is an index here.
I've vetted all 2 ** 53 - 1 checks in JSC, we are spec-perfect with this patch.
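Added example, not part of this bug report and not WebKit/JSC code: a reference implementation in JavaScript of the ECMA-262 Array.prototype.concat steps that comment 3 refers to, with the two 2 ** 53 - 1 checks factored out so the > (result length) versus >= (index) distinction is visible. It also shows why an array-like whose length exceeds 2 ** 32 - 1 is a distinct case: ToLength keeps such a length intact, whereas any uint32 conversion on the way would silently wrap it. All function names (`toLength`, `checkResultLength`, `checkIndex`, `concatOne`, `finishConcat`, `specConcat`, `makeSpreadable`) are my own, and the inputs are constructed for the demo.

```javascript
// Added example, not WebKit/JSC code: a reference implementation of the ECMA-262
// Array.prototype.concat algorithm with its two 2^53 - 1 limit checks factored out.
// All identifiers here are my own names for the spec's abstract operations.

const MAX_SAFE_INTEGER = 2 ** 53 - 1;

// ToLength: clamp to an integer in [0, 2^53 - 1]. This is NOT a uint32 truncation,
// so an array-like whose length exceeds 2^32 - 1 keeps its full length.
function toLength(value) {
  const len = Math.trunc(Number(value));
  if (Number.isNaN(len) || len <= 0) return 0;
  return Math.min(len, MAX_SAFE_INTEGER);
}

// IsConcatSpreadable: honour @@isConcatSpreadable when present, else IsArray.
function isConcatSpreadable(o) {
  if (o === null || (typeof o !== 'object' && typeof o !== 'function')) return false;
  const flag = o[Symbol.isConcatSpreadable];
  if (flag !== undefined) return Boolean(flag);
  return Array.isArray(o);
}

// Length check (spreadable element): the result length n + len may equal
// 2^53 - 1, so the spec rejects only when it is strictly greater (>).
function checkResultLength(n, len) {
  if (n + len > MAX_SAFE_INTEGER) throw new TypeError('concat result exceeds 2^53 - 1 elements');
  return n + len;
}

// Index check (non-spreadable element): n is the index the element is written
// at, and 2^53 - 1 is not a valid index, so the spec rejects with >=.
function checkIndex(n) {
  if (n >= MAX_SAFE_INTEGER) throw new TypeError('concat index exceeds 2^53 - 2');
  return n;
}

// One iteration of the concat loop over the elements [O, ...items].
function concatOne(A, n, E) {
  if (isConcatSpreadable(E)) {
    const len = toLength(E.length);            // LengthOfArrayLike(E), read once
    checkResultLength(n, len);
    for (let k = 0; k < len; k++) {
      if (k in E) A[n + k] = E[k];             // HasProperty: holes stay holes
    }
    return n + len;
  }
  checkIndex(n);
  A[n] = E;
  return n + 1;
}

// Set(A, "length", n, true) on a real Array: a result longer than 2^32 - 1 passes
// the 2^53 - 1 checks above but is rejected here with a RangeError, as the spec
// requires for Array exotic objects.
function finishConcat(A, n) {
  A.length = n;
  return A;
}

function specConcat(O, ...items) {
  const A = [];                                // ArraySpeciesCreate(O, 0), simplified
  let n = 0;
  for (const E of [O, ...items]) n = concatOne(A, n, E);
  return finishConcat(A, n);
}

// Constructed test input: an array-like that opts in to spreading.
function makeSpreadable(length, props = {}) {
  return { [Symbol.isConcatSpreadable]: true, length, ...props };
}

// Stand-alone demo: a spread with a hole, then ToLength versus uint32 wrap.
console.log(specConcat([1], makeSpreadable(3, { 0: 'a', 2: 'c' }), 'tail'));
console.log(toLength(2 ** 32 + 5), (2 ** 32 + 5) >>> 0);
```

The two checks agree on the maximum result length: a spreadable element may bring n to exactly 2 ** 53 - 1, and a single element may be written at index 2 ** 53 - 2 (giving the same final length), so neither check is looser than the other. Lengths above 2 ** 32 - 1 are not rejected by either check; they survive ToLength and only fail at the final length assignment on the Array result.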
Comment 4 EWS 2020-05-21 01:41:26 PDT
Committed r261987: <https://trac.webkit.org/changeset/261987>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 399892 [details].
Comment 5 Radar WebKit Bug Importer 2020-05-21 01:42:16 PDT
<rdar://problem/63484485>